http://www.eweek.com/article/0,3658,s=712&a=27341,00.asp May 27, 2002 By Dennis Fisher Don't envy Scott Charney. He has one of the most difficult positions in the security industry: chief security strategist at Microsoft Corp. The Redmond, Wash., company and its ubiquitous software are the targets of choice for crackers and Internet delinquents of every stripe - so much so that Microsoft has kicked off a very public security-improvement initiative called Trustworthy Computing. All of which means Charney, a former Department of Justice lawyer and head of PricewaterhouseCoopers' security practice, has his work cut out for him. Senior Writer Dennis Fisher spoke with Charney last month about the challenges of his new job and what his priorities will be for the future. eWeek: Now that you've had a few weeks to settle into your new job, what are your priorities for the next 12 to 18 months? Charney: Well, I want to figure out what organizational and product changes we need to make to make the best impact on security. We need to get the national plan right, get the ISACs [information sharing and analysis centers] and InfraGard up to speed. eWeek: Do you have any idea at this point what those product priorities will be? Charney: You can get some sense by just looking at the products. Something like Windows is obviously a high priority, and we've shown that by sending 7,000 Windows developers to school. There's a big security push around Windows. We have to look at the product's role in the infrastructure and prioritize those [that play the biggest roles]. And in terms of other priorities, there's increased concern - as we put more personally identifiable information on the Internet - about privacy. We have to make those services [such as Passport] as robust as possible. There are really two issues: keeping the bad people out and how this information is shared. We have to religiously implement fair information practices. eWeek: Do you have a sense that most of the changes you'll propose will be accepted by Chairman Bill Gates and CEO Steve Ballmer? Charney: I have a responsibility to propose intelligent changes, but there's no question that for Gates [and] Ballmer security is clearly Job One. eWeek: One of the things that Group Platforms Vice President Jim Allchin said recently is that security is such a focus at Microsoft now that if they have to break legacy application compatibility to improve security, so be it. Charney: Well, you have to look at how far back in legacy apps you're going. If we need to make a change and it's going to break something in Windows 3.1, that's not really an issue. But if it's in Win 2000 or XP, it's an issue. But there's a recognition that things aren't as secure as they could be. To the extent that we're designing stuff with security as a focus, if something really needs to be done for security and it might break a legacy system, you have to make a business decision. eWeek: There's been a lot of talk lately in the testimony in the antitrust case about the modularization of Windows. Have you had a chance to consider what that might mean in terms of security? Charney: Because of my [previous] position with the government, I've avoided the antitrust stuff altogether. eWeek: You mentioned that you wanted to work on the national security plan. Do you speak to federal cyber-security czar Richard Clarke regularly about what they're doing? Charney: I do talk to him regularly, through this job and also because we're both on the lecture circuit. One of the big challenges we have is to figure out the proper roles of industry and government. Historically, government has had the responsibility for security and protection. And when you start talking about critical infrastructure, it's something the government needs to get in on. They have to look at how much security will the markets actually get you. Then, how much security do you really need. And how do we fill the gap between the two. eWeek: The concept of the government legislating security makes a lot of people nervous. Is there a way to make it work? Charney: I've written some laws in the past, and what I worry about is how you say what you mean and get where you want to go without a lot of unintended consequences. In my mind, there are only three pockets of money: the taxpayer's pocket, the consumer's pocket and the investor's pocket. What model is right for security? I would be worried about how you move the ball forward without stifling innovation. I always tried to be very technology-neutral when I was at [the DOJ], and that seems to be the right approach. eWeek: Another topic that gets a lot of attention these days is vulnerability disclosure. Where do you stand on the debate over full disclosure? Charney: I dealt with this in the government because we had a hacker who hacked into a switch and shut down an airport, and the way that he got into the switch was easily repeatable. If you know of a vulnerability, you need to mitigate the risk by patching it. Once [the patch] is out there, you need to advertise it with the understanding that it's like a race because the hackers are racing for the vulnerability, and the systems administrators are racing for the patch. If you keep it quiet, you have a lot of people who are at risk. But at the same time, I think it's incumbent on [vendors] to patch it. eWeek: There's been a lot of skepticism about Microsoft's Trustworthy Computing effort. Is there anything that you can point to now to reassure people that it's a sincere effort, or is it one of those things where we have to wait two or three years to see if it works? Charney: In the short term, they need to take a look around at what the company is doing: sending out products that are secure by default, where before they were open by default. - ISN is currently hosted by Attrition.org To unsubscribe email email@example.com with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 06:26:17 PDT