Information Security News mailing list archives

Microsoft: Secure out of the Box?


From: InfoSec News <isn () c4i org>
Date: Thu, 20 Dec 2001 00:42:40 -0600 (CST)

http://www.theneteconomy.com/article/0,3658,s%253D908%2526a%253D20127,00.asp

December 14, 2001 
By: Paul Coe Clark III 

Howard Schmidt is chief security officer at Microsoft. He recently
testified before the House Subcommittee on Commerce, Trade and Consumer
Protection about the state of Internet and computer security. We
tracked him down later to ask him about, among other things,
cyberterrorism and Microsoft's level of responsibility for the
success of large virus attacks.

Schmidt served in the U.S. Air Force, the F.B.I., and local law
enforcement. After Sept. 11, he was called back to active duty with
the Joint Task Force for Computer Network Operations, the Department
of Justice and the FBI's National Infrastructure Protection Center.


Q: In your testimony the other day, you listed a series of industries
at risk for cyberterrorism or electronic intrusion. One of those you
listed was telecom. What weaknesses are there in the telecom industry
that haven't been addressed?

A: I think it all revolves around the people and the process. I don't
know that there's a specific weakness. I think, generally, that the
concern we have as the industry partnerships, are, are we all
prepared, as the owners and operators of the critical infrastructure,
to be able to respond to three major areas of concern for the value of
the country. There's the national-security piece, which we saw,
responded in 9/11. There's the law enforcement/public-safety piece,
which has some relation to 9/11, but also we've seen in other venues,
even simple things like when an ice storm knocks down the ability to
communicate. The third thing is the economic viability of the nation.  
And that's our ability, because so much has been built, from an
economic standpoint, around the technology piece.

I'll cite a telecom component during 9/11. I was in D.C. You're based
in D.C., aren't you?


Q: Yes, I am, right off K Street, three blocks from the White House.

A: So you know what it was like. I don't know if you tried to use a
mobile phone, or you saw people lining up at the payphones, only to be
able to get no signal. Those are the sort of things that we probably
need to have more redundancy issues and have some resiliency on...


Q: Capacity issues...

A: Right.


Q: Oddly enough, I worked the whole afternoon. I think I was the only
person in downtown Washington, and I had no problem getting people on
the phone. I was just blessed, I think.

A: I was up at the Capitol, and I tried my darndest to get my cell
phone working, and had no success. Interestingly enough, when I got
down to Northern Virginia, outside some of the towers, I was able to
call around the company with little or no problems.


Q: How big a cyberterrorism threat is there? Let me define that a
little better, because it's a meaningless question in some ways. How
severe a threat is there of an Internet-based attack that does
widespread economic or functional damage by a state-sponsored group or
an independent group of terrorists, as opposed to the normal
intrusion, denial-of-service attacks and virus problems we usually
see?

A: That's a tough question to answer, because I don't know if that
question's been asked in all the appropriate circles. If you look at
everything from Sen. Nunn's hearing, back in 1997, to the report of
the President's Commission on Critical Infrastructure Protection, one
of the things that they look at is the availability of being able to
do harm relative to the cost. So when you talk about the actual threat
piece of it, the cost is relatively insignificant. It's a piece of
code that you write to go do something bad, and now the availability
of those sort of things is very widespread. People have computers in
their homes, connected to DSL and cable modems, so the cost of the
ability to do damage is down. The availability, by having a lot of
systems out there to attack, is up, so that puts a threat picture out
there that's more viable than it was a few years ago.


Q: Like leveraging box cutters to take out buildings.

A: That's correct. That was a relatively inexpensive way to create
havoc. And if you do that on the electronic piece of it, some of the
threats that are out there, we really don't have a handle on how viable
they are, but we can do some modeling, and building of threat
scenarios, to see, given what tools we know are available to be
applied with malicious intent, how much damage can be done.


Q: But do we know of any states or groups that have cyberterrorism
efforts underway?

A: I think, publicly, what we know is that there have been a number of
nations that have created information-warfare groups, and they've been
fairly public about it. But as far as anything beyond the
cyberhacktivism we've seen, I don't know if there's been anything
publicly discussed about state-sponsored cyberterrorism cells out
there, if you would.


Q: Give us the Reader's Digest one-paragraph description of IT-ASAC.

A: The IT-ASAC is a group of some of the key owners and operators of
the infrastructure that belong to the IT community. It's a group of us
that put aside any competitive differences to share information on
best practices and vulnerabilities anonymously among each other to
maintain the viability of the critical infrastructure. We also develop
mechanisms to share that with the government as a sort of
early-warning system, using our collective 24-by-7 information centers
and the collective knowledge and expertise of our companies.


Q: You're the chief security officer of Microsoft. Explain for us a
little bit how security fits into the Microsoft corporate structure.

A: I think security is recognized as the number-one priority across
the company. That goes not only to operational security and securing
our assets, but also to product development. In my role, I report to
the CTO, and I have Advanced Security Strategy Group, which works on
security architecture, security auditing, incubation of
security-related tools and security policy across the company that
transcends the operational groups as well as the development groups.


Q: One of the things that you took a position on in your testimony was
on openness and security, in terms of being against people publishing
exploit codes to point out weaknesses — which in some sectors of the
software-development community is considered a good thing.

A: What we're relating to is responsible reporting, and there's a
difference. In some cases, it's tantamount to screaming "fire!" in a
crowded movie theater. Responsible reporting means if you find a
vulnerability, you contact the person in the best position to fix it,
normally the vendor of whatever the product is, give them all the
information possible so that they can create a fix, and then go out
and get the fix installed — as opposed to going out and telling
everyone that everybody in this one apartment complex doesn't lock
their doors or leaves their keys in their cars, which then opens them
up to malicious attacks.


Q: I was at a cybersecurity event last night. I don't know if you know
Richard Forno, CTO of Shadowlogic?

A: Yes, I do know Richard.


Q: He said his theory was "D3" — "declassify, demystify and diversify
(software)." All three of those things are not things associated with
Microsoft. Is that a policy you'd take issue with?

A: I think any time we find any security vulnerability, we're one of
the best in the industry to notify people of the details of them and
give them the details to get it fixed.


Q: Microsoft, traditionally, though, although less so of late, has
been known for having a relatively closed security-reporting and
bug-reporting system compared to the *NIX and open-source communities.  
Has that changed, and how much?

A: Well, for one I think it's a misperception or an undeserved
reputation. One of the things I hear most often is that people
responsible for these things at their companies say they're seeing too
many of these things. I don't think it's an issue about open-source, I
think it's an issue about responsibly, once somebody reports
something, we have to replicate what they've reported to make sure
it's a product-security issue and not some hardware problem they've
got, or some incompatibility with some other application they've got,
to replicate that, analyze that, and put the patch out. I don't know
of any time in the four years I've been here that that hasn't been a
priority. It's probably a misperception and mischaracterization of our
reputation.


Q: Today, some of the states came back with a proposal for opening up
Microsoft code. What effect would that have on security?

A: [Explains that he is not involved in antitrust issues] I think the
position has always been that you check the final product for
vulnerabilities. Because there's a whole lot of open source out there
that, day after day after day, there's more reports of
vulnerabilities. I think it doesn't make any difference whether it is
open source or closed source, it's a matter of identifying them once
the product is released.


Q: How much of computer and network security should be handled by
technology and how much by law enforcement?

A: Law enforcement's role is very much a reactive role. After
something bad happens, then they come in, and I think they have an
extremely vital part to help investigating these things to deter
people from attacking these systems. But the idea on the front end is
to use the people, the processes and the technologies to prevent these
things from happening as much as we can, and if there's something we
can't handle, law enforcement comes in and identifies those that have.


Q: I assume from your testimony that you guys supported the language
in the USA PATRIOT Act on cyberterrorism and intrusion. Are we in
danger of over-broadening the standard for calling something
cyberterrorism to include routine exploratory intrusions and port
scans and other minor events, in the heat of the moment after Sept.  
11?

A: I have met with a number of attorneys both in the corporate world
as well as the justice world, and I don't see that's the case. I think
all the changes that were made in the USA-PATRIOT Act relative to
online surveillance, relative to any cyber-related investigative
capability, have revolved around not changing the thresholds of what
it takes to get a search warrant, not changing the threshold of what
it takes to get a wiretap, but streamlining the process; you have to
prove with probable cause that something has occurred to get most of
the court orders.

If I'm tracking somebody that's, say, involved in terrorist activity,
and they're using a cell phone, and they can put the cell phone down
from having a voice call to use the same cell phone to do an Internet
message because they've got a Web-enabled phone, and then they go home
and they use an online account to communicate further, rather than go
get five warrants for the same thing, they don't have to chase the
technology, they chase the criminal activity.


Q: One of the things you opposed in your testimony was federal
security mandates for the industry. But there's a strong push for
strong industry best-practices policies or government mandates.
Christopher Painter [Department of Justice, Deputy Chief of the
Computer Crime and Intellectual Property Section] says the industry
needs best practices; he says, too often the industry has no plan for
dealing with intrusions at all. Is there going to be pressure for
government standards?

A: I hope not. What we've seen from time immemorial, market forces
drive a lot of what happens in the development efforts. Standards
don't drive it, because what happens, you wind up in a situation where
standards may turn around and inhibit the ability to innovate and the
ability to build more secure products.


Q: In your testimony, you listed several attacks, virus attacks and
others, some of them against Microsoft weaknesses, and some of them
against Linux and other operating systems. But how much responsibility
does Microsoft have because of its market share for security.

A: I think Microsoft has recognized that, because we are the market
leader, we have a special obligation to improve security. This is an
industry issue we're all working on, but because of that special role
our obligation is increased. Which is why we created programs like the
strategic technology protection program -- helping people get secure
with a number of free tools, then getting them to stay secure by
changing, fundamentally, some of our internal processes, to further
strengthen the security that we've been working on internally.


Q: Some of the security problems with Microsoft products are things
like buffer overflows. That happens in programming, and you fix it.  
But others seem like boneheaded decisions based on marketing. Things
like enabling Windows Scripting Host by default on millions of
consumer machines and making e-mail attachments executable. In these
big virus attacks, doesn't Microsoft bear some responsibility for
those choices?

A: I think that picture has changed. Once again, we've been developing
stuff based on ease-of-use for the customer and what the customer
requirements are. I think what happens now is that we've seen the
threat picture change. I think it goes back to a physical analogy. If
I leave my keys in my car because it's convenient for me, and somebody
steals my car, is that my fault? Ten or 15 years ago, the likelihood
of that happening was very, very low. But the threat picture has
changed dramatically in most places.

That's the same thing that's happened with software. Those things were
designed to make it easy for people to do the stuff that they were
doing. It turns out that criminals and others with malicious intents
have turned those good things into bad things. Which is why we've had
to fundamentally ... the way we ship products. They will be shipped
secure out of the box now. It may be a little more difficult to get
some of the features turned on, but it's going to be more secure,
because that's what the new picture warrants for us.


Q: But that kind of begs the question, because it wasn't completely
unthinkable, like someone flying a plane into a building. At the time
when all these features were being rolled out, programmers online were
screaming left and right that this was inevitably going to result in
these massive incidents, and, sure enough, they did.

A: If you look at the development process, and how long it takes to
develop these things and get them out the door, this is not something
that people started working on six months ago, and the developer
community is saying this is a bad thing. This is stuff that has been
in progress for years, which is why we've had to effectively retool
the way we do things internally, to meet that new threat environment.
 

Q: I'll give you a cheerful quote from Rick Forno. He said one of our
major security problems is "our continuing blind dependence on
Microsoft operating systems."

A: Richard's entitled to his opinion, but I ask Richard or anyone else
to look at the security vulnerabilities that have been identified in
anything else that's out there, and the response mechanism. Until some
time as we develop a society that's perfect in writing code, as you
actually pointed out; until some time as we have perfect processes,
then we have to do some level of maintenance, some level of fixing
things. I agree that we all continue to do more work on it.

