Assessment Is Charney's Job One

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article/0,3658,s=712&a=27341,00.asp

May 27, 2002 
By Dennis Fisher 

Don't envy Scott Charney. He has one of the most difficult positions
in the security industry: chief security strategist at Microsoft Corp.  
The Redmond, Wash., company and its ubiquitous software are the
targets of choice for crackers and Internet delinquents of every
stripe - so much so that Microsoft has kicked off a very public
security-improvement initiative called Trustworthy Computing. All of
which means Charney, a former Department of Justice lawyer and head of
PricewaterhouseCoopers' security practice, has his work cut out for
him. Senior Writer Dennis Fisher spoke with Charney last month about
the challenges of his new job and what his priorities will be for the
future.


eWeek: Now that you've had a few weeks to settle into your new job,
what are your priorities for the next 12 to 18 months?

Charney: Well, I want to figure out what organizational and product
changes we need to make to make the best impact on security. We need
to get the national plan right, get the ISACs [information sharing and
analysis centers] and InfraGard up to speed.


eWeek: Do you have any idea at this point what those product
priorities will be?

Charney: You can get some sense by just looking at the products.  
Something like Windows is obviously a high priority, and we've shown
that by sending 7,000 Windows developers to school. There's a big
security push around Windows. We have to look at the product's role in
the infrastructure and prioritize those [that play the biggest roles].  
And in terms of other priorities, there's increased concern - as we
put more personally identifiable information on the Internet - about
privacy. We have to make those services [such as Passport] as robust
as possible. There are really two issues: keeping the bad people out
and how this information is shared. We have to religiously implement
fair information practices.


eWeek: Do you have a sense that most of the changes you'll propose 
will be accepted by Chairman Bill Gates and CEO Steve Ballmer?

Charney: I have a responsibility to propose intelligent changes, but 
there's no question that for Gates [and] Ballmer security is clearly 
Job One.


eWeek: One of the things that Group Platforms Vice President Jim 
Allchin said recently is that security is such a focus at Microsoft 
now that if they have to break legacy application compatibility to 
improve security, so be it.

Charney: Well, you have to look at how far back in legacy apps you're 
going. If we need to make a change and it's going to break something 
in Windows 3.1, that's not really an issue. But if it's in Win 2000 or 
XP, it's an issue. But there's a recognition that things aren't as 
secure as they could be. To the extent that we're designing stuff with 
security as a focus, if something really needs to be done for security 
and it might break a legacy system, you have to make a business 
decision.


eWeek: There's been a lot of talk lately in the testimony in the 
antitrust case about the modularization of Windows. Have you had a 
chance to consider what that might mean in terms of security?

Charney: Because of my [previous] position with the government, I've 
avoided the antitrust stuff altogether.


eWeek: You mentioned that you wanted to work on the national security 
plan. Do you speak to federal cyber-security czar Richard Clarke 
regularly about what they're doing?

Charney: I do talk to him regularly, through this job and also because 
we're both on the lecture circuit. One of the big challenges we have 
is to figure out the proper roles of industry and government. 
Historically, government has had the responsibility for security and 
protection. And when you start talking about critical infrastructure, 
it's something the government needs to get in on. They have to look at 
how much security will the markets actually get you. Then, how much 
security do you really need. And how do we fill the gap between the 
two.


eWeek: The concept of the government legislating security makes a lot 
of people nervous. Is there a way to make it work?

Charney: I've written some laws in the past, and what I worry about is 
how you say what you mean and get where you want to go without a lot 
of unintended consequences. In my mind, there are only three pockets 
of money: the taxpayer's pocket, the consumer's pocket and the 
investor's pocket. What model is right for security? I would be 
worried about how you move the ball forward without stifling 
innovation. I always tried to be very technology-neutral when I was at 
[the DOJ], and that seems to be the right approach.


eWeek: Another topic that gets a lot of attention these days is 
vulnerability disclosure. Where do you stand on the debate over full 
disclosure?

Charney: I dealt with this in the government because we had a hacker 
who hacked into a switch and shut down an airport, and the way that he 
got into the switch was easily repeatable. If you know of a 
vulnerability, you need to mitigate the risk by patching it. Once [the 
patch] is out there, you need to advertise it with the understanding 
that it's like a race because the hackers are racing for the 
vulnerability, and the systems administrators are racing for the 
patch. If you keep it quiet, you have a lot of people who are at risk. 
But at the same time, I think it's incumbent on [vendors] to patch it.


eWeek: There's been a lot of skepticism about Microsoft's Trustworthy 
Computing effort. Is there anything that you can point to now to 
reassure people that it's a sincere effort, or is it one of those 
things where we have to wait two or three years to see if it works?

Charney: In the short term, they need to take a look around at what 
the company is doing: sending out products that are secure by default, 
where before they were open by default.
 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.