[prev in list] [next in list] [prev in thread] [next in thread]
List: isn
Subject: [ISN] Assessment Is Charney's Job One
From: InfoSec News <isn () c4i ! org>
Date: 2002-05-29 9:47:26
[Download RAW message or body]
http://www.eweek.com/article/0,3658,s=712&a=27341,00.asp
May 27, 2002
By Dennis Fisher
Don't envy Scott Charney. He has one of the most difficult positions
in the security industry: chief security strategist at Microsoft Corp.
The Redmond, Wash., company and its ubiquitous software are the
targets of choice for crackers and Internet delinquents of every
stripe - so much so that Microsoft has kicked off a very public
security-improvement initiative called Trustworthy Computing. All of
which means Charney, a former Department of Justice lawyer and head of
PricewaterhouseCoopers' security practice, has his work cut out for
him. Senior Writer Dennis Fisher spoke with Charney last month about
the challenges of his new job and what his priorities will be for the
future.
eWeek: Now that you've had a few weeks to settle into your new job,
what are your priorities for the next 12 to 18 months?
Charney: Well, I want to figure out what organizational and product
changes we need to make to make the best impact on security. We need
to get the national plan right, get the ISACs [information sharing and
analysis centers] and InfraGard up to speed.
eWeek: Do you have any idea at this point what those product
priorities will be?
Charney: You can get some sense by just looking at the products.
Something like Windows is obviously a high priority, and we've shown
that by sending 7,000 Windows developers to school. There's a big
security push around Windows. We have to look at the product's role in
the infrastructure and prioritize those [that play the biggest roles].
And in terms of other priorities, there's increased concern - as we
put more personally identifiable information on the Internet - about
privacy. We have to make those services [such as Passport] as robust
as possible. There are really two issues: keeping the bad people out
and how this information is shared. We have to religiously implement
fair information practices.
eWeek: Do you have a sense that most of the changes you'll propose
will be accepted by Chairman Bill Gates and CEO Steve Ballmer?
Charney: I have a responsibility to propose intelligent changes, but
there's no question that for Gates [and] Ballmer security is clearly
Job One.
eWeek: One of the things that Group Platforms Vice President Jim
Allchin said recently is that security is such a focus at Microsoft
now that if they have to break legacy application compatibility to
improve security, so be it.
Charney: Well, you have to look at how far back in legacy apps you're
going. If we need to make a change and it's going to break something
in Windows 3.1, that's not really an issue. But if it's in Win 2000 or
XP, it's an issue. But there's a recognition that things aren't as
secure as they could be. To the extent that we're designing stuff with
security as a focus, if something really needs to be done for security
and it might break a legacy system, you have to make a business
decision.
eWeek: There's been a lot of talk lately in the testimony in the
antitrust case about the modularization of Windows. Have you had a
chance to consider what that might mean in terms of security?
Charney: Because of my [previous] position with the government, I've
avoided the antitrust stuff altogether.
eWeek: You mentioned that you wanted to work on the national security
plan. Do you speak to federal cyber-security czar Richard Clarke
regularly about what they're doing?
Charney: I do talk to him regularly, through this job and also because
we're both on the lecture circuit. One of the big challenges we have
is to figure out the proper roles of industry and government.
Historically, government has had the responsibility for security and
protection. And when you start talking about critical infrastructure,
it's something the government needs to get in on. They have to look at
how much security will the markets actually get you. Then, how much
security do you really need. And how do we fill the gap between the
two.
eWeek: The concept of the government legislating security makes a lot
of people nervous. Is there a way to make it work?
Charney: I've written some laws in the past, and what I worry about is
how you say what you mean and get where you want to go without a lot
of unintended consequences. In my mind, there are only three pockets
of money: the taxpayer's pocket, the consumer's pocket and the
investor's pocket. What model is right for security? I would be
worried about how you move the ball forward without stifling
innovation. I always tried to be very technology-neutral when I was at
[the DOJ], and that seems to be the right approach.
eWeek: Another topic that gets a lot of attention these days is
vulnerability disclosure. Where do you stand on the debate over full
disclosure?
Charney: I dealt with this in the government because we had a hacker
who hacked into a switch and shut down an airport, and the way that he
got into the switch was easily repeatable. If you know of a
vulnerability, you need to mitigate the risk by patching it. Once [the
patch] is out there, you need to advertise it with the understanding
that it's like a race because the hackers are racing for the
vulnerability, and the systems administrators are racing for the
patch. If you keep it quiet, you have a lot of people who are at risk.
But at the same time, I think it's incumbent on [vendors] to patch it.
eWeek: There's been a lot of skepticism about Microsoft's Trustworthy
Computing effort. Is there anything that you can point to now to
reassure people that it's a sincere effort, or is it one of those
things where we have to wait two or three years to see if it works?
Charney: In the short term, they need to take a look around at what
the company is doing: sending out products that are secure by default,
where before they were open by default.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic