Assessment Is Charneys Job One

Eyeing product change, the national plan, Microsoft's security chief tackles company's top priority.

Dont envy Scott Charney. He has one of the most difficult positions in the security industry: chief security strategist at Microsoft Corp. The Redmond, Wash., company and its ubiquitous software are the targets of choice for crackers and Internet delinquents of every stripe—so much so that Microsoft has kicked off a very public security-improvement initiative called Trustworthy Computing. All of which means Charney, a former Department of Justice lawyer and head of PricewaterhouseCoopers security practice, has his work cut out for him. Senior Writer Dennis Fisher spoke with Charney last month about the challenges of his new job and what his priorities will be for the future.

eWeek: Now that youve had a few weeks to settle into your new job, what are your priorities for the next 12 to 18 months?

Charney: Well, I want to figure out what organizational and product changes we need to make to make the best impact on security. We need to get the national plan right, get the ISACs [information sharing and analysis centers] and InfraGard up to speed.

eWeek: Do you have any idea at this point what those product priorities will be?

Charney: You can get some sense by just looking at the products. Something like Windows is obviously a high priority, and weve shown that by sending 7,000 Windows developers to school. Theres a big security push around Windows. We have to look at the products role in the infrastructure and prioritize those [that play the biggest roles]. And in terms of other priorities, theres increased concern—as we put more personally identifiable information on the Internet—about privacy. We have to make those services [such as Passport] as robust as possible. There are really two issues: keeping the bad people out and how this information is shared. We have to religiously implement fair information practices.

eWeek: Do you have a sense that most of the changes youll propose will be accepted by Chairman Bill Gates and CEO Steve Ballmer?

Charney: I have a responsibility to propose intelligent changes, but theres no question that for Gates [and] Ballmer security is clearly Job One.

eWeek: One of the things that Group Platforms Vice President Jim Allchin said recently is that security is such a focus at Microsoft now that if they have to break legacy application compatibility to improve security, so be it.

Charney: Well, you have to look at how far back in legacy apps youre going. If we need to make a change and its going to break something in Windows 3.1, thats not really an issue. But if its in Win 2000 or XP, its an issue. But theres a recognition that things arent as secure as they could be. To the extent that were designing stuff with security as a focus, if something really needs to be done for security and it might break a legacy system, you have to make a business decision.

eWeek: Theres been a lot of talk lately in the testimony in the antitrust case about the modularization of Windows. Have you had a chance to consider what that might mean in terms of security?

Charney: Because of my [previous] position with the government, Ive avoided the antitrust stuff altogether.

eWeek: You mentioned that you wanted to work on the national security plan. Do you speak to federal cyber-security czar Richard Clarke regularly about what theyre doing?

Charney: I do talk to him regularly, through this job and also because were both on the lecture circuit. One of the big challenges we have is to figure out the proper roles of industry and government. Historically, government has had the responsibility for security and protection. And when you start talking about critical infrastructure, its something the government needs to get in on. They have to look at how much security will the markets actually get you. Then, how much security do you really need. And how do we fill the gap between the two.

eWeek: The concept of the government legislating security makes a lot of people nervous. Is there a way to make it work?

Charney: Ive written some laws in the past, and what I worry about is how you say what you mean and get where you want to go without a lot of unintended consequences. In my mind, there are only three pockets of money: the taxpayers pocket, the consumers pocket and the investors pocket. What model is right for security? I would be worried about how you move the ball forward without stifling innovation. I always tried to be very technology-neutral when I was at [the DOJ], and that seems to be the right approach.

eWeek: Another topic that gets a lot of attention these days is vulnerability disclosure. Where do you stand on the debate over full disclosure?

Charney: I dealt with this in the government because we had a hacker who hacked into a switch and shut down an airport, and the way that he got into the switch was easily repeatable. If you know of a vulnerability, you need to mitigate the risk by patching it. Once [the patch] is out there, you need to advertise it with the understanding that its like a race because the hackers are racing for the vulnerability, and the systems administrators are racing for the patch. If you keep it quiet, you have a lot of people who are at risk. But at the same time, I think its incumbent on [vendors] to patch it.

eWeek: Theres been a lot of skepticism about Microsofts Trustworthy Computing effort. Is there anything that you can point to now to reassure people that its a sincere effort, or is it one of those things where we have to wait two or three years to see if it works?

Charney: In the short term, they need to take a look around at what the company is doing: sending out products that are secure by default, where before they were open by default.