Microsoft: Secure out of the Box?

Microsoft is (some might say finally) getting serious about Internet security. Paul Coe Clark III talked with Redmond's chief security officer, Howard Schmidt.

Howard Schmidt is chief security officer at Microsoft. He recently testified before the House Subcommittee on Commerce, Trade and Consumer Protection about the state of Internet and computer security. We tracked him down later to ask him about, among other things, cyberterrorism and Microsoft's level of responsibility for the success of large virus attacks.

Schmidt served in the U.S. Air Force, the F.B.I., and local law enforcement. After Sept. 11, he was called back to active duty with the Joint Task Force for Computer Network Operations, the Department of Justice and the FBI's National Infrastructure Protection Center.

Q: In your testimony the other day, you listed a series of industries at risk for cyberterrorism or electronic intrusion. One of those you listed was telecom. What weaknesses are there in the telecom industry that haven't been addressed?

A: I think it all revolves around the people and the process. I don't know that there's a specific weakness. I think, generally, the concern we have, as the industry partnerships, is: are we all prepared, as the owners and operators of the critical infrastructure, to be able to respond to three major areas of concern for the value of the country? There's the national-security piece, which we saw responded to on 9/11. There's the law enforcement/public-safety piece, which has some relation to 9/11, but also we've seen in other venues, even simple things like when an ice storm knocks down the ability to communicate. The third thing is the economic viability of the nation. And that's our ability, because so much has been built, from an economic standpoint, around the technology piece.

I'll cite a telecom component during 9/11. I was in D.C. You're based in D.C., aren't you?

Q: Yes, I am, right off K Street, three blocks from the White House.

A: So you know what it was like. I don't know if you tried to use a mobile phone, or you saw people lining up at the payphones, only to be able to get no signal. Those are the sort of things that we probably need to have more redundancy on and have some resiliency on...

Q: Capacity issues...

A: Right.

Q: Oddly enough, I worked the whole afternoon. I think I was the only person in downtown Washington, and I had no problem getting people on the phone. I was just blessed, I think.

A: I was up at the Capitol, and I tried my darndest to get my cell phone working, and had no success. Interestingly enough, when I got down to Northern Virginia, outside some of the towers, I was able to call around the company with little or no problems.

Q: How big a cyberterrorism threat is there? Let me define that a little better, because it's a meaningless question in some ways. How severe a threat is there of an Internet-based attack that does widespread economic or functional damage by a state-sponsored group or an independent group of terrorists, as opposed to the normal intrusion, denial-of-service attacks and virus problems we usually see?

A: That's a tough question to answer, because I don't know if that question's been asked in all the appropriate circles. If you look at everything from Sen. Nunn's hearing, back in 1997, to the report of the President's Commission on Critical Infrastructure Protection, one of the things that they look at is the availability of being able to do harm relative to the cost. So when you talk about the actual threat piece of it, the cost is relatively insignificant. It's a piece of code that you write to go do something bad, and now the availability of those sort of things is very widespread. People have computers in their homes, connected to DSL and cable modems, so the cost of the ability to do damage is down. The availability, by having a lot of systems out there to attack, is up, so that puts a threat picture out there that's more viable than it was a few years ago.

Q: Like leveraging box cutters to take out buildings.

A: That's correct. That was a relatively inexpensive way to create havoc. And if you do that on the electronic piece of it, some of the threats that are out there, we really don't have a handle on how viable they are, but we can do some modeling, and building of threat scenarios, to see, given what tools we know are available to be applied with malicious intent, how much damage can be done.

Q: But do we know of any states or groups that have cyberterrorism efforts underway?

A: I think, publicly, what we know is that there have been a number of nations that have created information-warfare groups, and they've been fairly public about it. But as far as anything beyond the cyberhacktivism we've seen, I don't know if there's been anything publicly discussed about state-sponsored cyberterrorism cells out there, if you would.

Q: Give us the Reader's Digest one-paragraph description of IT-ASAC.

A: The IT-ASAC is a group of some of the key owners and operators of the infrastructure that belong to the IT community. It's a group of us that put aside any competitive differences to share information on best practices and vulnerabilities anonymously among each other to maintain the viability of the critical infrastructure. We also develop mechanisms to share that with the government as a sort of early-warning system, using our collective 24-by-7 information centers and the collective knowledge and expertise of our companies.

Q: You're the chief security officer of Microsoft. Explain for us a little bit how security fits into the Microsoft corporate structure.

A: I think security is recognized as the number-one priority across the company. That goes not only to operational security and securing our assets, but also to product development. In my role, I report to the CTO, and I have the Advanced Security Strategy Group, which works on security architecture, security auditing, incubation of security-related tools and security policy across the company that transcends the operational groups as well as the development groups.

Q: One of the things that you took a position on in your testimony was on openness and security, in terms of being against people publishing exploit code to point out weaknesses, which in some sectors of the software-development community is considered a good thing.

A: What we're relating to is responsible reporting, and there's a difference. In some cases, it's tantamount to screaming "fire!" in a crowded movie theater. Responsible reporting means if you find a vulnerability, you contact the person in the best position to fix it, normally the vendor of whatever the product is, give them all the information possible so that they can create a fix, and then go out and get the fix installed, as opposed to going out and telling everyone that everybody in this one apartment complex doesn't lock their doors or leaves their keys in their cars, which then opens them up to malicious attacks.

Q: I was at a cybersecurity event last night. I don't know if you know Richard Forno, CTO of Shadowlogic?

A: Yes, I do know Richard.

Q: He said his theory was "D3": "declassify, demystify and diversify (software)." All three of those things are not things associated with Microsoft. Is that a policy you'd take issue with?

A: I think any time we find any security vulnerability, we're one of the best in the industry to notify people of the details of them and give them the details to get it fixed.

Q: Microsoft, traditionally, though, although less so of late, has been known for having a relatively closed security-reporting and bug-reporting system compared to the *NIX and open-source communities. Has that changed, and how much?

A: Well, for one, I think it's a misperception or an undeserved reputation. One of the things I hear most often is that people responsible for these things at their companies say they're seeing too many of these things. I don't think it's an issue about open source; I think it's an issue about responsibility. Once somebody reports something, we have to replicate what they've reported to make sure it's a product-security issue and not some hardware problem they've got, or some incompatibility with some other application they've got; to replicate that, analyze that, and put the patch out. I don't know of any time in the four years I've been here that that hasn't been a priority. It's probably a misperception and mischaracterization of our reputation.

Q: Today, some of the states came back with a proposal for opening up Microsoft code. What effect would that have on security?

A: [Explains that he is not involved in antitrust issues] I think the position has always been that you check the final product for vulnerabilities. Because there's a whole lot of open source out there where, day after day after day, there are more reports of vulnerabilities. I think it doesn't make any difference whether it is open source or closed source; it's a matter of identifying them once the product is released.

Q: How much of computer and network security should be handled by technology and how much by law enforcement?

A: Law enforcement's role is very much a reactive role. After something bad happens, then they come in, and I think they have an extremely vital part to help investigate these things to deter people from attacking these systems. But the idea on the front end is to use the people, the processes and the technologies to prevent these things from happening as much as we can, and if there's something we can't handle, law enforcement comes in and identifies those that have.

Q: I assume from your testimony that you guys supported the language in the USA PATRIOT Act on cyberterrorism and intrusion. Are we in danger of over-broadening the standard for calling something cyberterrorism to include routine exploratory intrusions and port scans and other minor events, in the heat of the moment after Sept. 11?

A: I have met with a number of attorneys both in the corporate world as well as the justice world, and I don't see that that's the case. I think all the changes that were made in the USA PATRIOT Act relative to online surveillance, relative to any cyber-related investigative capability, have revolved around not changing the thresholds of what it takes to get a search warrant, not changing the threshold of what it takes to get a wiretap, but streamlining the process; you have to prove with probable cause that something has occurred to get most of the court orders.

If I'm tracking somebody that's, say, involved in terrorist activity, and they're using a cell phone, and they can put the cell phone down from having a voice call to use the same cell phone to do an Internet message because they've got a Web-enabled phone, and then they go home and they use an online account to communicate further, rather than go get five warrants for the same thing, they don't have to chase the technology, they chase the criminal activity.

Q: One of the things you opposed in your testimony was federal security mandates for the industry. But there's a strong push for strong industry best-practices policies or government mandates. Christopher Painter [Department of Justice, Deputy Chief of the Computer Crime and Intellectual Property Section] says the industries need best practices; he says, too often the industry has no plan for dealing with intrusions at all. Is there going to be pressure for government standards?

A: I hope not. What we've seen from time immemorial is that market forces drive a lot of what happens in the development efforts. Standards don't drive it, because what happens is you wind up in a situation where standards may turn around and inhibit the ability to innovate and the ability to build more secure products.

Q: In your testimony, you listed several attacks, virus attacks and others, some of them against Microsoft weaknesses, and some of them against Linux and other operating systems. But how much responsibility does Microsoft have for security because of its market share?

A: I think Microsoft has recognized that, because we are the market leader, we have a special obligation to improve security. This is an industry issue we're all working on, but because of that special role our obligation is increased. Which is why we created programs like the Strategic Technology Protection Program: helping people get secure with a number of free tools, then getting them to stay secure by changing, fundamentally, some of our internal processes, to further strengthen the security that we've been working on internally.

Q: Some of the security problems with Microsoft products are things like buffer overflows. That happens in programming, and you fix it. But others seem like boneheaded decisions based on marketing. Things like enabling Windows Scripting Host by default on millions of consumer machines and making e-mail attachments executable. In these big virus attacks, doesn't Microsoft bear some responsibility for those choices?

A: I think that picture has changed. Once again, we've been developing stuff based on ease of use for the customer and what the customer requirements are. I think what happens now is that we've seen the threat picture change. I think it goes back to a physical analogy. If I leave my keys in my car because it's convenient for me, and somebody steals my car, is that my fault? Ten or 15 years ago, the likelihood of that happening was very, very low. But the threat picture has changed dramatically in most places.

That's the same thing that's happened with software. Those things were designed to make it easy for people to do the stuff that they were doing. It turns out that criminals and others with malicious intent have turned those good things into bad things. Which is why we've had to fundamentally ... the way we ship products. They will be shipped secure out of the box now. It may be a little more difficult to get some of the features turned on, but it's going to be more secure, because that's what the new picture warrants for us.

Q: But that kind of begs the question, because it wasn't completely unthinkable, like someone flying a plane into a building. At the time when all these features were being rolled out, programmers online were screaming left and right that this was inevitably going to result in these massive incidents, and, sure enough, they did.

A: If you look at the development process, and how long it takes to develop these things and get them out the door, this is not something that people started working on six months ago, and the developer community is saying this is a bad thing. This is stuff that has been in progress for years, which is why we've had to effectively retool the way we do things internally, to meet that new threat environment.

Q: I'll give you a cheerful quote from Rick Forno. He said one of our major security problems is "our continuing blind dependence on Microsoft operating systems."

A: Richard's entitled to his opinion, but I ask Richard or anyone else to look at the security vulnerabilities that have been identified in anything else that's out there, and the response mechanism. Until such time as we develop a society that's perfect in writing code, as you actually pointed out; until such time as we have perfect processes, then we have to do some level of maintenance, some level of fixing things. I agree that we all continue to do more work on it.