MS Charney Must Make Security Job One

Interview: Microsoft's chief security strategist, Scott Charney, discusses the challenges he faces in his new position.

Dont envy Scott Charney. He has what has to be one of the most difficult positions in the security industry: chief security strategist at Microsoft Corp. The Redmond, Wash., company and its ubiquitous software are the targets of choice for crackers and Internet delinquents of every stripe, and Microsoft has recently kicked off a very public security-improvement initiative called Trustworthy Computing. All of which means Charney, a former Justice Department lawyer and head of PricewaterhouseCoopers security practice, has his work cut out for him. Senior Writer Dennis Fisher spoke with Charney last week about the challenges of his new job and what his priorities will be for the future.

eWEEK: Now that youve had a few weeks to settle in to your new job, what are your priorities for the next 12 to 18 months?

Charney: Well, I want to figure out what organizational and product changes we need to make to make the best impact on security. We need to get the national plan right, get the ISACs and InfraGard up to speed.

eWEEK: Do you have any idea at this point what those product priorities will be?

Charney: You can get some sense by just looking at the products. Something like Windows is obviously a high priority and weve shown that by sending seven thousand Windows developers to school. Theres a big security push around Windows. We have to look at the products role in the infrastructure and prioritize those [that play the biggest roles]. And in terms of other priorities, theres increased concern--as we put more personally identifiable information on the Internet--about privacy. We have to make those services [like Passport] as robust as possible. There are really two issues: keeping the bad people out and how this information is shared. We have to religiously implement fair information practices. Users have to be notified of whats being collected, opt-in vs. opt-out.

eWEEK: Do you have a sense that most of the changes youll propose will be accepted by Gates and Ballmer?

Charney: I have a responsibility to propose intelligent changes, but theres no question that for Gates, Ballmer and [Craig] Mundie security is clearly job one.

eWEEK: One of the things that Craig and Jim Allchin have both said recently is that security is such a focus at Microsoft now that if they have to break legacy app compatibility in order to improve security, so be it. That wont sit well with customers I dont think.

Charney: Well, you have to look at how far back in legacy apps youre going. If we need to make a change and its going to break something in Windows 3.1, thats not really an issue. But if its in Win 2000 or XP, its an issue. But, theres a recognition that things arent as secure as they could be. To the extent that were designing stuff with security as a focus, if something really needs to be done for a security and it might break a legacy system, you have to make a business decision. You have to look at any proposed changes on a case-by-case basis.

eWEEK: Theres been a lot of talk lately in the testimony in the antitrust case about the modularization of Windows. Have you had a chance to consider what that might mean in terms of security?

Charney: Because of my position with the government, Ive avoided the antitrust stuff altogether, so I havent had a chance to look at it at all.

eWEEK: You mentioned that you wanted to work on the national security plan. Do you speak to Richard Clarke regularly about what theyre doing?

Charney: I do talk to him regularly, through this job and also because were both on the lecture circuit. One of the big challenges we have moving forward is to figure out the proper roles of industry and government. Historically, government has had the responsibility for security and protection. And when you start talking about critical infrastructure, its something the government needs to get in on. They have to look at how much security will the markets actually get you? Then, how much security do you really need? And how do we fill the gap between the two? That process has to be open.

eWEEK: I think the concept of the government legislating security makes a lot of people nervous. They dont exactly have a great background when it comes to that, if you look at the crypto regulations and other things. Is there a way to make it work?

Charney: Ive written some laws in the past, and what I worry about is how you say what you mean and get where you want to go without a lot of unintended consequences. In my mind there are only three pockets of money: the taxpayers pocket, the consumers pocket and the investors pocket. What model is right for security? I would be worried about how you move the ball forward without stifling innovation. I always tried to be very technology neutral when I was at Justice, and that seems to be the right approach.

eWEEK: Another topic that gets a lot of attention these days is vulnerability disclosure. Where do you stand on the debate over full disclosure?

Charney: I dealt with this in the government because we had a hacker who hacked into a switch and shut down an airport and the way that he got into the switch was easily repeatable. If you know of a vulnerability, you need to mitigate the risk by patching it. That means notifying the vendor. Once [the patch] is out there, you need to advertise it with the understanding that its like a race because the hackers are racing for the vulnerability and the systems administrators are racing for the patch. If you keep it quiet, you have a lot of people who are at risk. But at the same time, I think its incumbent on [vendors] to patch it. If they dont, then people go public and thats a natural reaction. I think it does make sense to figure out what the rules and best practices are.

eWEEK: Theres been a lot of skepticism about Microsofts Trustworthy Computing effort. Is there anything that you can point to now to reassure people that its a sincere effort, or is it one of those things where we have to wait two or three years to see if it worked?

Charney: In the short term, they need to take a look around at what the company is doing. Sending out products that ere secure by default, where before they were open by default. Sending seven thousand Windows programmers to school. In the long term, over time, as we design more secure products what we should see is fewer successful attacks, better stability and better security. We should be able to measure it and say vulnerabilities are going down and maybe people are still getting in, but theyre not getting root access. Things should improve.