Scott Charney, chief security strategist at Microsoft, has extensive dealings with the government in the area of security on behalf of Microsoft and his background includes an eight-year stint as chief of the Computer Crime and Intellectual Property Section in the criminal division at the Department of Justice from 1991 to 1999. Under his direction, the agency investigated and prosecuted national and international hacker cases, economic espionage cases and violations of federal criminal copyright and trademark laws. He spoke this week spoke with Computerworld about areas of concern for IT professionals during a time of war.
How will the war impact you in your role at Microsoft? When you think about actual conflict, there are probably three things that you can note historically. One is that conflicts between nations tend to lead to parallel conflicts between hackers. When the US spy plane was down in China, you saw a large increase of defaced Web sites between Chinese and US hackers.... You might see some increase in that, if history is any guide.
The second issue, of course, people worry about is some sort of terrorist strike against cyber. Most of us don't believe that a major cyberterrorist attack is imminent for a host of reasons. Historically, we haven't seen cyberterrorism attacks, and there's a lot of speculation on why that's so. One is it's not actually so easy to bring down the networks. There's a lot of redundancy and a lot of resiliency. Second, it doesn't create the kind of graphic pictures that terrorists often want. Third, it doesn't create the kind of fear that terrorists want.
Most of us who worry about cyberterrorism worry less about a global attack on the infrastructure as opposed to a specific, coordinated attack on an infrastructure. Had they attacked Verizon 10 minutes before the planes hit the tower, the disruption of the communications networks through cyber would have made it much harder to restore when you started replacing the physical parts of the network.
The third piece, which is of broad concern for the Defense Department, is whether there will be a corollary information warfare attack of some sort meant to disrupt communications and other things. There was a case called "solar sunrise" in the mid '90s when we were gearing up for air strikes against Iraq last time, where DOD[the Department of Defense] noticed a very broad-based attack on their networks.
I got called around 2:00, 2:30 in the morning and I said, "Where's it coming from?" They said, "United Arab Emirates." And I said, "Well, I'm Justice, not State, but I think they're friendly, right?" And they said, "Yeah, but we don't know where it's actually coming from. We just know it's that region of the world. And with what's going on militarily, this is of concern, of course." And they were right.
So we got court orders and launched an extensive investigation. It was two juveniles in Cloverdale, California, who were looping through the Middle East and coming back and attacking the Department of Defense with the help of an Israeli. What you don't know in an Internet attack is who's attacking or why. So there are some huge challenges here. But I think in terms of what's going on in Iraq now, the things you would watch out for are information warfare attacks.
From the perspective of IT folks who are at home or perhaps have international operations, what should they be wary of or thinking about top-of-mind over the next couple of weeks? When I think about September 11, it had a broad impact on the cybercommunity. ... The reason it changes their thinking is because it made them re-evaluate risk — perceived risk vs. real risk. If on September 10, I had said to anyone anywhere, "What are the odds of four planes being hijacked, three of them hitting buildings?," they'd say, "Slim to none." And then on September 12, it was 100 per cent. So even in the cyberworld, people started to ask, "OK. We don't think it's likely the whole Internet could be brought down or terrorists would target us. But we didn't think they were going to do that either."
Whenever there is some sort of international crisis like this, I think it's time for people to step back, take a deep breath and say, "In this changing world model, have we done enough things to make sure we're reasonably secure," because it is all about risk management. In times of conflict, risk goes up.
So people in companies should be saying, "Are we in an infrastructure that might be targeted by terrorists? Am I in an infrastructure that's supporting military operations and therefore may be a target?" If you are, you should say, "Am I configured correctly? Have I run lockdown tools? Am I up to date on my patches?"
If I haven't done that now — and you should have — this is a wake-up call to do it now, especially because your risk is elevated.
Have you found that most IT folks reacted to that September 11 wake-up call? Some people took it as a wake-up call and acted on it. I think some people didn't.; they say it's not a cyberevent. I also think a combination of that and some other things, like Slammer for example, make it clear that vendors certainly have to make it easier for customers to manage their set-ups.
As someone who thinks a lot about critical infrastructure protection, there are things clearly that Microsoft needs to do better. And we're devoting a lot of attention to it.
Also this synergy didn't exist before, for the most part, between markets, public safety and national security. Having been in the government for a long time, from a public safety, national security perspective, I was screaming about security in the early '90s, but markets really weren't demanding it. ... I think what we've seen in the last couple of years is this synergy where markets are now demanding the same things that public safety and national security require. And that synergy is actually a wonderful thing.
You said there are lots of things Microsoft could do better in the area of security. What in your estimation is the highest priority? The No. 1 priority for us is patch management. It absolutely has to be. We have a patch management working group now that spans the company. We said, OK, let's define our problems. One, we need a common nomenclature. We need to be talking about things in the same terms. We need a common installer so that patches install the same way. We need patches to register with the [operating system] in the same way so we can scan for it later and see if you're patched. We need the ability to uninstall. Some people wrote installers with uninstallers. Some didn't. Well, it's important to have that because you can test the patch and deploy it and then [if] it has an unintended consequence, can you uninstall it and get back out?
And we need to improve the tools that allow you to scan to see if you're patched, because today, the tools don't run across the suite of Microsoft products.
What's the timetable for the patch management improvements? We've got eight installers today. Within a year, I want to get down to two: one for applications, one for the [operating system]. ... I'm always cautious about going public with road maps because you run into challenges you didn't anticipate.