What do you see as the role of private sector companies like Microsoft in
[improving the security of computer systems]? What sort of
responsibility do they have in terms of corrections?
He is Chief of Information Security for the Microsoft Corporation. Prior to
this he was a Supervisory Special Agent, Director of the Air Force Office of
Special Investigations, Computer Forensic Lab and Computer Crime and
. . . The owners and operators of the critical infrastructure are the private
sector now. Consequently, we do have this added challenge of insuring that the
products we put out are more secure. Generation after generation, we see that,
not only with Microsoft, but with other vendors as well. There's a greater
sensitivity to what effect something that one person does has on the other
people downstream. Consequently, the communication, the sharing of information,
the sharing of vulnerability information, and the reaction to identifying a
problem and the response to it have increased significantly over the past few
If I buy a cigarette lighter, it'll have a little stamp on the bottom,
showing that it was approved by some regulatory agency that sets standards.
Yet I can buy software that will control my life, and it doesn't have to have
something like that.
Yes, that's correct. . . . If I'm sitting at home with my son and just
installed software to play some games, the level of security built for that
would be far different than what we need to run an enterprise or a business.
And those are the standards that we're looking at now, and trying to identify which security standards should be.
The thing that really plays into this is not even so much the hardware or the
software involved. It's the configuration and the day-to-day maintenance of
these things. Often . . . we see that the systems being exploited are the
systems that have problems. Oftentimes, it's not that someone is exploiting
something new. It's an old vulnerability that's been discovered, which someone
hasn't applied the patch to. . . .
The critics will say that this stuff is so new and so complicated that your
average user doesn't know about the bug, and doesn't know about the solution
for the bug.
And they're right, in that respect. This has evolved over time. Many of these
systems were operated and designed to be operated in an environment where there
weren't threats of viruses and Trojans and hackers and crackers and things of
this nature. So it has been an evolutionary process--not only by finding
these things, but also by fixing them. And you're correct that the normal
day-to-day user doesn't know about this. That's why many of the manufacturers
now are coming up with automatic live updates, where every time you log in,
it'll notify you that there's a security patch. All you have to do is click
somewhere, and it'll go install it for you, and it doesn't require any great
technical knowledge to fix it.
How proactive should a company like yours be in actually finding these bugs,
and actually screaming off the rooftops to the people who are using your
product, "You must fix this, or the following consequences might ensue"?
Very proactive. I think we've taken a really dramatic turn in the past year
and a half to two years in that regard. As soon as we find out if there's a
fix available, it's widely publicized, and there's screaming from the
rooftops. . . . We also have the availability for people to sign up online for
security alerts, so if something does come about, they can be alerted to it
automatically. We also have media notification of certain things throughout
that would be critical to everybody's use.
In the last few months, the critics are still saying that the big companies
are being driven more by their marketing departments and sales imperatives than
they are by security interests and people like you. What's running the
I totally disagree with that. Once again, in the past year and a half to two
years, we've seen a dramatic shift in what's happening, to where products will
not be shipped with known security problems, or without enhanced security.
We've come full circle now. There used to be a time where a development
process would take place that had very little to do with the security
professionals. Now, not only do we have direct input into the products across
the board, but also they're coming to us proactively. They're asking the
security professionals to sit in on development committees to submit design
change requests, and to say what additional security features we need, and to
find a way to resolve bugs in the future. The . . . state we're looking to
reach at some point is a state of self-healing, where if a vulnerability or a
bug is found at some point, it's automatically . . . fixed for you the next
time you log on.
. . . The onus is still on the person who buys it to close what he doesn't
need, and therefore block the burglars. Is that going to change, or do you see
that as a major weakness?
. . . That's something that people are looking at on a regular basis--how can
we constantly continue to tighten [security] out of the box, while still
allowing the functionality and the versatility that people want? It's a real
challenge to try to balance the two. But it's not being driven by the
marketing folks. It's actually driven by what people say they want as
features in a particular product. . . .
Let's say we're sitting beside each other on the bus to Seattle. I hear you
say that you're in computer security, and I say, "Look, I've got this problem.
Somebody is messing with my computer, and I don't know where it's coming from."
What would you tell me?
First and foremost, I'd tell you to run a virus scan on your computer system.
Oftentimes, many of these things are found via a virus scan, even though they
may not be specifically a virus, such as some of the Trojan programs. . . .
I'd also recommend that you go out to some of the security update sites, which
are nothing more than clicking an icon on your browser on your system. It will
go out there and search for security updates and install them seamlessly for
How big a problem is this tension between convenience and security?
It's a big problem. What happens in most cases is that people want the ease
of use and the convenience, without having to go through the extra layers of
either adding additional passwords or doing something extra to get what they
want. They want to be able to do it anywhere, any time, on any device, and
that's always a challenge. Some people will look to circumvent that, because
they find it too much of a problem to take the extra 30 seconds or 15 seconds
to type in a password. So it's a real balance, and it's a real challenge.
Part of it we can we can deal with by having good policies that we enforce.
Lately, some of the new operating systems have electronic policies that require
people to have strong passwords or they don't get to log in.
Should a company like Microsoft have a department . . . specifically
dedicated to identifying and analyzing new bugs?
We have what I call the "product security response center," which, even as
early as two years ago, was one or two people. Now they've got a pretty
significant staff that deals with just that.
Why is it so hard to fix this stuff?
I don't know. . . . With the complexity of the systems and the things that
we're doing, it seems that some of the things keep popping up over and over.
As you fix one thing, it opens a door someplace else. I think it's just a
matter of time until people start to work with the security fixes in mind, as
opposed to some of the ease-of-use stuff. It's a shift in the paradigm from
where we were even two to three years ago, to where we're going.
It seems to me that there are three levels of accountability. There's the
government, there's the manufacturer, and then there's the poor fellow . . . at
the bottom, who feels that he's carrying the main load, while the other two
parties aren't helping. Can you give me a point of view from the corporate
side of that perception?
I'm not even sure I can do that from a corporate side. I can do that more from
the end user. . . . It's not as if it's beyond the realm of understanding for
the layperson. I've got an 85-year-old father who every other day clicks on an update site and downloads any patches available. I think
that just becomes a very institutionalized part of what day-to-day computing is
But what will it take for everyone to become as smart as your father? It'll
take either a lot more initiative on the part of people using these computers,
or we should expect a lot more proactivity from a company like Microsoft. Or
is the government going to come along and make you do it and make us
I think there's little likelihood that the government will mandate things.
They have been very good about saying that they will stay out of the business
things and let the market forces drive this, as long as it doesn't compromise
national security and the economic structure of the country. And I think the
message is very clear that, from the end user perspective, there's a lot more
training there's a lot more awareness going around out there now. Classes are
being taught--community college-level classes in community centers, in
retirement communities. And the companies are taking this a lot more seriously
than we did in the past. . . .
When I'm talking to people in this information security industry, I get a
much darker, more frightening perspective than I get from you. Is
that because you're out on the West Coast, or because you're not in that
specific line? . . . What is the reality here?
I'm probably a bit more pragmatic than some of these folks are . . . even going
back to the denial of service attacks back in February. Some of the reports of
that allege that billions of dollars' worth of business was lost. Well, if
that were the case for a five-hour downtime, it would show that that company is
making trillions of dollars a year, and it's not realistic. But when you
separate through that and look at . . . those of us who work in this business
day to day, yes, there are challenges that we have; there are patches that we
need to worry about. But we're able to run the business successfully. We're
able to do our jobs. It's no worse, in some cases, than a bad winter snowstorm
that keeps you from getting in the work for a day or two. In this case, it's
Does the world need an information technology security industry?
Yes, it does. Yes, it does, particularly until such time as security is
institutionalized in all the corporations, in our households, and in
programming. There's a real need for a sort of world-class information
This is something that's never going to go away. The greater dependency we
have on the IT infrastructure, the richer the environment that we work
in--there are going to be those out there who look deliberately to destroy or
disrupt that. Consequently, at least for the next 10 years, I would imagine
that, at minimum, there will be a really drastic need for the security
professionals. . . .
How real, and how theoretical, are these problems: there are terrorists who
will shut down everything . . . to the kid using Dad's computer to make
airlines crash. Are we just talking about theoretical possibilities, or is
there real danger?
. . . Some of the concerns are truly theoretical, and some of them are
possible. You mentioned terrorism . . . .That goes back to the potential we've
talked about for years and years and years about poisoning towns, water
supplies or the mass destruction of societies through biological warfare.
That's all theoretical. Is it possible? Under certain circumstances, it is.
It's the same thing with this. There are certain circumstances, where we could
shut down a 911 system by cutting a cable with a backhoe and taking out a
telephone line. Is it possible? Sure it is. Do we have processes in place
to try to prevent it? Yes, we do. Are they as good as they should be? Well,
we're constantly working on those things, making sure that we have pretty much
every eventuality covered, so that these things don't happen.
I'm being led to believe that every time IBM sells a computer, it's selling
the potential to shut out the lights or turn off the water.
If that were the case, then every time someone sells a backhoe or a jackhammer
or a piece of equipment, you have the potential to cut through a major
But you're selling a whole lot more computers than you are backhoes.
Yes, but the backhoe can do a lot more damage over a widespread area. It's
interesting--if you look back at some of the disruptions we've had, the power
outages have been directly related to physical attributes, as opposed to
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation