homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

interview: howard schmidt

photo of howard schmidt

He is Chief of Information Security for the Microsoft Corporation. Prior to this he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.
What do you see as the role of private sector companies like Microsoft in [improving the security of computer systems]? What sort of responsibility do they have in terms of corrections?

. . . The owners and operators of the critical infrastructure are the private sector now. Consequently, we do have this added challenge of insuring that the products we put out are more secure. Generation after generation, we see that, not only with Microsoft, but with other vendors as well. There's a greater sensitivity to what effect something that one person does has on the other people downstream. Consequently, the communication, the sharing of information, the sharing of vulnerability information, and the reaction to identifying a problem and the response to it have increased significantly over the past few years.

If I buy a cigarette lighter, it'll have a little stamp on the bottom, showing that it was approved by some regulatory agency that sets standards. Yet I can buy software that will control my life, and it doesn't have to have something like that.

Yes, that's correct. . . . If I'm sitting at home with my son and just installed software to play some games, the level of security built for that would be far different than what we need to run an enterprise or a business. And those are the standards that we're looking at now, and trying to identify which security standards should be.

The thing that really plays into this is not even so much the hardware or the software involved. It's the configuration and the day-to-day maintenance of these things. Often . . . we see that the systems being exploited are the systems that have problems. Oftentimes, it's not that someone is exploiting something new. It's an old vulnerability that's been discovered, which someone hasn't applied the patch to. . . .

The critics will say that this stuff is so new and so complicated that your average user doesn't know about the bug, and doesn't know about the solution for the bug.

And they're right, in that respect. This has evolved over time. Many of these systems were operated and designed to be operated in an environment where there weren't threats of viruses and Trojans and hackers and crackers and things of this nature. So it has been an evolutionary process--not only by finding these things, but also by fixing them. And you're correct that the normal day-to-day user doesn't know about this. That's why many of the manufacturers now are coming up with automatic live updates, where every time you log in, it'll notify you that there's a security patch. All you have to do is click somewhere, and it'll go install it for you, and it doesn't require any great technical knowledge to fix it.

It's not as if it's  [security] beyond the realm of understanding.I've got an 85-year-old father who every other day  clicks on an update site and downloads any patches available. How proactive should a company like yours be in actually finding these bugs, and actually screaming off the rooftops to the people who are using your product, "You must fix this, or the following consequences might ensue"?

Very proactive. I think we've taken a really dramatic turn in the past year and a half to two years in that regard. As soon as we find out if there's a fix available, it's widely publicized, and there's screaming from the rooftops. . . . We also have the availability for people to sign up online for security alerts, so if something does come about, they can be alerted to it automatically. We also have media notification of certain things throughout that would be critical to everybody's use.

In the last few months, the critics are still saying that the big companies are being driven more by their marketing departments and sales imperatives than they are by security interests and people like you. What's running the business?

I totally disagree with that. Once again, in the past year and a half to two years, we've seen a dramatic shift in what's happening, to where products will not be shipped with known security problems, or without enhanced security. We've come full circle now. There used to be a time where a development process would take place that had very little to do with the security professionals. Now, not only do we have direct input into the products across the board, but also they're coming to us proactively. They're asking the security professionals to sit in on development committees to submit design change requests, and to say what additional security features we need, and to find a way to resolve bugs in the future. The . . . state we're looking to reach at some point is a state of self-healing, where if a vulnerability or a bug is found at some point, it's automatically . . . fixed for you the next time you log on.

. . . The onus is still on the person who buys it to close what he doesn't need, and therefore block the burglars. Is that going to change, or do you see that as a major weakness?

. . . That's something that people are looking at on a regular basis--how can we constantly continue to tighten [security] out of the box, while still allowing the functionality and the versatility that people want? It's a real challenge to try to balance the two. But it's not being driven by the marketing folks. It's actually driven by what people say they want as features in a particular product. . . .

Let's say we're sitting beside each other on the bus to Seattle. I hear you say that you're in computer security, and I say, "Look, I've got this problem. Somebody is messing with my computer, and I don't know where it's coming from." What would you tell me?

First and foremost, I'd tell you to run a virus scan on your computer system. Oftentimes, many of these things are found via a virus scan, even though they may not be specifically a virus, such as some of the Trojan programs. . . . I'd also recommend that you go out to some of the security update sites, which are nothing more than clicking an icon on your browser on your system. It will go out there and search for security updates and install them seamlessly for you.

How big a problem is this tension between convenience and security?

It's a big problem. What happens in most cases is that people want the ease of use and the convenience, without having to go through the extra layers of either adding additional passwords or doing something extra to get what they want. They want to be able to do it anywhere, any time, on any device, and that's always a challenge. Some people will look to circumvent that, because they find it too much of a problem to take the extra 30 seconds or 15 seconds to type in a password. So it's a real balance, and it's a real challenge. Part of it we can we can deal with by having good policies that we enforce. Lately, some of the new operating systems have electronic policies that require people to have strong passwords or they don't get to log in.

Should a company like Microsoft have a department . . . specifically dedicated to identifying and analyzing new bugs?

We have what I call the "product security response center," which, even as early as two years ago, was one or two people. Now they've got a pretty significant staff that deals with just that.

Why is it so hard to fix this stuff?

I don't know. . . . With the complexity of the systems and the things that we're doing, it seems that some of the things keep popping up over and over. As you fix one thing, it opens a door someplace else. I think it's just a matter of time until people start to work with the security fixes in mind, as opposed to some of the ease-of-use stuff. It's a shift in the paradigm from where we were even two to three years ago, to where we're going.

It seems to me that there are three levels of accountability. There's the government, there's the manufacturer, and then there's the poor fellow . . . at the bottom, who feels that he's carrying the main load, while the other two parties aren't helping. Can you give me a point of view from the corporate side of that perception?

I'm not even sure I can do that from a corporate side. I can do that more from the end user. . . . It's not as if it's beyond the realm of understanding for the layperson. I've got an 85-year-old father who every other day clicks on an update site and downloads any patches available. I think that just becomes a very institutionalized part of what day-to-day computing is all about.

But what will it take for everyone to become as smart as your father? It'll take either a lot more initiative on the part of people using these computers, or we should expect a lot more proactivity from a company like Microsoft. Or is the government going to come along and make you do it and make us listen?

I think there's little likelihood that the government will mandate things. They have been very good about saying that they will stay out of the business things and let the market forces drive this, as long as it doesn't compromise national security and the economic structure of the country. And I think the message is very clear that, from the end user perspective, there's a lot more training there's a lot more awareness going around out there now. Classes are being taught--community college-level classes in community centers, in retirement communities. And the companies are taking this a lot more seriously than we did in the past. . . .

When I'm talking to people in this information security industry, I get a much darker, more frightening perspective than I get from you. Is that because you're out on the West Coast, or because you're not in that specific line? . . . What is the reality here?

I'm probably a bit more pragmatic than some of these folks are . . . even going back to the denial of service attacks back in February. Some of the reports of that allege that billions of dollars' worth of business was lost. Well, if that were the case for a five-hour downtime, it would show that that company is making trillions of dollars a year, and it's not realistic. But when you separate through that and look at . . . those of us who work in this business day to day, yes, there are challenges that we have; there are patches that we need to worry about. But we're able to run the business successfully. We're able to do our jobs. It's no worse, in some cases, than a bad winter snowstorm that keeps you from getting in the work for a day or two. In this case, it's electronic.

Does the world need an information technology security industry?

Yes, it does. Yes, it does, particularly until such time as security is institutionalized in all the corporations, in our households, and in programming. There's a real need for a sort of world-class information security group.

This is something that's never going to go away. The greater dependency we have on the IT infrastructure, the richer the environment that we work in--there are going to be those out there who look deliberately to destroy or disrupt that. Consequently, at least for the next 10 years, I would imagine that, at minimum, there will be a really drastic need for the security professionals. . . .

How real, and how theoretical, are these problems: there are terrorists who will shut down everything . . . to the kid using Dad's computer to make airlines crash. Are we just talking about theoretical possibilities, or is there real danger?

. . . Some of the concerns are truly theoretical, and some of them are possible. You mentioned terrorism . . . .That goes back to the potential we've talked about for years and years and years about poisoning towns, water supplies or the mass destruction of societies through biological warfare. That's all theoretical. Is it possible? Under certain circumstances, it is. It's the same thing with this. There are certain circumstances, where we could shut down a 911 system by cutting a cable with a backhoe and taking out a telephone line. Is it possible? Sure it is. Do we have processes in place to try to prevent it? Yes, we do. Are they as good as they should be? Well, we're constantly working on those things, making sure that we have pretty much every eventuality covered, so that these things don't happen.

I'm being led to believe that every time IBM sells a computer, it's selling the potential to shut out the lights or turn off the water.

If that were the case, then every time someone sells a backhoe or a jackhammer or a piece of equipment, you have the potential to cut through a major communication system.

But you're selling a whole lot more computers than you are backhoes.

Yes, but the backhoe can do a lot more damage over a widespread area. It's interesting--if you look back at some of the disruptions we've had, the power outages have been directly related to physical attributes, as opposed to electronic ones.

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation