Feeds

MS makes its pitch on security, cyber terror to House

Dough for Feds, FOI exemptions, don't regulate us...

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

One of the industry security chiefs strutting their stuff in front of a US congressional subcommittee has been Microsoft Chief Security Officer Howard Schmidt, shameless plugging the "good works" his company's execs do in the name of security while determinedly lobbying in favour of its security policies. The House Energy and Commerce Committee's Commerce, Trade and Consumer Protection Subcommittee (hereafter "the committee") does not have a great deal of track record in security, but in a post September 11 world it's been taking testimony on the subject, and Schmidt's is particularly instructive.

"Exploit code," he told the committee, should not be released publicly by so-called security researchers; this is the company line, and we should expect no less of him. After then paying a brief tribute to Bush cyber security adviser Dick 'Electronic Pearl Harbor' Clarke, Schmidt sets the scene for the tough actions the US (and the rest of the world, but he's worried about Europe) will have to take to avoid cyber-Apocalypse. The big-name security issues (he cites three, one apiece for Microsoft, Linux and Solaris) cost billions, yest the perpetrators are still at large: "Like traditional crime, cyber-crime needs to be opposed with strict criminal laws, strong enforcement capabilities, and well-equipped and highly trained law enforcers.  Yet despite the billions in damage and significant network disruption, many criminal code writers remain at large."

As such, they are a threat to democracy: "In this troubled time, we can expect that some may fall under the control of terrorist organizations and hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources." One might wonder how it is that, if the Feds have been unable to track down these twisted characters, how come Schmidt believes that, say, the Real IRA can. But he doesn't tell us.

He wants tougher penalties for the people the Feds currently can't catch, more money to help them catch them, "state-of-the-art technology [equivalent to that] used by hackers, and increased funding... to place them on par with those they investigate." A weird image of the typical hacker as the owner of banks of state-of-the-art workstations and a Platinum Amex emerges, but we're sure that's not what he means.

Tackling the issue needs greater international co-operation, and a shopping list of exemptions and amendments: "new cyber-crime provisions to the anti-terrorism laws and the criminal code"; "tougher penalties on criminal hackers, such as civil forfeiture of personal property used in committing these crimes"; and "ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb are endangered."

The issue here is that ISPs sharing information could be seen as an offence under the Freedom of Information Act, while IT companies sharing information among themselves could be seen as an antitrust issue. Schmidt wants "an exemption from the Freedom of nformation Act (FOIA) for cyber security information voluntarily shared with the federal government," and notes that George Bush supports this.

Of course, if the government is taking a greater interest in cybersecurity, in assigning adequate resources to catch the criminals and in giving the IT industry the structures it needs to improve security, shouldn't it also set down minimum standards for the industry to adhere to? Er, no:

"Federal security mandates or requirements, such as rules and regulations for patch application, dictates on the type of technology a company must use, or legal requirements that a company declare that it follows some form of security best practices, would have the perverse effect of slowing innovation in the security market.  A rule requiring notice of security practices would also have the unintended consequence of causing companies to gravitate toward accepted practices rather than toward innovative practices.  In sum, there is a critical difference in quality, innovation and thoroughness between security solutions driven by market and private sector pressures and those driven by regulation, bureaucratic timetables and one-size-fits-all approaches.  A serious government-industry partnership can encourage security innovation and implementations, but will falter if regulation is imposed upon information technology businesses."

Government has its uses in some areas, but it should know when to butt out, apparently... ®

Related Link:
Full testimony

Related Stories:
MS throttles research to conceal SW bugs
MS to force IT-security censorship

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.