Feeds

MS makes its pitch on security, cyber terror to House

Dough for Feds, FOI exemptions, don't regulate us...

  • alert
  • submit to reddit

The smart choice: opportunity from uncertainty

One of the industry security chiefs strutting their stuff in front of a US congressional subcommittee has been Microsoft Chief Security Officer Howard Schmidt, shameless plugging the "good works" his company's execs do in the name of security while determinedly lobbying in favour of its security policies. The House Energy and Commerce Committee's Commerce, Trade and Consumer Protection Subcommittee (hereafter "the committee") does not have a great deal of track record in security, but in a post September 11 world it's been taking testimony on the subject, and Schmidt's is particularly instructive.

"Exploit code," he told the committee, should not be released publicly by so-called security researchers; this is the company line, and we should expect no less of him. After then paying a brief tribute to Bush cyber security adviser Dick 'Electronic Pearl Harbor' Clarke, Schmidt sets the scene for the tough actions the US (and the rest of the world, but he's worried about Europe) will have to take to avoid cyber-Apocalypse. The big-name security issues (he cites three, one apiece for Microsoft, Linux and Solaris) cost billions, yest the perpetrators are still at large: "Like traditional crime, cyber-crime needs to be opposed with strict criminal laws, strong enforcement capabilities, and well-equipped and highly trained law enforcers.  Yet despite the billions in damage and significant network disruption, many criminal code writers remain at large."

As such, they are a threat to democracy: "In this troubled time, we can expect that some may fall under the control of terrorist organizations and hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources." One might wonder how it is that, if the Feds have been unable to track down these twisted characters, how come Schmidt believes that, say, the Real IRA can. But he doesn't tell us.

He wants tougher penalties for the people the Feds currently can't catch, more money to help them catch them, "state-of-the-art technology [equivalent to that] used by hackers, and increased funding... to place them on par with those they investigate." A weird image of the typical hacker as the owner of banks of state-of-the-art workstations and a Platinum Amex emerges, but we're sure that's not what he means.

Tackling the issue needs greater international co-operation, and a shopping list of exemptions and amendments: "new cyber-crime provisions to the anti-terrorism laws and the criminal code"; "tougher penalties on criminal hackers, such as civil forfeiture of personal property used in committing these crimes"; and "ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb are endangered."

The issue here is that ISPs sharing information could be seen as an offence under the Freedom of Information Act, while IT companies sharing information among themselves could be seen as an antitrust issue. Schmidt wants "an exemption from the Freedom of nformation Act (FOIA) for cyber security information voluntarily shared with the federal government," and notes that George Bush supports this.

Of course, if the government is taking a greater interest in cybersecurity, in assigning adequate resources to catch the criminals and in giving the IT industry the structures it needs to improve security, shouldn't it also set down minimum standards for the industry to adhere to? Er, no:

"Federal security mandates or requirements, such as rules and regulations for patch application, dictates on the type of technology a company must use, or legal requirements that a company declare that it follows some form of security best practices, would have the perverse effect of slowing innovation in the security market.  A rule requiring notice of security practices would also have the unintended consequence of causing companies to gravitate toward accepted practices rather than toward innovative practices.  In sum, there is a critical difference in quality, innovation and thoroughness between security solutions driven by market and private sector pressures and those driven by regulation, bureaucratic timetables and one-size-fits-all approaches.  A serious government-industry partnership can encourage security innovation and implementations, but will falter if regulation is imposed upon information technology businesses."

Government has its uses in some areas, but it should know when to butt out, apparently... ®

Related Link:
Full testimony

Related Stories:
MS throttles research to conceal SW bugs
MS to force IT-security censorship

Securing Web Applications Made Simple and Scalable

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.