Feeds

MS makes its pitch on security, cyber terror to House

Dough for Feds, FOI exemptions, don't regulate us...

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

One of the industry security chiefs strutting their stuff in front of a US congressional subcommittee has been Microsoft Chief Security Officer Howard Schmidt, shameless plugging the "good works" his company's execs do in the name of security while determinedly lobbying in favour of its security policies. The House Energy and Commerce Committee's Commerce, Trade and Consumer Protection Subcommittee (hereafter "the committee") does not have a great deal of track record in security, but in a post September 11 world it's been taking testimony on the subject, and Schmidt's is particularly instructive.

"Exploit code," he told the committee, should not be released publicly by so-called security researchers; this is the company line, and we should expect no less of him. After then paying a brief tribute to Bush cyber security adviser Dick 'Electronic Pearl Harbor' Clarke, Schmidt sets the scene for the tough actions the US (and the rest of the world, but he's worried about Europe) will have to take to avoid cyber-Apocalypse. The big-name security issues (he cites three, one apiece for Microsoft, Linux and Solaris) cost billions, yest the perpetrators are still at large: "Like traditional crime, cyber-crime needs to be opposed with strict criminal laws, strong enforcement capabilities, and well-equipped and highly trained law enforcers.  Yet despite the billions in damage and significant network disruption, many criminal code writers remain at large."

As such, they are a threat to democracy: "In this troubled time, we can expect that some may fall under the control of terrorist organizations and hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources." One might wonder how it is that, if the Feds have been unable to track down these twisted characters, how come Schmidt believes that, say, the Real IRA can. But he doesn't tell us.

He wants tougher penalties for the people the Feds currently can't catch, more money to help them catch them, "state-of-the-art technology [equivalent to that] used by hackers, and increased funding... to place them on par with those they investigate." A weird image of the typical hacker as the owner of banks of state-of-the-art workstations and a Platinum Amex emerges, but we're sure that's not what he means.

Tackling the issue needs greater international co-operation, and a shopping list of exemptions and amendments: "new cyber-crime provisions to the anti-terrorism laws and the criminal code"; "tougher penalties on criminal hackers, such as civil forfeiture of personal property used in committing these crimes"; and "ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb are endangered."

The issue here is that ISPs sharing information could be seen as an offence under the Freedom of Information Act, while IT companies sharing information among themselves could be seen as an antitrust issue. Schmidt wants "an exemption from the Freedom of nformation Act (FOIA) for cyber security information voluntarily shared with the federal government," and notes that George Bush supports this.

Of course, if the government is taking a greater interest in cybersecurity, in assigning adequate resources to catch the criminals and in giving the IT industry the structures it needs to improve security, shouldn't it also set down minimum standards for the industry to adhere to? Er, no:

"Federal security mandates or requirements, such as rules and regulations for patch application, dictates on the type of technology a company must use, or legal requirements that a company declare that it follows some form of security best practices, would have the perverse effect of slowing innovation in the security market.  A rule requiring notice of security practices would also have the unintended consequence of causing companies to gravitate toward accepted practices rather than toward innovative practices.  In sum, there is a critical difference in quality, innovation and thoroughness between security solutions driven by market and private sector pressures and those driven by regulation, bureaucratic timetables and one-size-fits-all approaches.  A serious government-industry partnership can encourage security innovation and implementations, but will falter if regulation is imposed upon information technology businesses."

Government has its uses in some areas, but it should know when to butt out, apparently... ®

Related Link:
Full testimony

Related Stories:
MS throttles research to conceal SW bugs
MS to force IT-security censorship

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Google opens Inbox – email for people too stupid to use email
Print this article out and give it to someone techy if you get stuck
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.