Feeds

MS makes its pitch on security, cyber terror to House

Dough for Feds, FOI exemptions, don't regulate us...

  • alert
  • submit to reddit

Business security measures using SSL

One of the industry security chiefs strutting their stuff in front of a US congressional subcommittee has been Microsoft Chief Security Officer Howard Schmidt, shameless plugging the "good works" his company's execs do in the name of security while determinedly lobbying in favour of its security policies. The House Energy and Commerce Committee's Commerce, Trade and Consumer Protection Subcommittee (hereafter "the committee") does not have a great deal of track record in security, but in a post September 11 world it's been taking testimony on the subject, and Schmidt's is particularly instructive.

"Exploit code," he told the committee, should not be released publicly by so-called security researchers; this is the company line, and we should expect no less of him. After then paying a brief tribute to Bush cyber security adviser Dick 'Electronic Pearl Harbor' Clarke, Schmidt sets the scene for the tough actions the US (and the rest of the world, but he's worried about Europe) will have to take to avoid cyber-Apocalypse. The big-name security issues (he cites three, one apiece for Microsoft, Linux and Solaris) cost billions, yest the perpetrators are still at large: "Like traditional crime, cyber-crime needs to be opposed with strict criminal laws, strong enforcement capabilities, and well-equipped and highly trained law enforcers.  Yet despite the billions in damage and significant network disruption, many criminal code writers remain at large."

As such, they are a threat to democracy: "In this troubled time, we can expect that some may fall under the control of terrorist organizations and hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources." One might wonder how it is that, if the Feds have been unable to track down these twisted characters, how come Schmidt believes that, say, the Real IRA can. But he doesn't tell us.

He wants tougher penalties for the people the Feds currently can't catch, more money to help them catch them, "state-of-the-art technology [equivalent to that] used by hackers, and increased funding... to place them on par with those they investigate." A weird image of the typical hacker as the owner of banks of state-of-the-art workstations and a Platinum Amex emerges, but we're sure that's not what he means.

Tackling the issue needs greater international co-operation, and a shopping list of exemptions and amendments: "new cyber-crime provisions to the anti-terrorism laws and the criminal code"; "tougher penalties on criminal hackers, such as civil forfeiture of personal property used in committing these crimes"; and "ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb are endangered."

The issue here is that ISPs sharing information could be seen as an offence under the Freedom of Information Act, while IT companies sharing information among themselves could be seen as an antitrust issue. Schmidt wants "an exemption from the Freedom of nformation Act (FOIA) for cyber security information voluntarily shared with the federal government," and notes that George Bush supports this.

Of course, if the government is taking a greater interest in cybersecurity, in assigning adequate resources to catch the criminals and in giving the IT industry the structures it needs to improve security, shouldn't it also set down minimum standards for the industry to adhere to? Er, no:

"Federal security mandates or requirements, such as rules and regulations for patch application, dictates on the type of technology a company must use, or legal requirements that a company declare that it follows some form of security best practices, would have the perverse effect of slowing innovation in the security market.  A rule requiring notice of security practices would also have the unintended consequence of causing companies to gravitate toward accepted practices rather than toward innovative practices.  In sum, there is a critical difference in quality, innovation and thoroughness between security solutions driven by market and private sector pressures and those driven by regulation, bureaucratic timetables and one-size-fits-all approaches.  A serious government-industry partnership can encourage security innovation and implementations, but will falter if regulation is imposed upon information technology businesses."

Government has its uses in some areas, but it should know when to butt out, apparently... ®

Related Link:
Full testimony

Related Stories:
MS throttles research to conceal SW bugs
MS to force IT-security censorship

Choosing a cloud hosting partner with confidence

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.