Feeds

MS makes its pitch on security, cyber terror to House

Dough for Feds, FOI exemptions, don't regulate us...

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

One of the industry security chiefs strutting their stuff in front of a US congressional subcommittee has been Microsoft Chief Security Officer Howard Schmidt, shameless plugging the "good works" his company's execs do in the name of security while determinedly lobbying in favour of its security policies. The House Energy and Commerce Committee's Commerce, Trade and Consumer Protection Subcommittee (hereafter "the committee") does not have a great deal of track record in security, but in a post September 11 world it's been taking testimony on the subject, and Schmidt's is particularly instructive.

"Exploit code," he told the committee, should not be released publicly by so-called security researchers; this is the company line, and we should expect no less of him. After then paying a brief tribute to Bush cyber security adviser Dick 'Electronic Pearl Harbor' Clarke, Schmidt sets the scene for the tough actions the US (and the rest of the world, but he's worried about Europe) will have to take to avoid cyber-Apocalypse. The big-name security issues (he cites three, one apiece for Microsoft, Linux and Solaris) cost billions, yest the perpetrators are still at large: "Like traditional crime, cyber-crime needs to be opposed with strict criminal laws, strong enforcement capabilities, and well-equipped and highly trained law enforcers.  Yet despite the billions in damage and significant network disruption, many criminal code writers remain at large."

As such, they are a threat to democracy: "In this troubled time, we can expect that some may fall under the control of terrorist organizations and hostile nations, and thus we need to address the inadequate enforcement of criminal laws and insufficient law enforcement resources." One might wonder how it is that, if the Feds have been unable to track down these twisted characters, how come Schmidt believes that, say, the Real IRA can. But he doesn't tell us.

He wants tougher penalties for the people the Feds currently can't catch, more money to help them catch them, "state-of-the-art technology [equivalent to that] used by hackers, and increased funding... to place them on par with those they investigate." A weird image of the typical hacker as the owner of banks of state-of-the-art workstations and a Platinum Amex emerges, but we're sure that's not what he means.

Tackling the issue needs greater international co-operation, and a shopping list of exemptions and amendments: "new cyber-crime provisions to the anti-terrorism laws and the criminal code"; "tougher penalties on criminal hackers, such as civil forfeiture of personal property used in committing these crimes"; and "ISPs to have the authority to share information voluntarily with the entire government once they see that life or limb are endangered."

The issue here is that ISPs sharing information could be seen as an offence under the Freedom of Information Act, while IT companies sharing information among themselves could be seen as an antitrust issue. Schmidt wants "an exemption from the Freedom of nformation Act (FOIA) for cyber security information voluntarily shared with the federal government," and notes that George Bush supports this.

Of course, if the government is taking a greater interest in cybersecurity, in assigning adequate resources to catch the criminals and in giving the IT industry the structures it needs to improve security, shouldn't it also set down minimum standards for the industry to adhere to? Er, no:

"Federal security mandates or requirements, such as rules and regulations for patch application, dictates on the type of technology a company must use, or legal requirements that a company declare that it follows some form of security best practices, would have the perverse effect of slowing innovation in the security market.  A rule requiring notice of security practices would also have the unintended consequence of causing companies to gravitate toward accepted practices rather than toward innovative practices.  In sum, there is a critical difference in quality, innovation and thoroughness between security solutions driven by market and private sector pressures and those driven by regulation, bureaucratic timetables and one-size-fits-all approaches.  A serious government-industry partnership can encourage security innovation and implementations, but will falter if regulation is imposed upon information technology businesses."

Government has its uses in some areas, but it should know when to butt out, apparently... ®

Related Link:
Full testimony

Related Stories:
MS throttles research to conceal SW bugs
MS to force IT-security censorship

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.