Microsoft's Charney says consumers play 'a huge part' in security risks

He also wants a federal law governing corporate data breaches

As corporate vice president of Trustworthy Computing (TwC) at Microsoft, Scott Charney is among those at the helm of the company's long-standing efforts to improve the security of its products. In an interview with Computerworld, Charney -- a former federal prosecutor of computer crimes and an assistant district attorney in Bronx, New York, before that -- talked about TwC, the changing threat environment and what security fears keep him awake at night.

This is the second half of a two-part interview. Part 1 is here.

When it comes to security, what about consumers and the risk they pose to the ecosystem?

They play a huge part, and it is a somewhat challenging situation. One of the things I talk about often is my mom, because she is 78 and she's found e-mail. I remember encouraging her to get broadband because she was using dial-up. I told her she really needed to get broadband, but to make sure to have a firewall -- and she asked me why broadband causes fires. The reality is my mom doesn't want to become a system administrator, and she does not want to become a security administrator. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that. At the same time, we know users will click OK on any dialog box, and you have to find a way to manage these things. It is really critical that the IT industry does a much better job of what I call security usability. As I said, my mother does not want to configure a firewall; she doesn't want to have to manage her antivirus. She wants it to be like the telephone or the television, where she turns it on and it works.

So who is responsible for securing consumers?

One of the reasons that enterprises are secure is that they have a CIO, a CSO and people dedicated to making sure the network is functioning and secure. Who is the CSO or the CIO for the consumer? The answer, of course, is not simple. Some access providers have the ability because they are the point of entry to the Internet to do network access control and provide tools to help keep their customer clean, and some are doing that. And then vendors who are on the desktop certainly have an obligation to produce more secure code and be more manageable. So it's kind of a shared responsibility between the consumer, the access provider and the vendor. It is not really an equal partnership. There have to be clear roles and responsibilities. Consumers feel they are educated about responsible behavior online -- and they should be -- but they can't remove vulnerabilities from the code. That has to be our job. So when you think about defense in depth, different things happen at different places, so you have to be clear about who owns each point.

Several high-profile data breaches have prompted some to call for government action. What kind of role should the government have?

I think data breach laws are a good idea, and Microsoft has actually been an advocate of federal law in this area. The real problem is: Can the laws be realistic and manageable? At times, the government has said maybe we need a product liability law for software. OK, what would that law say? That you should build bug-free code? That can't be right. That you should use reasonable practices? I think with the SDL [Software Development Life Cycle] we are doing that. So what would you have me do that I am not doing today? And is it to allow regulators to look at what we are doing? Or is it to allow individuals to pursue class-action suits, in which case we would have to divert a lot of the money we are spending on security to spend it on legal fees and lawyers because it is going to create a huge industry? And what do you do with the developer in the garage? I mean one of the great things about IT is the low barrier to entry. When you put a product liability regime around something, the low barrier of entry goes away. And what would you do with the open-source, not-for-profit company? You can't hold Microsoft liable because we are a commercial entity with shareholders and not hold Linux liable for making the same mistakes. I actually think the product liability debate is a complicated.


Jaikumar Vijayan
