As corporate vice president of Trustworthy Computing (TwC) at Microsoft, Scott Charney is among those at the helm of the company's long-standing efforts to improve the security of its products. In an interview with Computerworld, Charney -- a former federal prosecutor of computer crimes and an assistant district attorney in Bronx, New York, before that -- talked about TwC, the changing threat environment and what security fears keep him awake at night.
This is the second half of a two-part interview. Part 1 is here.
When it comes to security, what about consumers and the risk they pose to the ecosystem?
They play a huge part, and it is a somewhat challenging situation. One of the things I talk about often is my mom, because she is 78 and she's found e-mail. I remember encouraging her to get broadband because she was using dial-up. I told her she really needed to get broadband, but to make sure to have a firewall -- and she asked me why broadband causes fires. The reality is my mom doesn't want to become a system administrator, and she does not want to become a security administrator. You have to educate consumers not to make mistakes like clicking on attachments from unknown sources and not following links and all of that. At the same time, we know users will click OK on any dialog box, and you have to find a way to manage these things. It is really critical that the IT industry does a much better job of what I call security usability. As I said, my mother does not want to configure a firewall; she doesn't want to have to manage her antivirus. She wants it to be like the telephone or the television, where she turns it on and it works.
So who is responsible for securing consumers?
One of the reasons that enterprises are secure is that they have a CIO, a CSO and people dedicated to making sure the network is functioning and secure. Who is the CSO or the CIO for the consumer? The answer, of course, is not simple. Some access providers have the ability because they are the point of entry to the Internet to do network access control and provide tools to help keep their customer clean, and some are doing that. And then vendors who are on the desktop certainly have an obligation to produce more secure code and be more manageable. So it's kind of a shared responsibility between the consumer, the access provider and the vendor. It is not really an equal partnership. There have to be clear roles and responsibilities. Consumers feel they are educated about responsible behavior online -- and they should be -- but they can't remove vulnerabilities from the code. That has to be our job. So when you think about defense in depth, different things happen at different places, so you have to be clear about who owns each point.
Several high-profile data breaches have prompted some to call for government action. What kind of role should the government have?
I think data breach laws are a good idea, and Microsoft has actually been an advocate of federal law in this area. The real problem is: Can the laws be realistic and manageable? At times, the government has said maybe we need a product liability law for software. OK, what would that law say? That you should build bug-free code? That can't be right. That you should use reasonable practices? I think with the SDL [Software Development Life Cycle] we are doing that. So what would you have me do that I am not doing today? And is it to allow regulators to look at what we are doing? Or is it to allow individuals to pursue class-action suits, in which case we would have to divert a lot of the money we are spending on security to spend it on legal fees and lawyers because it is going to create a huge industry? And what do you do with the developer in the garage? I mean one of the great things about IT is the low barrier to entry. When you put a product liability regime around something, the low barrier of entry goes away. And what would you do with the open-source, not-for-profit company? You can't hold Microsoft liable because we are a commercial entity with shareholders and not hold Linux liable for making the same mistakes. I actually think the product liability debate is a complicated.