Towards Trustworthy Computing: Security Strategy

Date September 9, 2003
Speaker Scott CHARNEY(Chief Trustworthy Computing Strategist, Microsoft Corporation)
Moderator IKEDA Nobuo(Senior Fellow, RIETI)
Commentator TAKAGI Hiromitsu(Team Leader, Secure Programming Team, Grid Technology Research Center, National Institute of Advanced Industrial Science and Technology)INNAMI Tomohiro(Director, Information Security Policy Office, Commerce and Information Bureau, METI)



Hiromitsu Takagi: Secure by default and by design are crucial and I am happy to hear that your organization is pursuing these objectives. Microsoft's response team is prompt and capable compared to its competitors' teams. During my research, however, I have found that your Clipboard application is vulnerable to snooping.

Scott Charney: Most viruses exploit flaws that secure by default sometimes can help, and sometimes cannot help.

Hiromitsu Takagi: Is "protect your PC" a global advertising campaign or is it exclusive to the Japanese market?

Scott Charney: It is a global campaign to encourage users to use anti-virus software, patches, and firewalls.

Tomohiro Innami: I would like to talk about the Blaster virus in Japan. This is my private opinion, not that of the Ministry. Many people call METI and ask, "What is Windows update?" Literacy is low. The Microsoft helpdesk line is always busy. Does Microsoft feel a corporate responsibility to improve this situation? No one is satisfied with Microsoft's attitude.

Scott Charney: Microsoft started as a consumer company. There is not enough use of Windows update. We are looking into whether auto-update should be turned on by default. We must automate more of this process. I agree that we do not have enough people to handle crises at call centers. But even if we hired 5,000 more technicians, the benefit would be marginal. Customers would still have to wait for their call to get through. And what would these hires do when the crisis subsides? It is best if we find ways to work with other organizations, like governments. We are talking about priority routing on the Internet, so that the patches get distributed before the worm does. This will require some redesign of the Internet. Blaster showed that we needed to scale up and look at faster delivery methods. Preventing Blaster was, to some degree, our responsibility.

Questions and Answers

Q: Are we entering an era where worms could overwhelm us?

A (Scott Charney): No, worms have exploited buffer overruns that will be removed from the code. Also, we have to live with some threat in computing, just as we do in other aspects of life. This is risk management, not risk elimination. The stand down and review cost us $200 million alone.

Q: Japan, China, and Korea are considering developing software to compete with Microsoft. Will these represent competitive threats?

A (Scott Charney): Linux and competitive threats have re-galvanized our company.

Q: Can you comment on product liabilities?

A (Scott Charney): Product liability is more complicated than software. In the US, those focusing on product liability have argued that it may be a way to motivate the markets. But the companies will have to pass on the costs to the consumers or investors. Someone has to pay for it. This is fine as long as it motivates the right behaviors. It must be done in a fair way.

Q: Is there a renewed need for international cooperation?

A (Scott Charney): Absolutely. There are difficult sovereignty issues that have not yet been dealt with. Sometimes the jurisdiction does not have the proper institutions to deal with the crime; witness the response to the "I love you" virus in the Philippines. We must continue harmonizing laws.

Q: What is your assessment of China's cooperation in trustworthy computing? Was the recent blackout in the US related to a computing problem?

A (Scott Charney): China is an important market. We are working with the Chinese government, letting them see code, in order to build trust. It is challenging because intellectual property rights are not strong in China. It is premature to say what the cause of the blackout was, but the evidence to date suggests that it was a physical, rather than software, problem. The investigation is ongoing.

A (Tomohiro Innami): I see on your flowchart that the government should be included in your trustworthy computing efforts in Japan, but there is no mention of METI. Please insert METI if you believe we can cooperate.

A (Scott Charney): We would be happy to include METI-it is always high on our list, as it is an important agency.

Q: Security measures seem to inhibit the free flow of ideas, the very purpose of the Internet. Is this issue on your mind?

A (Scott Charney): Absolutely. The products we design give the end user freedom of choice. There has been a social shift. People began to isolate themselves with firewalls, but started to let in their friends and colleagues, producing holes in their firewalls. Pretty soon, there were many people inside the firewalls. We cannot protect our boxes; we can only protect the data inside our boxes. The difficulty is that copying is binary-either you allow it or you don't. Fair use is about the purpose, and it is difficult to enforce fair use by computer. The market is moving toward a preference for security. When cars were first built, there were no traffic lights. The world has changed for the Internet too.

*This summary was compiled by RIETI Editorial staff.