Microsoft's security chief assesses cyberterrorism threat

In an interview, Scott Charney, chief security strategist at Microsoft, speaks about his concerns for IT professionals during the war with Iraq and Microsoft's efforts to improve the security of its products.

How will the war impact your role at Microsoft?

Most of us don't believe that a major cyberterrorist attack is imminent for a host of reasons.

Historically, we haven't seen cyberterrorism attacks, and there's a lot of speculation on why that's so. 

First, it's not actually so easy to bring down the networks. There's a lot of redundancy and a lot of resiliency. Second, it doesn't create the kind of graphic pictures that terrorists often want. Third, it doesn't create the kind of fear that terrorists want.

Most of us who worry about cyberterrorism worry less about a global attack on the infrastructure as opposed to a specific, co-ordinated attack on an infrastructure. Had they attacked wireless communications provider, Verizon, 10 minutes before the planes hit the tower, the disruption of the communications networks through cyber would have made it much harder to restore when you started replacing the physical parts of the network.

From the perspective of IT staff who are at home or perhaps have international operations, what should they be wary of or thinking about over the next couple of weeks?

When I think about 11 September, it had a broad impact on the cybercommunity. The reason it changes their thinking is because it made them re-evaluate risk - perceived risk versus real risk.

If on 10 September I had said to anyone anywhere, "What are the odds of four planes being hijacked, three of them hitting buildings?", they'd say, "Slim to none". But then on 12 September, it was 100%.

So even in the cyberworld, people started to ask, "OK. We don't think it's likely the whole internet could be brought down or terrorists would target us. But we didn't think they were going to do that either."

Companies should be asking themselves, "Are we in an infrastructure that might be targeted by terrorists? Am I in an infrastructure that's supporting military operations and therefore may be a target?"

If you are, you should say, "Am I configured correctly? Have I run lockdown tools? Am I up to date on my patches?"

Have you found that most IT professionals reacted to 11 September as a wake-up call?

Some people took it as a wake-up call and acted on it. I think some people didn't - they say it's not a cyberevent. I also think a combination of that and some other things, like Slammer (the worm which targeted Microsoft SQL servers earlier this year) for example, make it clear that suppliers certainly have to make it easier for customers to manage their set-ups.

You said there are lots of things Microsoft could do better in the area of security. What, in your estimation, is the highest priority?

The number one priority for us is patch management. It absolutely has to be. We have a patch management working group now that spans the company. We need to be talking about things in the same terms. We need a common installer so that patches install the same way. We need patches to register with the operating system in the same way so we can scan for it later and see if you're patched. We need the ability to uninstall. Some people wrote installers with uninstallers. Some didn't.

And we need to improve the tools that allow you to scan to see if you're patched, because today, the tools don't run across the suite of Microsoft products.

What's the timetable for the patch management improvements?

We've got eight installers today. Within a year, I want to get down to two - one for applications and one for the operating system. I'm always cautious about going public with road maps because you run into challenges you didn't anticipate.
