Prepared Testimony of Scott Charney
Chief Security Strategist
Before the Subcommittee on Terrorism, Unconventional Threats, and Capabilities
House Armed Services Committee, U.S. House of Representatives
Hearing on “Cyber Terrorism: The New Asymmetric Threat”
July 24, 2003
Chairman Saxton, Ranking Member Meehan, and Members of the Subcommittee: My name is Scott Charney, and I am Microsoft’s Chief Security Strategist. I want to thank you for the opportunity to appear today to provide our views on cybersecurity and cyberterrorism. I oversee the development of strategies to implement our long-term Trustworthy Computing initiative and to create more secure software, services, and infrastructures. My goal is to reduce the number of successful computer attacks and increase the confidence of all IT users. Not only do I work on our products and services, but I also collaborate with others in the computer industry, the U.S. Department of Defense (DoD), and across the government to make computing more secure for all users.
Earlier in my career, I served as chief of the Computer Crime and Intellectual Property Section (CCIPS) in the Criminal Division of the U.S. Department of Justice, where I helped prosecute nearly every major hacker case in the United States from 1991 to 1999.
At Microsoft, we are deeply committed to cybersecurity, and we recognize our responsibility to make our products ever more secure. We are at the forefront of industry efforts to enhance the security of computer programs, products and networks, and to better protect our critical information infrastructures. We also work closely with our partners in industry, government agencies, and law enforcement around the world to identify security threats to computer networks, share best practices, improve our coordinated responses to security breaches, and prevent computer attacks from happening in the first place. These efforts accelerated after September 11th and crystallized when Bill Gates launched our Trustworthy Computing initiative in January 2002.
Today, I want to describe the ways in which we believe industry and government are working in partnership to promote cybersecurity. First, I will discuss our commitment to Trustworthy Computing and how it is reflected in our software, our development processes, and our research and development efforts. Second, I will discuss our efforts to join forces with others within the industry to help guard against cyber threats and enhance security for governments, businesses, and consumers. Third, I will address our engagement on cyberterrorism and other cybersecurity issues with DoD. Fourth, I will describe some of my personal experiences with DoD’s efforts to protect against and to respond to cyberattacks, and how these experiences may inform my work in support of DoD missions. Finally, I will offer a few recommendations: steps the government can take to enhance cybersecurity.
The work of this Subcommittee on cybersecurity, terrorism, and unconventional threats is crucial to protecting and enhancing DoD’s abilities to prevent and respond to cyberattacks that may impair DoD’s capabilities and readiness. We deeply appreciate the Subcommittee’s interest in protecting the Defense Department’s civilian and uniformed personnel, and the computer systems upon which they rely, from the determined and unceasing efforts of cybercriminals to inflict substantial damage and disruption. We are committed to working with DoD, the Congress, and industry partners to reduce DoD’s vulnerabilities to cyberattacks, including cyberterrorism, and to strengthen DoD’s capabilities to prevent, identify, characterize, respond to, and deter attacks.
I. Trustworthy Computing Overview
Trustworthy Computing is our top priority and involves every aspect of the company. The focus of Trustworthy Computing is on four key pillars: security, privacy, reliability, and business integrity. The goals of each pillar are not hard to define. Security involves designing programs and systems that are resilient to attack so that the confidentiality, integrity, and availability of data and systems are protected. As for privacy, the goal is to give individuals greater control over their personal data and ensure, as with the efforts against spam, their right to be left alone. Reliability means creating software and systems that are dependable, available when needed, and perform at expected levels. Finally, business integrity means acting with honesty and integrity at all times, and engaging openly and transparently with customers.
The security pillar of Trustworthy Computing is most relevant for today’s hearing. Under this pillar, we are working to create products and services for DoD and all of its customers that are Secure by Design, Secure by Default, and Secure in Deployment, and to communicate openly about our efforts.
“Secure by Design” means two things: writing more secure code and architecting more secure software and services. Writing more secure code means using a redesigned software development process that includes training for developers, code reviews, automated testing of code, threat modeling, and penetration testing. Architecting more secure software and services means designing software with built-in and aware security, so that security imposes less of a burden on users and security features are actually used.
“Secure by Default” means that computer software is secure out of the box, whether it is in a home environment or an IT department. It means shipping software to customers in a locked-down configuration with many features turned off, allowing customers to configure their systems appropriately, in a more secure way, for their unique environment.
“Secure in Deployment” means making it easier for consumers, commercial and government users, and IT professionals to maintain the security of their systems. We have a role in helping computer users help themselves by creating easy-to-use security technology. Due to the complexity of software and the different environments in which it may be placed, software will never be perfectly secure while also being functional. Accordingly, “secure in deployment” means providing training on threats and how to manage them; offering guidance on how to deploy, configure, and maintain software securely; and providing better security tools for users, so that when a vulnerability is discovered, the process of patching that vulnerability is simple and effective.
“Communications” means sharing what we learn both within and outside of Microsoft, providing clear channels for people to talk to us about security issues, and addressing those issues with governments, our industry counterparts, and the public.
To see all of these principles in action, one need only look at our most recently released software: Windows Server 2003. In February 2002, we had all 8,500 developers on the Windows Server team stop developing new code to focus on security. First, they received training on writing secure code. Next, the software went through a three-phase “security push” that involved extensive code reviews, developing threat models to understand where attacks might occur, and, finally, extensive penetration testing by both Microsoft and contract personnel. This effort, which cost over $200 million and delayed the shipment of Windows Server 2003, was a critical step forward and represents significant change in our development process. It is also significant that we are communicating our methodology to others; for example, software developers can use some of the same techniques by reading Writing Secure Code from Microsoft Press.
Last week a vulnerability was discovered and patched for Windows Server 2003. While disappointing, such occurrences are part of major operating system development. These systems – in all platforms, including Windows, Linux, and Unix – will always suffer vulnerabilities. Where we distinguish ourselves is in the processes and systems used to remediate such events, and part of Trustworthy Computing is ensuring that our state of the art security response center provides customers with the solutions and updates they need as quickly and rigorously as possible.
As you can see, the Trustworthy Computing goals are real and specific, and this effort is now ingrained in our culture and is part of the way we value our work. It is demonstrated by our enhanced software development process. It is demonstrated by our continued development of more sophisticated security tools, including threat models and risk assessments, to better identify potential security flaws in our software. It is demonstrated by our formation of what we believe to be the industry’s best security response center to investigate immediately any reported vulnerability and to build and disseminate the needed security fix. It is demonstrated by the tools, templates, and prescriptive guidance, such as configuration guidelines, that we post on our website to help system administrators secure our software in many different environments. And perhaps more clearly than anything else, it is demonstrated by our delay in releasing software for months to continue to improve its security. In short, security is – as it should be – a fundamental corporate value. We make every effort to address software security in the initial design, during development, and before a release, and we remain committed to the security of the software once it has gone to market.
At times, of course, people worry that increased security may lead to an erosion of privacy. It is important to note that while there may at times be tension between the two, in most cases security and privacy are not inevitably in conflict. In fact, we think technology can help protect both simultaneously, especially if companies continue to innovate. For example, customers have long said that they need new ways to control how digital information – such as e-mails and word processing documents – is distributed. In response, we are working on a number of emerging rights management technologies that will help protect many kinds of digital content and open new avenues for its secure and controlled use. For example, we are on the verge of releasing Microsoft Windows Rights Management Services (RMS), a premium service for Windows Server 2003 that works with applications to help customers protect sensitive web content, documents, and email. The rights protection persists in the data regardless of where the information goes, whether online or offline. In this way it allows ordinary users and enterprises to take full advantage of the functionality and flexibility offered by the digital network environment – from sharing information and entertainment to transacting business – while providing greater privacy and better distribution control through persistent protections.
Although we have made major strides, much work on Trustworthy Computing remains ahead of us. One key piece of that work is the Next-Generation Secure Computing Base (NGSCB). This is an on-going research and development effort to help create a safer computing environment for users by giving them access to four core hardware-based features missing in today’s PCs: strong process isolation, sealed storage, a secure path to and from the user, and strong assurances of software identity. These changes, which require new PC hardware and software, can provide protection against malicious software and enhance user privacy, computer security, data protection and system integrity. We believe these evolutionary changes ultimately will help provide individuals, government agencies, and enterprises with greater system integrity, information security and personal privacy, and will help transform the PC into a platform that can perform trusted operations to the benefit of consumers, other computer users, and society as a whole.
II. Inter-Industry Security Efforts
Notwithstanding the robust nature of our own efforts, we recognize that Trustworthy Computing and improved cybersecurity will not result from the efforts of one company alone. And so, we are working in partnership with industry and government leaders to make this Trustworthy Computing goal something that is embraced by the entire industry. To get there, we need stronger standards, as well as a better articulation and implementation of security best practices. Such efforts can help us get out of our historically reactive mode and get into a mode where we prevent, detect, deter and, when necessary, respond by using technology as a tool against cybercrime and potential cyberterrorism.
In April of this year, we joined four other industry partners (AMD, Intel, IBM and Hewlett-Packard) in establishing the Trusted Computing Group (TCG), a not-for-profit organization formed to develop, define, and promote open standards for hardware-enabled trusted computing and security technologies. The primary goal is to help users protect their information assets (data, passwords, keys, etc.) from external software attack and physical theft and to provide these protections across multiple platforms, such as servers, personal computers, PDAs, and digital phones. With regard to best practices, we have worked with private and public partners when establishing configuration guides for systems administrators.
We also helped found the Information Technology – Information Sharing and Analysis Center (IT-ISAC) and provided its first president. The IT-ISAC coordinates information-sharing on cyber-events among information technology companies and the government. Working with other members, we continue to support the IT-ISAC’s efforts to coordinate among members, with the government, and with ISACs for other critical infrastructures. Such efforts are critical because this nation’s infrastructures were and are designed, deployed, and maintained primarily by the private sector. The interdependencies among infrastructure sectors mean that damage caused by an attack on one sector may have disruptive, unpredictable, and perhaps devastating effects on other sectors. Voluntary information sharing and industry-led initiatives, supported by government cybersecurity initiatives, comprise an essential first line of defense against such threats. DoD has a direct and immediate stake in the success of these efforts because of DoD’s reliance upon privately-operated infrastructures.
We believe that the information sharing engendered to date by the IT-ISAC and other ISACs is an important step in enhancing public-private cooperation in combating cybersecurity threats. Yet, there remains room for progress, and we believe that government and industry should continue to examine and reduce barriers to appropriate exchanges of information, and to build mechanisms and interfaces for such exchanges. This effort must involve moving away from ad hoc exchanges and toward exchanges that are built into business and governmental processes. This will require working toward a common understanding of the information that is valuable to share; when, how, and to what extent such information should be shared; how shared information will be used; and the means by which shared information will be protected. The keystones are trust and value – if an information sharing “network” provides value and the participants trust it, then information will be shared. While the appropriate structure and form of this network are still evolving for both industry and government, we are eager to contribute to a robust and enduring exchange of information on cybersecurity threats and will continue to work with government, our industry partners, and the ISAC community toward that goal.
In addition to efforts to coordinate and facilitate information sharing on cyber-events, we are also working with other industry leaders to propose and institutionalize industry best practices for handling security vulnerabilities in ways that more effectively protect Internet users. We are a founding member of the Organization for Internet Safety (OIS), an alliance of leading technology vendors, security researchers, and consultancies that is dedicated to the principle that security researchers and vendors should follow common processes and best practices to efficiently resolve security issues and to ensure that Internet users are protected. Last month, OIS issued for public comment a preliminary draft of best practices for reporting and responding to security vulnerabilities. These draft guidelines provide specific, prescriptive guidance that establishes a framework in which researchers and vendors can work together to improve the speed and quality of security investigations into security vulnerabilities, then jointly provide guidance to help users protect themselves and their infrastructures. OIS will release a revised set of best practices shortly. We view these best practices as an important step in elevating standards for accountability on all fronts and among all audiences in managing security vulnerabilities.
III. DoD-Specific Security Efforts
As I noted earlier, we are committed to working closely with DoD to support its information technology and research. We are keenly aware that any cyberattack against the computer systems of DoD, its allies, or the infrastructures upon which DoD relies may have significant and potentially devastating consequences for our nation. I would like to highlight briefly a few of the areas in which we are partnering with DoD to enhance the security, reliability, and functionality of DoD networks.
We are supporting our DoD customers in keeping their computer systems up to date and in compliance with the Department of Defense Computer Emergency Response Team (DoD CERT) Information Assurance Vulnerability Assessment (IAVA) process. The IAVA process provides positive control of vulnerability notification and corresponding corrective actions within DoD. For example, as United States Air Force Chief Information Officer John Gilligan recently testified before this Subcommittee, the Air Force is fielding state-of-the art computer network and systems management tools, much of whose core capabilities are powered by Microsoft software. The Air Force uses these tools to control and update their systems rigorously and remotely. These capabilities improve the protection of information and enhance the efficiency of software distribution and asset management, as well as network and system troubleshooting. Although patching is a well-recognized problem, we have enabled the Air Force to realize command-wide implementation of patches and updates for anti-virus software fixes within hours or a day instead of the days and weeks it used to require. This includes massive time-savings in complex enterprises such as the Air Education and Training Command, which consists of 42,000 systems across 13 Air Force bases. Additionally, the United States Army Medical Command, with our support, reached 100% security-patch coverage in over 500 systems in less than one month. We are also engaged with the Defense Information Systems Agency (DISA) on a project that will mirror and make immediately available to its DoD customers the patches that we make available on the Internet.
In addition to supporting DoD’s IAVA process, we have outlined a framework that defines the steps necessary to make Microsoft Exchange Server 2003 more secure. That framework also includes the measures that help our government and DoD customers deploy and maintain a secure messaging environment. These efforts help to protect the confidentiality, integrity, and availability of data and systems at every phase of the software lifecycle. For example, an Exchange Server 2003 implementation for the Army Knowledge Online Portal enables the Army to provide a platform that supports its U.S. Defense Message System (DMS). It also supports digitally signing and encrypting e-mail in applications such as Outlook and the web-based Outlook Web Access. Our technology is providing the U.S. Army with an opportunity to consolidate servers, and the U.S. Army expects to use Exchange Server 2003 as one of the center-point technologies supporting its global messaging and information environment.
We are privileged to be a major contributor to the DMS, the designated messaging system created by the Defense Information Systems Agency (DISA) for DoD and supporting agencies. It is a flexible, commercial off-the-shelf (COTS) application using Microsoft Exchange and Outlook, and it provides messaging and directory services using the underlying Defense Information Infrastructure (DII) network and security services. DMS is installed and operational at 270 military installations worldwide and is integral to today’s frontline warfighters. During Operation Iraqi Freedom, for example, DMS won praise for its enhanced capabilities to send attachments such as photos, images and other documents.
DMS provides a message service to all DoD users (including deployed tactical users) and interfaces to other U.S. government agencies, Allied/Coalition forces and defense contractors. We have contributed to DMS over the past eight years, streamlining and hardening the code required to perform unclassified and classified messaging in support of the DoD and others.
We are also helping DoD meet the unique challenges presented by the number of DoD networks, the requirements and trust levels of users, and the sensitivity of information on those networks. Many of today’s enterprise customers manage user access to at least three separate networks: an Intranet, an Extranet, and the Internet. Together, these multiple networks enable users to share information with those inside and outside of their enterprises. The trustworthiness of each of these networks varies according to the level of trust extended to the networks’ users.
For the typical enterprise, trusted hosts – such as firewalls and application proxies – are responsible for controlling the access among these different networks. The trusted host model, when correctly configured and maintained, allows enterprises to secure a small number of network connections and, if necessary, to isolate a network under attack.
Particularly within the agencies responsible for protecting national security, the government has elected to keep certain networks completely isolated. These so-called “air-gapped” networks remain so because it was determined that access to them by an unauthorized user could result in loss of life or grave damage to national security. Users of air-gapped networks, who must also access other networks, are typically required to work at multiple workstations, which impedes their effectiveness.
In addition, the importance and number of these “air-gapped” networks supporting information sharing for both the war on terror and coalition warfighting continues to grow. The need for faster, more efficient information sharing, as well as the need to reduce the hardware footprint, power requirements, and ambient cooling demands on the user’s desktop, is contributing toward the trend of reducing the number of workstations. For these reasons, there is a growing demand within the U.S. Government, particularly within the DoD and the U.S. intelligence community, to provide access to multiple networks through a reduced number of workstations. One possible solution is to provide increased functionality and usability through multiple windows on a workstation that would securely access multiple networks in a compartmentalized fashion.
We are actively engaged with the government on this important security topic and are currently reviewing technical approaches. We are also in discussions with the government on future technical capabilities that will provide rigorous security mechanisms to protect sensitive information while enabling greater information sharing. Our industry colleagues are also working with the government in this field. In the years ahead, these industry-government collaborations will increase the level of the government’s cybersecurity while enhancing the government’s overall effectiveness.
IV. Reflections on DoD’s Efforts to Protect against Cyberterrorism
My experiences at the Justice Department suggest that the government generally, and the Department of Defense in particular, have great bureaucratic challenges ahead. Throughout our history, citizens have relied upon government to protect public safety and national security. But all threats are not the same, and we have created different organizations and mechanisms for addressing different threats. To protect citizens against crime, we hire, train and equip law enforcement personnel. To protect us against those who would steal our military secrets or attack our vital national interests, we rely upon the intelligence community, both affirmatively to collect foreign intelligence, and defensively to engage in counterintelligence techniques. Finally, to address the military threat posed by another state, we fund a military, supporting personnel, equipment and weapons. In short, depending upon the threat, we deploy a different resource, and each resource plays by its own set of rules.
This traditional model works, however, only when one can identify the nature of the attack; specifically, who is attacking and for what reason. This traditional model fails in the Information Age because when computers come under attack, the “who” and “why” are, and may remain, unknown.
The notion that only states have access to weapons of war is no longer correct, at least not if information warfare is considered. Simply put, we have distributed a technology that is far more powerful than most that are placed in the public domain. Traditional vigilance regarding states that support terrorism or political unrest, or are otherwise considered “rogue” (i.e., “nations of concern”) is now supplemented by threats from “individuals of concern,” a far larger pool, and one that is harder to identify and police. As a result, an attack upon DoD may come not only from a foreign nation conducting information warfare, but also from juveniles on the West Coast, as it did in Solar Sunrise, the case name for a widespread attack against DoD that appeared, at least initially, to come from the Middle East. To the extent the nation detects a cyberattack but does not know who is attacking – a juvenile, a criminal, a spy, or a nation-state or terrorist group bent on committing information warfare – the role of the Department of Defense may not be entirely clear.
V. Policy Prescriptions
In the face of this challenge, it remains clear that, in cyberspace, “an ounce of prevention is worth a ton of cure.” But while the efforts outlined above can address many of the security challenges that DoD faces, technology, process, and people alone cannot provide a complete answer. A comprehensive response to the challenges of cybersecurity depends on technology, process, people and appropriate public policy and how these four elements interact with, complement, and reinforce one another. I want to outline a few specific areas where government policy can be particularly helpful in promoting cybersecurity within the government and throughout our infrastructures.
First, the government can lead by example by securing its own systems through the use of reasonable security practices and buying products that are engineered for security. Where appropriate – such as for national security agencies and other agencies, issues, and services for which security is of the utmost importance – the government’s acquisition policies should include purchasing products whose security has been evaluated and certified under the internationally-recognized (and U.S.-supported) Common Criteria for Information Technology Security. We believe that policies requiring the acquisition of software that has received appropriate Common Criteria certifications should be developed and applied consistently and evenhandedly, and we applaud DoD’s recent efforts to make clear that its security policies apply to software that has been developed under all business, development, and licensing models. Such efforts to procure only security-engineered products, and specifically such clear support for the Common Criteria, will help strengthen the government infrastructure. In doing so, the government also will help establish appropriate security practices, which ultimately are necessary to enhance the protection of critical infrastructures.
Second, sustained public support of research and development can play a vital role in advancing the IT industry’s security efforts. Accordingly, we support additional federal funding for cybersecurity research and development (R&D), including university-driven research. The public sector should increase its support for basic research in technology and should maintain its traditional support for transferring the results of federally-funded R&D under permissive licenses to the private sector so that all industry participants can further develop the technology and commercialize it to help make all software more secure.
Third, government has a critical role to play in facilitating information sharing. Government sharing its own information with industry is essential to improve the security of software, to protect critical infrastructures, and to build the value for all participants of the information sharing network. In short, the government must be an active provider as well as an avid consumer of valuable threat and vulnerability information.
We are committed to strengthening the security of our software and services, and are equally committed to working with Congress, DoD, other government agencies, and our industry peers on security issues, whether by offering our views on proposed regulatory and policy measures or by participating in joint public and private security initiatives. In the end, a coordinated response to cybersecurity risks – one that is based on dialogue and cooperation between the public and private sectors – offers the greatest hope for promoting security against cyberattacks and for fostering the growth of information networks that sustain and enhance government’s capabilities and effectiveness.