SAN FRANCISCO -- Microsoft's chief information security executive today offered insight into how the company plans...
to thwart botnets, secure enterprise cloud computing and help individuals better manage their online identities.
In his keynote address at the 2010 RSA Conference, Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, signaled Microsoft's intent to wage a battle against botnet operators on multiple fronts -- socially and politically by helping companies and individuals understand the botnet problem, and legally through the courts.
Charney referenced Operation b49, a Microsoft-led initiative to neutralize the well-known Waledac botnet. On Feb. 22, a federal judge in Virginia issued an order at Microsoft's request to disable nearly 300 domains allegedly involved in coordinating Waledac, at the time among the world's top 10 most disruptive botnets.
"People have really struggled to understand the threat" posed by botnets and other types of attacks, Charney said. "Some people diminish the threat; some exaggerate the threat; everyone is struggling to get their arms around the threat."
Charney said that's because there are so many different attackers, types of attacks and motives for attacks, and often few ways to differentiate between run-of-the-mill security threats and worst-case scenario cyberwarfare events.
"We need to start to realize this and think about it in a different way," he said, " assign actors and motives when we can, and think about what to do when we can't."
Charney said Microsoft's anti-botnet approach -- which involves reinforcing the threat by working with government, academia, individuals and the courts -- isn't a true remedy, but represents an important step forward by extending the industry's defense-in-depth mantra beyond technology to also include threat response.
Additionally, Charney suggested governments and the security industry at large should consider more aggressive network access control measures for inspecting and cleaning computers before allowing them onto the Internet.
Seeming to anticipate a skeptical response, Charney rhetorically asked the audience whether individuals would accept not being allowed on the Internet for security reasons. Relating it to second-hand smoke, he said society should no longer tolerate putting each other at risk of cyberattacks. He went so far as to wonder whether the market would make such an aggressive network access control service affordable or whether governments would pay for such measures with taxes and fees.
Charney made it clear that a more proactive approach is needed to mitigate today's Internet threats. In a tongue-in-cheek nod to the many pop-up warning notifications offered over the years by Microsoft software, he said his 80-year-old mother and four-year-old son both react the same way on the computer when they encounter a security dialogue box: They simply click OK and ignore it.
"We can't do [security] that way anymore," Charney said. "The attacks are happening at light speed and we need to react in a different way."
Prescott Winter, an RSA Conference attendee and a former government security expert based in Washington DC, largely lauded Microsoft's efforts to mitigate the threats posed by botnets.
"With its role as a technology provider and a services provider, it really has the authority to do that," Winter said. "I think it's the right thing to do."
However, attendee David Herrald, director of information security for Denver-based IP Commerce Inc., questioned the legality of Microsoft taking on the role of Internet defender, and how it's demonstrating damage done by botnets.
Separately, Charney discussed cloud computing security. He touched on the many cloud security issues that exist today, such as the shared responsibility for security between a customer and cloud service provider, the difficulty in conducting and managing forensic investigations and the nebulous nature of ensuring compliance in the cloud.
He also warned that cloud computing threatens to shift the balance of power between the individual and the state. Once sensitive data such as medical and tax records join email in the cloud, governments will no longer need to go to individuals to retrieve personal data, instead they can potentially force cloud providers to turn over records.
"I have always believed IT should not dictate social policy," Charney said. "Create the policies you want, and then align technology to support them."
Identity management was also one of Charney's key themes, including the simultaneous need for anonymity and accountability on the Internet. To that end, he talked up the ability to use U-Prove, Microsoft's cryptographic technology specification, to enable individuals to create multiple digital identities.
"That way," Charney said, "you avoid national identifier arguments, granting people different identities for use at different times. You can pass claims about yourself instead of a whole identification, with limited disclosure tokens enabled, and can execute transaction without releasing too much about yourself."
Charney also revealed that Microsoft will publicly release the cryptography algorithms of U-Prove along with two reference toolkits about using the algorithms. He went on to announce the release of Forefront Identity Manager 2010, which enables enterprise policy-based identity management along with self-service capabilities for end users.
Said Charney: "The key is to get more people to embrace these kinds of technologies to enable the creation of the identity metaspace we've been talking about for quite a while."