Government agencies and many private corporations now have the ability "to contact each other and support each other" in the event of threats against their information and other critical systems, says Howard Schmidt, Director of Information Security for Microsoft Corporation. He also cites extensive cooperation among corporations to deal with information warfare questions. "When it comes to security issues, there are very few things that relate to competition," says Schmidt. "We work with our competitors and partners alike to assist in standard developments so that we can all succeed in developing and maintaining good security." Schmidt was interviewed by Managing Editor Dian McDonald.
Question: How do you assess the vulnerability of U.S. critical infrastructures to cyber attack? How prepared is the U.S. to withstand such attacks?
Schmidt: My assessment is pretty consistent with that of the Presidential Commission on Critical Infrastructure Protection: We've got some work to do. These were issues that, as this was being established, were not really at the forefront. As far as our ability to withstand such attacks, I think the President's Commission on Critical Infrastructure Protection has gone a long way to bring together the private and public sectors to be able collectively to withstand these types of attacks and basically do a pretty good job of responding to them.
Q: Have you worked with the commission?
Schmidt: Yes, we have worked with the commission. We have had them out here (in Redmond, Washington) for a couple of meetings. I have been back to Washington, D.C., for a couple of meetings. And, as a matter of fact, we are putting together a pretty good-sized meeting of folks from the government and the private sector, bringing them together to reach agreement on ways to make a better infrastructure.
Q: What organizational changes has your company made as a result of the new threats to technology?
Schmidt: Let me rephrase that question, if I could, because we are not looking at it as threats to the technology. We are looking at it as the use of technology to give somebody an opportunity to go ahead and do something against a larger audience, so to speak. Basically what we are seeing is: the same old types of threats are there, but they are using the newer technology.
In response to that, we created one year ago a program that we are very proud of: the MIAP or the Microsoft Information Assurance Program, which gives us the ability to tie together a lot of the interests internally that would be relative to protecting our information or assuring that our information is valid. We now have under one organizational "umbrella" various programs and functions including our disaster recovery plan, our data retention and classification system, our backup strategy, the information security group itself, the physical security group as it relates to information assurance, as well as the product security group since Microsoft is a software developer.
Under this structure we have the cross-feed and cross-utilization of all the specialties, not only to secure our information and systems, but to make sure that the products that we are working on have the benefit of the experience of those who are in the information security field to help make them better.
Q: In terms of strategies to deal with information warfare, to what extent are you working in concert with other corporations?
Schmidt: Very much so. As a matter of fact, we have a number of different groups: for example, the Information Systems Security Association, which is a non-profit organization whose members are involved in the security field -- for example, representatives of Charles Schwab Company, U.S. Space Alliance, Air Touch Cellular, and different government agencies. We participate in conferences, and we work with the Gartner Group, a big computer consulting firm. We are participants in the initiative of former Senator Sam Nunn, who has been very instrumental in the infrastructure protection arena. He coordinates a recurring security forum down at Georgia Institute of Technology in Atlanta, and we have been a part of that forum as well.
So there is a lot of cross-feed of information, best practices among us in the security field in the private sector. And there are other groups, such as the Federal Computer Investigations Committee and the High Tech Crimes Investigators' Association, that are comprised of both public and private sector representatives who work together in this area. So we've got some really good relationships, and we work very closely together.
When it comes to security issues, there are very few things that relate to competition. We work with our competitors and partners alike, to assist in standard developments so that we can all succeed in developing and maintaining good security.
Q: Can you elaborate on how your organization is working with the government sector in meeting the new challenges to information systems?
Schmidt: We have a couple of different avenues. Of course the product folks who create the products that we all use have very, very close ties with the government workers in all the government agencies to make sure that the products are being built to meet the needs of government in securing the critical infrastructure.
On the other side of it, as an online service provider, we are as well part of the infrastructure ourselves, and we work very closely, for example, to provide technical expertise to assist those individuals who conduct online investigations. We now have a "24 by 7" (24 hours a day, 7 days a week) hotline number for the law enforcement community as it relates to investigations of people doing things illegally on the Internet.
Also we have recurring best practices meetings. We do a lot of presentations at government meetings. For example, I delivered a keynote speech at the National Defense University in Washington, D.C., a few months back. I was at the "Defending CyberSpace '98 Conference" in D.C. in September. We participate in those types of forums, sharing our mutual experiences to the betterment of all of us in the field.
Q: Do you believe that the government should play a more prominent role in protecting critical infrastructures, and, if so, what could that role be in your view?
Schmidt: Basically, I believe that the government should continue in the role of working together with the private sector. I think that Presidential Decision Directive 63 (PDD 63), which established the Critical Information Assurance Office, really lays out a good framework for putting the government in a good position to work with the private sector. And I think that with that governmental role -- and without new legislation or new rules or regulations -- we can go a lot further to work with the government to make sure that critical infrastructures indeed remain a protected resource.
Q: Do you see clashes of philosophy in the United States between corporate information requirements and government security concerns?
Schmidt: Basically I don't see a clash. I think what we see in that vein is that we all are looking to make sure that we have maximum security while protecting the privacy of our corporate information, government information, personal information, and things of that nature. So even though there may be some differences in terms of how we approach the issues, I think the critical point is the fact that we all agree that we need to work collaboratively to ensure that the infrastructure is protected.
Q: How can the public and private sectors work together better to develop effective defensive capabilities against terrorist or other hostile action?
Schmidt: I think I have pretty much addressed that, but the bottom line is: we now have with various government agencies and a lot of the different corporations the ability to contact each other and support each other in the event that anything like this should take place. And I think we are in pretty good shape when it comes to providing technical expertise to law enforcement support groups. Obviously, we are still working out some of the ways to institutionalize and formalize these procedures more, but I see us doing that now and continuing to do it and do it better.
Q: How does Microsoft build security into its products to help customers protect themselves?
Schmidt: That is something that is kind of beyond my area of responsibility, but what I can say is that Microsoft representatives meet regularly with their customers. We all have concerns about security. Microsoft's product development employees constantly are working to ensure that all of their products are more secure, and they work with us and the information security professionals because we run our own products up here. So there is constant feedback, making sure that the products are as secure as they can be now -- and in the future, as more vulnerabilities may be discovered out there.
Q: Do you believe that with current technological controls, protection is now possible against computer viruses and cyberterrorists?
Schmidt: There has been a lot of publicity recently about different viruses and other things that are out there. Obviously, it's just like any other type of illicit activity as these things are discovered. We, in the private sector and government, work collectively to counter them and to make sure that we stay ahead of such threats, as well as look to the future to try to predict what somebody might try to do. As long as we have the sharing of information and the great information systems that we all rely on, there will be people who will try to do something against those systems. But the bottom line is: with technology and human education and awareness of the risks, I think we can do a pretty good job of handling any of the protective issues related to them.
Q: Have you developed technology that could protect a company from an unrelenting deluge of e-mail messages from a cyberterrorist?
Schmidt: Yes. There are a number of resources built in and a number of updates and patches that we have put on our products and that other companies have put on their products to alleviate this sort of a problem. Also, there are some companies that we work with in our Security Partners Program that have developed some really, really good tools -- by tools, I mean computer programs -- that would really help to protect against denial of service attacks and e-mail bombs and things of that nature. We have come a long way in fixing that problem.
U.S. Foreign Policy Agenda, USIA Electronic Journal, Vol. 3, No. 4, November 1998