Elinor Mills Abreu
SAN FRANCISCO: Meet Microsoft's new tough cop: a security czar who says he
will draw heavily on his government background to shore up the holes in
Microsoft's software that make it a popular target for hackers -- one of the
company's top missions for the year.
"I'm going to spend a lot of time commuting between the two Washingtons,"
Scott Charney told Reuters in an interview. Charney assumed his new role as
chief security strategist at Redmond, Washington-based Microsoft on April 1
Charney, formerly the Justice Department's computer crime chief, has two
priorities: reviewing Microsoft's products and working with its customers to
figure out how to protect key area's of the nation's computer infrastructure,
much of which runs on Microsoft software.
"Security has often been a nuisance to handle and we need to change
that," Charney said. That view reflects a striking shift in strategy at
Microsoft, the world's No. 1 software company, which said early this year it had
put security at the top of its priorities even at the expense of adding new
features to its products.
But Microsoft still faces a strong undercurrent of distrust from some
computer security experts. Some argue it should have named a programmer as
security chief if it wanted to fix software problems that require frequent
patches and have prompted complaints from the government, analysts and corporate
users.
Before joining Microsoft, Charney worked as a principal of
PricewaterhouseCoopers' cybercrime prevention unit and served as chief of the
computer crime and intellectual property unit at the Department of Justice from
1991 to 1999.
"He knows a heck of a lot about tracking down the bad guys that are
causing the problem," said Gary McGraw, chief technology officer at Cigital,
a software risk management firm. But, he said, "the new job of Microsoft
should be about preventing crime, building things secure."
Pr or politics?
In a January e-mail to all employees, chairman Bill Gates said increasing the
security of computing was vital to the success of the company's new Web-based
services. Charney's hiring was announced two weeks later.
"Is Bill Gates choosing a lawyer for a reason? What's his view of
information protection: liability, public relations, prosecutions,
politics?" wondered Fred Cohen, a University of New Haven professor of
computer forensics and a pioneer in the anti-virus field. "Or is it about
improving technology?"
Last year was a particularly bad year for Microsoft's image as a string of
nasty viruses, including Nimda and Code Red, left hundreds of thousands of
Microsoft customers at risk.
Problems with Microsoft's Web server software, Internet Information Server,
were so prominent that analyst John Pescatore of Gartner Inc. urged IIS users to
switch to other software and one insurer, J.S. Wurzler, began charging IIS users
higher premiums.
In addition, Air Force chief information officer John Gilligan complained to
Microsoft about having to spend so much money patching his systems.
'Not a techie'
The 46-year-old Charney, who said he enjoys playing folk music on his guitar in
his spare time, takes the criticism in stride. "By Microsoft standards I am
not a techie, although I was programming COBOL when I was 8," he said,
adding that his father was a system administrator who wrote one of the first
computer programs to pay dividend checks by computer.
"My job has two parts, one is the technical stuff and the other is the
policy stuff," Charney added. "I'm surrounded by technical people.
Where I am weak there are many others who are strong." "I have a
fairly broad-based background," the New York native said. "People say
'how can a prosecutor do this?' I think they're thinking of 'Law & Order' on
TV. My real career has been a little more complex than that."
Charney's predecessor also hailed from Washington -- Microsoft chief security
officer Howard Schmidt worked in the Air Force computer crime division and at
the Federal Bureau of Investigation. He left in January to work for the federal
Critical Infrastructure Protection Board.
"Management is often better if they are managers first," Russ
Cooper, editor of the NTBugTraq e-mail list, said in defense of Charney.
"Let the good technologists do the technology and let him find a way to
make it into the process."
Charney conceded that Microsoft needed to improve its patching process and
reduce the number Microsoft needs to release. He also said security functions of
the software would become "more transparent and user-friendly." For
some, the proof will be in the results.
"It doesn't matter what he says; it matters what they do," said
skeptic Bruce Schneier, co-founder and chief technology officer at Counterpane
Internet Security. "Microsoft has a long tradition of lying about security
... I don't need to hear more rhetoric."