Software is vulnerable, just like us

 


Last year, Tom Richey joined Microsoft Corp.'s public-sector strategy team for homeland security. The match seemed fitting.

Richey had spent most of his 21-year career as a commissioned Coast Guard officer, commanding a sizable search-and-rescue station and overseeing counterdrug activity in the eastern Caribbean. He received seven Guard commendations, including the Meritorious Service Medal.

Although new as Microsoft's director of homeland security, Richey is no rookie at strategizing. He has been a senior policy adviser to Sen. John F. Kerry (D-Mass.) on matters ranging from economic policy and health care to national defense.

In his first year with Microsoft, the Homeland Security Department standardized on Microsoft products under a 5-year contract. In 2004, Richey plans to pour more software through that pipeline, including mobile and predictive analysis software and sensors for weapons of mass destruction. Meanwhile, the software giant has encountered its own share of security woes.

Richey, an Arizona State University graduate in psychology, spoke with GCN associate editor Vandana Sinha by telephone from his Washington office.

GCN: What is Microsoft's strategy for homeland security?

RICHEY: In my year here, we've reorganized to align ourselves with the Homeland Security Department. We formerly had account managers in different vertical markets. We now have an account manager and an account team that own the DHS account as an enterprise.

GCN: How does that play out in an industry with other dominant software vendors?

RICHEY: Before DHS was formed, one of the things the White House transition team did was inventory the 22 component agencies to see how to build a common enterprise from their disparate IT.

That analysis - there's a spreadsheet available to the public - shows, for example, that 18 of the 22 agencies were using Microsoft Exchange and Active Directory. So it made sense to migrate the other four agencies to Microsoft Exchange for unified messaging.

It's a good investment of public dollars to go with the apparent standard, versus making another IT choice.

Likewise, Oracle Corp. had dominance in the middleware and back-end or database piece, so it made sense for CIO Steve Cooper and chief technology officer Lee Holcomb to migrate to Oracle many of the agencies that were not on Oracle.

GCN: How do homeland defense efforts differ at the state and local level?

RICHEY: I would describe that as the single largest challenge for DHS. What it comes down to is collaboration and coordination - with first responders among themselves first, and then with the federal government.

Resolving the most significant challenges of homeland security will not come internally from DHS. It's going to come from the private sector and from the state and local levels.

Microsoft recognizes its role. We're prototyping a lot of things, deploying a lot of things. Not all of them are the best. Some need further development. We are working very closely with officials at DHS, the Justice and Defense departments, and state governments.

GCN: What's your reaction to the many security breaches that have been found in Microsoft products?

RICHEY: Let me start by saying, we recognize we have a challenge around security. We're not alone in that challenge. Every software vendor has issues about security.

Microsoft's security issues seem to make more news because of our large presence in the federal government, and that makes us a very popular target for folks who would like to perpetrate cybercrimes.

Recognizing that software fundamentally is vulnerable because human beings write the code, Microsoft and Bill Gates are focused on the Trustworthy Computing Initiative. It will take years before we recognize the full impact of that investment.

In all, 8,500 Windows developers were taken off task to learn a new approach to writing code. It cost the company more than $200 million. We've made some pretty significant security accomplishments.

We were recently awarded a Protection Level 3 accreditation for one of our intelligence-sharing solutions by the director of the CIA, which I'm thrilled about. We have Common Criteria certification for Windows 2000, which we're very proud of as well.

GCN: What do you hear from your federal users about these vulnerabilities?

RICHEY: We're working with all our government customers to develop a patching and response mechanism that provides the quickest answer to the virus threat. Products need to be secure in deployment and by default - in other words, opening Windows Server with all the doors shut, versus open as we did in the past. We're getting better at that, but we're not there yet.

GCN: What are you doing about that?

RICHEY: There are a number of prototypes under way. They're not at a level of development that I can talk about at great length. We are making significant progress.

GCN: The Computer and Communications Industry Association of Washington recently asked DHS to reconsider its software contract with you for security reasons. What's your reaction?

RICHEY: The DHS deal was a big one for us - a $90 million contract over five years and 140,000 desktops - a huge, huge win. It's potentially significant in that it established a single enterprisewide agreement for 22 agencies, which prior to this deal had separate licenses with Microsoft.

I applaud the fact that people are worried and focused on the security of the IT infrastructure. I would just add that they're no less focused than Microsoft is.

Microsoft has a significant investment in the federal government IT infrastructure, and government has significant investment in Microsoft. We're working as an industry-and-government partnership to recognize these problems and correct them. And let me just say that all software is vulnerable. There is no vendor out there that is going to escape that reality.

GCN: So when would you say the Trustworthy Computing Initiative will pay off?

RICHEY: Bill Gates has been very public and open about this. He said it's a 10-year process, not a one-fell-swoop exercise. It's a fundamental shift in the way we think and approach the product.

How are we going to know when we're at the end of the journey? Are we going to know because we don't have any more viruses? No, I don't think so. You'll hear Microsoft security experts say that we're always going to have threats and viruses. But we're getting smarter at identifying the key vulnerabilities and eliminating them.

GCN: How does the progress of free Linux software in the federal sector affect you?

RICHEY: I do understand the threat. In fact, free software is an interesting description of Linux. I would look at it more from the perspective of total cost of ownership.

Look at what goes into developing, for example, Microsoft Office. We spend $6 billion or $7 billion a year on the R&D. Those products and their ability to interoperate, not only on the Microsoft platform but with other products, is developed over years. When you look at the value of a license on our software, you're getting all that mind-share in that price.

Does the customer benefit from that same investment in the total cost of ownership for Linux software? I'm confident in saying that Microsoft would lead the pack in full functionality and capability of the product road map and where we're going. I don't see that same depth, I guess, in a Linux software solution.

Look at the total cost before you decide something is free. What if this system breaks? What if there's a vulnerability? Who owns that?

GCN: But don't you see Linux's penetration growing?

RICHEY: I see it, but do I see it becoming stronger? I don't have a prognosis on that. Do I see it being used and explored? Yes, I see it to some extent in the homeland security world. I don't know that it's long-term. It's somewhat of a novelty.

Again, that's great for the market. At the end of the day, these kinds of competitive forces serve the public interest in the best way possible. The customer wins.

What's more

Family: Wife, Maureen; 13-year-old Patricia and 11-year-old Tommy

Last book read: John Adams by David McCullough

Last movie seen: 'Pirates of the Caribbean'

Favorite Web site: aldaily.com, daily arts and letters news from the Chronicle of Higher Education

Leisure activities: Golf, skiing, sailing, fishing and coaching

Motto: 'You never get a second chance to create a first impression.'

Best job: 'Besides the one I'm in? Command of an operational Coast Guard unit.'

Tom Richey, Microsoft's Homeland man