After a Turbulent Year, Still Some Optimism in the Security World

Despite all of the revelations and accusations and recriminations in the security industry in the last year, Microsoft CSO Scott Charney said he is still optimistic about the industry’s ability to defend users.

SAN FRANCISCO–Despite all of the revelations and accusations and recriminations in the security industry in the last year, Microsoft’s Scott Charney said he is still optimistic about the industry’s ability to defend users. However, that optimism is tempered by concern about the threats those users face from attackers and governments alike.

The threat landscape is an ever-shifting thing, and the last 12 months have seen a massive change in the way that defenders perceive who their adversaries are. Governments and intelligence agencies have been added to many of those lists, and for companies like Microsoft that work closely with governments around the world, but also have hundreds of millions of corporate and home users, this makes for a precarious situation. They are often asked for user data by law enforcement and other government agencies, through court orders and search warrants and other tools.

However, Charney said Microsoft doesn’t simply hand over data any time it gets a request.

“We have never gotten an order for bulk data, and we would fight an order for bulk data,” Charney, corporate vice president, Trustworthy Computing, said during a keynote speech at the ESA Conference here Tuesday.

Microsoft, Google and other tech giants have in recent months been pushing the United States government for the ability to publish more data on the kinds and volume of government requests they get. The government has relented in part, allowing these companies to become slightly more specific about these requests.

On the other side of the coin, Microsoft also shares its source code with governments around the world, something that Charney acknowledged has raised concerns in some circles, with people questioning whether a government could find a new bug in Windows and use it for its own purposes.

“Is it possible a government could find a bug? Sure. But we do code reviews to look for bugs, too,” he said. “We require them to report bugs they find, but how do you enforce that? By the way, you don’t need the source code to find bugs. People find bugs all the time.”

Addressing the issue of government surveillance and the developments of the last year, Charney said he still has faith in the security community’s ability to respond.

“We’ve had hard problems before and we have to address them,” he said. “We have to do this while thinking about which actions are appropriate or not.”
