Can be Done to Reduce the Threats Posed by Computer Viruses and Worms
to the Workings of Government?"
Security Response Centers
Subcommittee on Government Efficiency,
and Intergovernmental Relations
Mr. Chairman and Committee Members, thank you for
the opportunity to appear today at this hearing on reducing the threats
posed by computer viruses and worms to the workings of the U.S. Government.
My name is Scott Culp, and I am the Manager of the Microsoft Security
Response Center at Microsoft Corporation. I wish to commend the Chairman
and the Committee for leadership on the issue of government computer security.
It is a matter we take with grave seriousness, not only because the U.S.
Government is one of our largest customers but also as a matter of civic
Mobile hostile code, which includes computer worms
and viruses, poses an ongoing threat to the security of Internet-connected
systems. The recent Code Red virus is the latest reminder of the widespread
damage that worms and viruses can cause. Indeed, the Morris Worm disabled
portions of the Internet as long ago as the late 1980s and caused a level
of frustration and anger comparable to the publicized viruses and worms
of the past year.
Countering worms and viruses is a challenge that
the entire information-technology industry must address. We know that
every vendor’s platforms can be affected. The Code Red virus was aimed
at Microsoft’s programs, and we are one of its victims as well as one
of its targets. Concomitantly, our colleagues and peers from other software
platforms, both proprietary and open source, have been victimized by worms
such as Lion, Ramen, and SADmin.
As a society, we must recognize that hostile code
is, ultimately, a human activity and, in particular, a criminal activity.
To counter this threat, we are doing innovative work on several fronts
that we believe will make our software significantly more resistant to
worms and viruses and thus will benefit the U.S. Government – and all
of our customers. We also support the responsible handling of vulnerability
information by the software industry itself.
Microsoft’S efforts To improve computer security
Microsoft is an industry leader, and we take this
responsibility seriously in all its aspects and especially regarding security.
Our efforts to improve computer security cover a wide array of security
considerations. I will discuss four of these today: (1) improving software
development; (2) our state-of-the-art Microsoft Security Response Center
(MSRC); (3) the MSRC’s war on hostile code; and (4) our senior
executives’ leadership in the Nation’s critical infrastructure protection
A. Improving Software Development
To limit the number of vulnerabilities, we recently
announced an ambitious program called the Secure Windows Initiative with
the goal of nothing less than a generational improvement in our development
practices. The Secure Windows Initiative includes several elements, as
First, we are providing advanced training to our
own developers so that they better understand the most current threats
Second, we have developed superior code analysis
tools that root-out subtle flaws that may result in vulnerabilities. These
tools can perform a level of inspection and analysis that far exceeds
what human reviewers could perform. The initiative is also helping to
assure the quality of our products by broadening the use and scope of
automated testing tools that we apply to our own software code. In other
words, we have developed more innovative tools to test our own software
with far greater complexity and depth than ever before.
Third, we have expanded the use of non-traditional
testing methods to test our software, including "penetration test-teams"
which intentionally attempt to break into our products. We also recently
created an organization outside of Microsoft’s normal development framework
that provides independent testing.
Finally, we work closely with third-party experts
including NAI Labs and the International Computer Security Association,
as well as closely with security experts in the U.S. Government and the
British Government as part of their respective security evaluation processes.
Indeed, Microsoft has a source-licensing program with over 100 different
non-governmental review organizations that have access to our source code
and the ability to review it for vulnerabilities. Through these tools
and techniques, we intentionally attack our own products to find any vulnerability
and to resolve any problems.
B. Microsoft’s Security Response
No software firm has yet built a product without
vulnerabilities. Some of these vulnerabilities are subsequently exploited
by criminals. Because our customers’ security is a paramount concern for
Microsoft and in order to counter this criminal activity, Microsoft –
like other software companies – has developed a security response mechanism.
We believes that our security response mechanism,
called the Microsoft Security Response Center (MSRC), is the industry’s
state of the art. The MSRC thoroughly investigates all reported vulnerabilities
and then builds and disseminates any needed security updates. These are
delivered through a free mailing list with over 200,000 subscribers and
through automated sites like WindowsUpdate which provide consumers with
current security information.
Despite our state-of-the-art security response
process, we recognize that – as Code Red illustrated – further improvements
are needed. The vulnerability that was eventually exploited by Code Red
was reported to us in June of 2001. We developed a patch in roughly ten
days and publicized the patch for over 6 weeks prior to Code Red’s appearance.
We believe that our initial efforts spared many of our customers from
being significantly affected by the worm.
D. Combating Hostile Code
While we must find and fix vulnerabilities, we
must also wage a "war on hostile code" – which is precisely
what we announced at the RSA Data Security Conference in April of 2001.
This broad-ranging initiative includes the following initiatives:
First, the Microsoft Outlook Email Security Update,
which we released as a stand-alone update over one year ago, is now built
into the recently-released Outlook 2001. This directly addresses threats
like the "Melissa" or "I Love You" viruses that trick
end-users into undermining their own security and then manipulate functions
within the users’ e-mail system.
Second, we integrated a personal firewall into
Windows XP that helps avoid attacks against home-users who utilize DSL
or cable connections with the Internet.
Third, we added software restriction policies in
Windows XP that allow a systems administrator to configure exactly what
software can and cannot run on the system. In other words, even if hostile
code gets on a particular machine, these restrictions defang it and prevent
it from running.
E. Microsoft’s Executive
Our involvement in computer security begins with
the leadership of our senior executives. Microsoft's senior executives
are fully engaged in the U.S. Government’s security policy initiatives,
international outreach, and creation of a vision for a more secure computing
For example, Bill Gates, Microsoft’s Chairman and
Chief Software Architect, received a presidential appointment to the National
Infrastructure Assurance Council (NIAC). The NIAC is intended to advise
the President and encourage cooperation between the public and private
sectors to address physical threats and cyber threats to the Nation's
Craig Mundie, Microsoft’s Senior Vice President
and Chief Technical Officer for Advanced Strategies and Policy, received
a presidential appointment to the National Security Telecommunications
Advisory Council (NSTAC). The NSTAC advises the President on policy and
technical issues associated with telecommunications.
Steve Lipner, Microsoft’s Lead Program Manager
for Security, serves on the Congressionally-mandated Computer Systems
Security and Privacy Advisory Board.
Finally, Howard Schmidt, Microsoft’s Corporate
Security Officer, is deeply involved in G8 and United Nations initiatives
and serves on the Board of the Partnership for Critical Infrastructure
Security, a cross-sector, cross-industry effort supported by the National
Security Council and the U.S. Department of Commerce. He recently participated
in a U.S.-Australia bilateral meeting on critical infrastructure protection
led by the U.S. Departments of State and Commerce. Moreover, he is the
first president of the information technology industry’s Information Sharing
and Analysis Center to coordinate information-sharing among information-technology
companies and with the U.S. Government.
Our senior executives care passionately about security.
They drive our thinking on what we need to do in the decades ahead to
create a more secure Internet infrastructure, and they simultaneously
play a leading role in shaping the general U.S. technological and policy
LARGER COMMUNITY EFFORTS TO IMPROVE COMPUTER SECURITY
In this digital age, we have all been awed by what
technology can do to facilitate communication, productivity, commerce,
and learning. Yet technology is not a panacea that by itself will defeat
hostile code written by criminals. To be perfectly clear: This is a battle
of good versus evil. We employ innovative and intelligent software developers,
but there are also tremendously innovative computer criminals who have
as their mission the penetration and stealing of digital information.
Just as no one has built a truly impenetrable house or car, no one has
produced impenetrable software. We will always face online criminals just
as we always face home burglars or car thieves, and we will never see
the end of the battle for computer security.
Our society does not tolerate people breaking into
brick-and-mortar homes and businesses, but our society inexplicably seems
to have more tolerance for computer break-ins. Yet breaking into computers
is just as much a crime as breaking into brick-and-mortar homes and businesses,
and both types of break-ins harm innocent people and weaken American businesses.
Computer attacks need to be treated as the criminal activities that they
most assuredly are.
Accordingly, Microsoft strongly supports enforcement
of our society’s cybercrime laws. To this end, Microsoft works closely
with domestic and international law enforcement. We actively participate
in U.S. Government efforts to increase critical infrastructure protection,
such as our support for legislation that facilitates information sharing
between industry and government. And we strongly support increased funding
for computer crime enforcement. As an example of our close relation with
law enforcement, we reported our knowledge of the "I Love You"
virus to the U.S. Government within minutes of learning of it, and the
U.S. Government acted on the report several hours later. We welcome the
continuation, expansion, and improvement of these collaborative efforts.
And we support the bolstering of cybercrime law enforcement by the U.S.
Furthermore, Microsoft believes that community
consensus is needed concerning the handling of vulnerability information.
We have very strong relations with many third-party security entities,
and both Microsoft and the larger community benefit greatly from their
expertise. Most security researchers handle security vulnerabilities responsibly:
They report such vulnerabilities to the vendor and then work with the
vendor to develop a fix. When the remedy is completed, they assist in
notifying the user community about the vulnerability and the available
solution. This process produces a net gain in online security and is one
that should be promoted.
In sum, Microsoft takes its responsibility as an
industry leader and as a technology provider to the U.S. Government, to
the Nation, and to the world very seriously. We demonstrate this through
Microsoft’s Secure Windows Initiative, the Microsoft Security Response
Center, our efforts to combat hostile code, and our executive leadership’s
involvement in governmental initiatives. While we engage in state-of-the-art
work to improve computer security, violations of computer security are
ultimately criminal activity. We are proud of our active support of and
close collaborative relationship with law enforcement in its efforts to
investigate and prosecute these criminals and to deter them from committing
their crimes in the first place. In doing so, the U.S. Government’s networks
will be more secure, as will the Nation’s and the world’s.