Oversight hearing on "What Can be Done to Reduce the Threats Posed by Computer Viruses and Worms to the Workings of Government?"
August 29, 2001
Testimony of Scott Culp
Manager, Microsoft Security Response Center
Microsoft Corporation
before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations
Mr. Chairman and Committee Members, thank you for
the opportunity to appear today at this hearing on reducing the threats
posed by computer viruses and worms to the workings of the U.S. Government.
My name is Scott Culp, and I am the Manager of the Microsoft Security
Response Center at Microsoft Corporation. I wish to commend the Chairman
and the Committee for leadership on the issue of government computer security.
It is a matter we take with grave seriousness, not only because the U.S.
Government is one of our largest customers but also as a matter of civic
duty.
Introduction
Mobile hostile code, which includes computer worms
and viruses, poses an ongoing threat to the security of Internet-connected
systems. The recent Code Red virus is the latest reminder of the widespread
damage that worms and viruses can cause. Indeed, the Morris Worm disabled
portions of the Internet as long ago as the late 1980s and caused a level
of frustration and anger comparable to the publicized viruses and worms
of the past year.
Countering worms and viruses is a challenge that
the entire information-technology industry must address. We know that
every vendor’s platforms can be affected. The Code Red virus was aimed
at Microsoft’s programs, and we are one of its victims as well as one
of its targets. Concomitantly, our colleagues and peers from other software
platforms, both proprietary and open source, have been victimized by worms
such as Lion, Ramen, and SADmin.
As a society, we must recognize that hostile code
is, ultimately, a human activity and, in particular, a criminal activity.
To counter this threat, we are doing innovative work on several fronts
that we believe will make our software significantly more resistant to
worms and viruses and thus will benefit the U.S. Government – and all
of our customers. We also support the responsible handling of vulnerability
information by the software industry itself.
Microsoft’s Efforts to Improve Computer Security
Microsoft is an industry leader, and we take this
responsibility seriously in all its aspects and especially regarding security.
Our efforts to improve computer security cover a wide array of security
considerations. I will discuss four of these today: (1) improving software
development; (2) our state-of-the-art Microsoft Security Response Center
(MSRC); (3) the MSRC’s war on hostile code; and (4) our senior
executives’ leadership in the Nation’s critical infrastructure protection
policy.
A. Improving Software Development Practices
To limit the number of vulnerabilities, we recently
announced an ambitious program called the Secure Windows Initiative with
the goal of nothing less than a generational improvement in our development
practices. The Secure Windows Initiative includes several elements, as
follows:
First, we are providing advanced training to our
own developers so that they better understand the most current threats
and vulnerabilities.
Second, we have developed superior code analysis
tools that root out subtle flaws that may result in vulnerabilities. These
tools can perform a level of inspection and analysis that far exceeds
what human reviewers could perform. The initiative is also helping to
assure the quality of our products by broadening the use and scope of
automated testing tools that we apply to our own software code. In other
words, we have developed more innovative tools to test our own software
with far greater complexity and depth than ever before.
Third, we have expanded the use of non-traditional
testing methods to test our software, including "penetration test-teams"
which intentionally attempt to break into our products. We also recently
created an organization outside of Microsoft’s normal development framework
that provides independent testing.
Finally, we work closely with third-party experts
including NAI Labs and the International Computer Security Association,
as well as with security experts in the U.S. Government and the
British Government as part of their respective security evaluation processes.
Indeed, Microsoft has a source-licensing program with over 100 different
non-governmental review organizations that have access to our source code
and the ability to review it for vulnerabilities. Through these tools
and techniques, we intentionally attack our own products to find any vulnerability
and to resolve any problems.
B. Microsoft’s Security Response Center
No software firm has yet built a product without
vulnerabilities. Some of these vulnerabilities are subsequently exploited
by criminals. Because our customers’ security is a paramount concern for
Microsoft and in order to counter this criminal activity, Microsoft –
like other software companies – has developed a security response mechanism.
We believe that our security response mechanism,
called the Microsoft Security Response Center (MSRC), is the industry’s
state of the art. The MSRC thoroughly investigates all reported vulnerabilities
and then builds and disseminates any needed security updates. These are
delivered through a free mailing list with over 200,000 subscribers and
through automated sites like WindowsUpdate which provide consumers with
current security information.
Despite our state-of-the-art security response
process, we recognize that – as Code Red illustrated – further improvements
are needed. The vulnerability that was eventually exploited by Code Red
was reported to us in June of 2001. We developed a patch in roughly ten
days and publicized the patch for over 6 weeks prior to Code Red’s appearance.
We believe that our initial efforts spared many of our customers from
being significantly affected by the worm.
D. Combating Hostile Code
While we must find and fix vulnerabilities, we
must also wage a "war on hostile code" – which is precisely
what we announced at the RSA Data Security Conference in April of 2001.
This broad-ranging initiative includes the following elements:
First, the Microsoft Outlook Email Security Update,
which we released as a stand-alone update over one year ago, is now built
into the recently released Outlook 2001. This directly addresses threats
like the "Melissa" or "I Love You" viruses that trick
end-users into undermining their own security and then manipulate functions
within the users’ e-mail system.
Second, we integrated a personal firewall into
Windows XP that helps avoid attacks against home users who connect to
the Internet over DSL or cable.
Third, we added software restriction policies in
Windows XP that allow a systems administrator to configure exactly what
software can and cannot run on the system. In other words, even if hostile
code gets on a particular machine, these restrictions defang it and prevent
it from running.
E. Microsoft’s Executive Leadership
Our involvement in computer security begins with
the leadership of our senior executives. Microsoft's senior executives
are fully engaged in the U.S. Government’s security policy initiatives,
international outreach, and creation of a vision for a more secure computing
infrastructure.
For example, Bill Gates, Microsoft’s Chairman and
Chief Software Architect, received a presidential appointment to the National
Infrastructure Assurance Council (NIAC). The NIAC is intended to advise
the President and encourage cooperation between the public and private
sectors to address physical threats and cyber threats to the Nation's
critical infrastructure.
Craig Mundie, Microsoft’s Senior Vice President
and Chief Technical Officer for Advanced Strategies and Policy, received
a presidential appointment to the National Security Telecommunications
Advisory Council (NSTAC). The NSTAC advises the President on policy and
technical issues associated with telecommunications.
Steve Lipner, Microsoft’s Lead Program Manager
for Security, serves on the Congressionally-mandated Computer Systems
Security and Privacy Advisory Board.
Finally, Howard Schmidt, Microsoft’s Corporate
Security Officer, is deeply involved in G8 and United Nations initiatives
and serves on the Board of the Partnership for Critical Infrastructure
Security, a cross-sector, cross-industry effort supported by the National
Security Council and the U.S. Department of Commerce. He recently participated
in a U.S.-Australia bilateral meeting on critical infrastructure protection
led by the U.S. Departments of State and Commerce. Moreover, he is the
first president of the information technology industry’s Information Sharing
and Analysis Center to coordinate information-sharing among information-technology
companies and with the U.S. Government.
Our senior executives care passionately about security.
They drive our thinking on what we need to do in the decades ahead to
create a more secure Internet infrastructure, and they simultaneously
play a leading role in shaping the general U.S. technological and policy
environment.
Larger Community Efforts to Improve Computer Security
In this digital age, we have all been awed by what
technology can do to facilitate communication, productivity, commerce,
and learning. Yet technology is not a panacea that by itself will defeat
hostile code written by criminals. To be perfectly clear: This is a battle
of good versus evil. We employ innovative and intelligent software developers,
but there are also tremendously innovative computer criminals who have
as their mission the penetration and stealing of digital information.
Just as no one has built a truly impenetrable house or car, no one has
produced impenetrable software. We will always face online criminals just
as we always face home burglars or car thieves, and we will never see
the end of the battle for computer security.
Our society does not tolerate people breaking into
brick-and-mortar homes and businesses, but our society inexplicably seems
to have more tolerance for computer break-ins. Yet breaking into computers
is just as much a crime as breaking into brick-and-mortar homes and businesses,
and both types of break-ins harm innocent people and weaken American businesses.
Computer attacks need to be treated as the criminal activities that they
most assuredly are.
Accordingly, Microsoft strongly supports enforcement
of our society’s cybercrime laws. To this end, Microsoft works closely
with domestic and international law enforcement. We actively participate
in U.S. Government efforts to increase critical infrastructure protection,
such as our support for legislation that facilitates information sharing
between industry and government. And we strongly support increased funding
for computer crime enforcement. As an example of our close relationship with
law enforcement, we reported our knowledge of the "I Love You"
virus to the U.S. Government within minutes of learning of it, and the
U.S. Government acted on the report several hours later. We welcome the
continuation, expansion, and improvement of these collaborative efforts.
And we support the bolstering of cybercrime law enforcement by the U.S.
Government.
Furthermore, Microsoft believes that community
consensus is needed concerning the handling of vulnerability information.
We have very strong relations with many third-party security entities,
and both Microsoft and the larger community benefit greatly from their
expertise. Most security researchers handle security vulnerabilities responsibly:
They report such vulnerabilities to the vendor and then work with the
vendor to develop a fix. When the remedy is completed, they assist in
notifying the user community about the vulnerability and the available
solution. This process produces a net gain in online security and is one
that should be promoted.
In sum, Microsoft takes its responsibility as an
industry leader and as a technology provider to the U.S. Government, to
the Nation, and to the world very seriously. We demonstrate this through
Microsoft’s Secure Windows Initiative, the Microsoft Security Response
Center, our efforts to combat hostile code, and our executive leadership’s
involvement in governmental initiatives. While we engage in state-of-the-art
work to improve computer security, violations of computer security are
ultimately criminal activity. We are proud of our active support of and
close collaborative relationship with law enforcement in its efforts to
investigate and prosecute these criminals and to deter them from committing
their crimes in the first place. In doing so, the U.S. Government’s networks
will be more secure, as will the Nation’s and the world’s.