
Microsoft security chief Scott Charney is a leading candidate for the cybersecurity czar position, created by President Obama.  (Source: Microsoft)
President Obama will soon pick a candidate to lead our nation's cybersecurity efforts

Cybercrime, particularly attacks from foreign sources, is on the rise.  In the past month, many government systems and systems of government contractors have been penetrated by hackers from China or elsewhere.  Meanwhile petty cybercrime also remains a problem with malware, phishing, and botnets a lucrative business for some cyber-criminals.

Past exercises have shown the U.S. to have weak cyber-defenses, largely because of poor coordination between the organizations tasked with our government's security.  President George W. Bush and his successor President Barack Obama have set out to improve on this situation by allocating money to security and creating a new cybersecurity czar position to organize the fight.

Two leading candidates have emerged for this job.  The first is Scott Charney, head of Microsoft's cybersecurity division.  According to a source close to Mr. Charney, he says he won't take the job; however, the source believes that he would change his mind if pressed.  In the past Mr. Charney led PricewaterhouseCoopers' cybercrime unit, and before that he worked for the Justice Department's computer crime section.

The leading alternative is Paul Kurtz.  Mr. Kurtz served on the National Security Council under both President Clinton and President Bush.  He was a member of President Obama's transition team leading the cybersecurity efforts.

There are also a handful of other candidates that stand a shot.  Rep. Tom Davis, a moderate Virginia Republican; Sun Microsystems executive Susan Landau; Maureen Baginski, a veteran of the National Security Agency and Federal Bureau of Investigation; Frank Kramer, an assistant defense secretary under Clinton; Melissa Hathaway, who led a cybersecurity review for the president; and James Lewis of the Center for Strategic and International Studies think tank, are all under consideration, says a source.

John Thompson, chairman of the board of Symantec Corp., who had previously been considered a front runner, turned the position down.

One thing that adds to the difficulty of the efforts is that the exact role of the job and its authority (and jurisdiction) remains undefined.

Some candidates have already begun to criticize each other.  Mr. Lewis struck out at the corporate candidates, commenting, "Some guy from industry is going to write a national security strategy? No, they aren't. You don't just pick this up.  You need somebody who knows the national security game, who knows government and who knows about the technology."


Bad choices
By DigitalFreak on 6/12/2009 9:21:08 AM , Rating: 2
Mr. Lewis struck out at the corporate candidates, commenting, "Some guy from industry is going to write a national security strategy? No, they aren't. You don't just pick this up. You need somebody who knows the national security game, who knows government and who knows about the technology."

Agreed, though I doubt Lewis is any more qualified. They need a person who is at the top of their field in cyber-security, not some corporate executive douche.

RE: Bad choices
By Spivonious on 6/12/2009 9:28:21 AM , Rating: 4
I disagree. Who better to implement security than someone who does it as their job? Better than some bureaucrat in Washington who "knows about the national security game."

RE: Bad choices
By DigitalFreak on 6/12/09, Rating: 0
RE: Bad choices
By noxipoo on 6/12/2009 11:35:15 AM , Rating: 3
They are never going to just pick some professional, they need people that have been in positions of leadership. You think this czar will be actually doing the work? I'd rather have an exec that has done it than some politician talking about a series of tubes.

RE: Bad choices
By callmeroy on 6/12/2009 12:40:16 PM , Rating: 5
Yeah because I'm sure this MS guy used to be a short order cook then one day Bill Gates came into his diner and said "hey, you -- yeah you at the grill....wanna be a top level executive in the largest software company in the world?".

RE: Bad choices
By cnar77 on 6/12/2009 11:25:38 PM , Rating: 3
You obviously don't know anything about Information Systems security. It starts at the top. They don't need to do the work they just need to set the tone that the rest will follow. From there you put good people in place to implement plans and policies, people who can pull everything together but first you need to have a plan. Any person chosen has to be capable enough to work with others and agencies to create a workable, scalable and effective plan focussed on mitigating risk because that's what IS security is.

If you want to know about this topic just check out organizations like (ISC)2 and ISACA. Right now the US government needs IS governance and perhaps their own high standards for which to focus their compliance. Whether it's based on COBIT or ISO/IEC 27001.

I respect your freedom of speech and opinion but like many you're talking about something you "THINK" you understand. From what you've written I can assure you that you don't.

"People demand freedom of speech to make up for the freedom of thought which they avoid."
- Soren Aabye Kierkegaard (1813-1855)

RE: Bad choices
By bhieb on 6/12/2009 1:12:36 PM , Rating: 2
"knows about the national security game."

Ironically if the people that currently "know the security game" actually did, this would not be an issue.

RE: Bad choices
By JasonMick on 6/12/2009 9:29:45 AM , Rating: 1
Actually, I would think someone from a successful corporate security firm or branch like Microsoft's security or Symantec (which has been better of late) would be a *good* choice. They know how to run a large organization efficiently, they should have a good view over the overall state of security. Better than a bureaucrat at least.

I do think it would make more sense to have two czars though, one for Windows systems (likely Charney) and one for Linux systems as the DoD and some other government branches extensively use Linux. I think Mr. Charney would be good for the latter job, but not as good as someone with dedicated experience in the Linux security industry (though many threats are on the app level these days anyways).

RE: Bad choices
By Screwballl on 6/12/2009 9:58:39 AM , Rating: 1

"oh it runs linux? That's why that system is insecure, let's replace these 2 million computers with Windows"

They need someone who actually worked extensively in the security field but with at least SOME corporate leadership experience or training.
We need a trained professional, not some stiff in a suit that doesn't know the difference between TCP protocol and packet sniffing.

RE: Bad choices
By borowki2 on 6/12/2009 12:10:05 PM , Rating: 3

"Our most dangerous cyber-adversary is the European Union. Nelly Kroes is worse than Osama bin Ladin."

RE: Bad choices
By callmeroy on 6/12/2009 12:47:11 PM , Rating: 4
This thread irks me - where do you folks get off that this MS guy is not skilled in cyber security? I read the article, it even stated he headed up a cybercrime unit at Pricewaterhouse and worked for the Justice Department as well in a similar capacity.

I think unless we have his full resume, including education history -- it's very cynical to jump to assumptions this guy knows nothing about computer security. My hunch is at his level NOW --- yes he probably isn't hands on as much being an exec, he delegates to others...but no smart employer will give you the reins of an entire division (much less when it's about security) on a flimsy track record and sub-par resume.

My guess is this guy knows a GREAT deal more about computer security than any of us in this current thread do.....

RE: Bad choices
By mfed3 on 6/12/2009 10:01:19 AM , Rating: 2
I agree with your first comment, but I just wanted to make sure you knew the DoD definitely does NOT use Linux extensively. In fact they barely use it at all.

The DoD uses Windows almost exclusively, even on the server side. Linux is only really used for some embedded systems or for development servers for source control (ex: svn etc).

It was only recently that the DoD was even allowed to use Linux at all, since Windows was previously mandated as the only OS that was allowed to be used.

RE: Bad choices
By JasonMick on 6/12/2009 11:46:17 AM , Rating: 1
Tanks and fighting vehicles ran on Linux last I checked, and still do, to my knowledge.

Development machines used for hardware, software, and mechanical development of fighting vehicles and aircraft, both within the DoD and its contractors often run on Linux deployments.

I'd call that a major deployment. True most of the computers physically used by soldiers and officers (outside vehicles) are Windows, but the development systems are heavily Linux -- and that's a particularly critical portion of the IT infrastructure to protect.

RE: Bad choices
By Spuke on 6/12/2009 12:02:13 PM , Rating: 2
When I was in the military 12 years ago, all of our critical systems were Linux and Unix. We even had some Linux and Sun desktops.

RE: Bad choices
By theapparition on 6/15/2009 8:13:30 AM , Rating: 2
This issue here is two-fold.

What the OP was referring to was desktop, or standard computer use. And he was absolutely correct that most installations are on Windows.

The sector you are talking about falls into embedded computing. While aircraft systems may certainly run a very customized and stripped down version of *nix, external security threats to them are virtually non-existent since they don't offer the connectivity and interfaces that would necessitate a security threat.

So while technically a large deployment, your argument fails logic because those systems are generally isolated. The biggest security threat to those systems is from foreign entities gaining access to source code. However, once deployed, there is not much that can affect embedded software (if it's designed right).

RE: Bad choices
By stmok on 6/12/2009 3:48:01 PM , Rating: 2
I just wanted to make sure you knew the DoD definitely does NOT use Linux extensively. In fact they barely use it at all.

In 2005, the DoD bought a super computer for weapons design...It runs Linux.

RE: Bad choices
By DigitalFreak on 6/12/2009 10:48:37 AM , Rating: 2
Someone from a successful corporate security firm - yes. From Microsoft or Symantec - hell no.

RE: Bad choices
By cnar77 on 6/12/2009 11:37:14 PM , Rating: 2
At this level the OS used is irrelevant. Government first needs to have unified standards across the board, proper staff training, policies, standards and procedures. A policy doesn't speak to the OS, however procedures do as these are carried out by admins. Procedures would be designed in alignment with the standards created which are devised to meet the policy requirements. So no need for 2 persons in this role. But don't kid yourself, in the business world this role is usually filled by a committee or board of directors. One man doesn't make the call.

RE: Bad choices
By SiliconAddict on 6/14/2009 3:21:02 PM , Rating: 2
Oh give me a break. Do you really think someone charged with securing our infrastructure would throw out the use of Linux because he previously worked for MS? I'm sorry but CIOs don't work that way. He would look at the role that needs to be filled and pick the best solution. Sometimes that would be Windows or a MS solution. Sometimes it would be Linux.

RE: Bad choices
By cnar77 on 6/12/2009 11:30:56 PM , Rating: 2
Understanding how the agencies work is one thing but understanding Information Systems security is another. An IS auditor such as a CISA credential holder would assimilate the environment fairly quickly. After all, this is not a 6 month deal and could take a few years, but it's easier for an auditor to do the job, put forward recommendations, aid in policy definition, work with security managers and security teams to create standards and procedures in alignment with the policy and have them aim for 100% compliance than to take someone who doesn't know the business and have them do it.

You do know what a czar is right?
By ap90033 on 6/12/2009 11:22:26 AM , Rating: 2
FYI Czars are appointed by the President to circumvent the balances of power put in place by our founding fathers. It is an abuse of power as they can do whatever they want and report only to the President. Sad.

By 67STANG on 6/12/2009 11:39:52 AM , Rating: 2
In all fairness to Obama, he has only appointed 16+ Czars...

RE: You do know what a czar is right?
By Spuke on 6/12/2009 12:04:02 PM , Rating: 2
It is an abuse of power as they can do whatever they want and report only to the President. Sad.
Then they should've closed that loophole.

By ap90033 on 6/12/2009 1:33:45 PM , Rating: 2
Uh duh? You think? Just making the point that it is a BAD IDEA... People should know about this type of craziness...

By Hardin on 6/12/2009 3:55:47 PM , Rating: 2
It's scary how many Czars Obama has. They can basically do whatever they want.

What are they thinking?
By the goat on 6/12/2009 9:46:53 AM , Rating: 2
Isn't this like giving the fox the job of guarding the hen house?

RE: What are they thinking?
By noxipoo on 6/12/2009 11:34:11 AM , Rating: 2
explain how? Microsoft is exploiting holes in their software to steal something from the government?

RE: What are they thinking?
By the goat on 6/15/2009 7:06:10 AM , Rating: 2
explain how? Microsoft is exploiting holes in their software to steal something from the government?

The reason a hen house needs to be guarded is because of the wolf. Just like the reason there are security holes in Windows is because of Microsoft.

RE: What are they thinking?
By noxipoo on 6/15/2009 12:17:39 PM , Rating: 2
again, what is MS stealing with their holes?

Another Bureaucratic Waste ?
By AntiM on 6/12/2009 10:11:50 AM , Rating: 1
Do we really need another highly paid bureaucrat to make sure people are doing what they're already supposed to be doing? How the heck does a term like "Czar" become associated with a democratic government position anyway?

It will simply be a figurehead position with no real power or authority, just so Obama can say he's doing something about cybercrime. It's just a way of shifting accountability away from those that should be held accountable when their agency is compromised.

Doesn't the FBI, the CIA, and the NSA already have cybercrime units? Can't they advise the rest of the Government on how to keep their systems secure without us having to pay some (already wealthy) executive $200,000 per year (+ offices and assistants) to go around giving the equivalent of a puppet show?

Just like Homeland Security; a useless, bureaucratic money funnel. Rather than hold the CIA, FBI, and Dept. of Immigration accountable for their gross stupidity, we get a new cabinet department instead, with no real defined purpose.

By hoosiertech on 6/12/2009 4:47:22 PM , Rating: 2
<<Applause>> I agree completely. I wish I could figure out how to rate you up !!

I think our bureaucrats spend too much time and money making the appearance of doing something just to cater to public perception rather than just getting things done.

This basically relates to one of my most hated overused idioms, "Perception is reality."
Perception is much more important to the typical politician than real substance.

By SiliconAddict on 6/14/2009 4:55:46 PM , Rating: 1
You are making the assumption that each of those government agencies can easily talk to one another, which they can't. Love or hate the Department of Homeland Security, it has allowed interdepartmental communication on a level that really has not happened before. In addition to that, gathering the data from 2, 3 or more departments together in a manner that can be interpreted as an honest to god threat vs. an overreaction is also the DoHS job. For every thing you see on CNN there are probably dozens of credible threats that aren't publicized. They are the nervous system of the nation's security system that should have been around a long time ago.
The job this article is talking about is nothing more than facilitating the implementation of good practices and ensuring that it's actually done vs cutting corners to save money here, cut a budget there. How is this any different than the Nuclear Regulatory Commission, something that has been absolutely necessary to make sure that proper precautions are put in place? You call such things overkill. In non-critical segments of government, yes. You wouldn't need a Czar to oversee government spending on paper. But when it comes to securing our networks, it's damn obvious that the government branches left on their own aren't doing the job. What would you suggest? We continue to slap people on the hand over and over and over and over. Replacing people again and again and again and each time starting from scratch. (Because do you actually think someone new comes in and is up to speed in a week on what has been going on?) Or is it to get someone who knows what they are doing to oversee everyone else so we get our shit up to a level that isn't an international joke? Seriously, the number of new articles that have come out over the last 2 years about lost laptops (Because god knows security goes beyond just securing your servers.), hacker break ins is getting pathetic. It's time to try something new.

Small Web Sites
By Mitch101 on 6/12/2009 11:18:44 AM , Rating: 2
I run a number of small sites and one that is growing pretty good now. As we speak I have someone attempting to hack one of my small sites by trying to push a PHP script through on my image upload area. Example script.php.gif

Aside from reporting this issue to his ISP, which will take several days because they don't provide a phone number, and denying him from his IP address, which he realized, then comes back a few hours later trying again from another local IP address and I have to repeat the process of blocking this person out.

I would love the option of being able to prosecute this person because of their activity but I am no big company and my recourse is to just keep blocking this jerk until he goes away or finds a way in. It's blatantly obvious what they are trying to do and every time they create an account I revoke it; one would think they should get the hint but a couple hours later they are back. Apparently my site is serving as this person's training facility for learning to hack. I certainly feel for many small sites which may not even know they are being attacked.

We really need a recourse toward quickly identifying the hackers that target small sites and get them prosecuted as if they targeted a large site. These people will never target amazon or any large company to really get caught by heavily monitored security groups with the money and man power to really go after these people. It's the small sites that need some cyber security group to assist them in addressing these issues.

RE: Small Web Sites
By bdewong on 6/12/2009 1:21:52 PM , Rating: 2
One of the biggest things to remember when programming server side scripts is "Never trust user input." Maybe you put in checks to make sure that the image is actually an image, maybe not. But if you put in sufficient checks, this shouldn't be a problem. Just let the guy have his account and keep trying to upload the "pic" and it should be denied by the script.

Another possibility is that the person is not really a person at all and is just a bot programmed to sign-up, and try and upload a script. If that is the case, maybe an email verification or CAPTCHA is in order.

If the latter case is true, the "person" responsible will never be "easy" to track. And in the case of big sites like amazon, sure bots will try and do the same thing, it's just that they get filtered out so fast that it isn't anything to worry about.
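An added example (not from the article or from either commenter) of the server-side checks bdewong describes for the script.php.gif case Mitch101 reports: allowlist the extension, reject a script extension hidden before the image extension, confirm the file's bytes match the claimed image type, and store the file under a server-generated name. The IMAGE_SIGNATURES allowlist, the SCRIPT_EXTENSIONS set and the sample payloads are constructed for this illustration.

```python
import os
import secrets
from typing import Tuple

# Allowed upload types, mapped to the magic bytes a genuine file of that type starts with.
# Constructed allowlist for this example; extend it to whatever the site really accepts.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Extensions a web server might hand to an interpreter. They must not appear anywhere
# in the name, because some server configurations act on the inner extension of
# "script.php.gif" rather than the last one.
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "cgi", "pl", "asp", "aspx", "jsp"}

# Markers that have no business inside a genuine image file.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detail). On success detail is the normalised extension;
    otherwise it is the reason for rejection, which is worth logging per attempt."""
    # Strip any directory part so "../../x.gif" cannot influence where the file lands.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    # The double-extension trick from the thread: script.php.gif
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        return False, "script extension hidden before image extension"
    # The name claims an image; make the content agree before trusting it.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match claimed image type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker found in image data"
    return True, ext


def stored_name(ext: str) -> str:
    """Never reuse the uploader's name on disk: a random name plus the validated
    extension removes any remaining influence over how the server treats the file."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed samples: the disguised script from the thread and a real GIF header.
    samples = {
        "script.php.gif": b"<?php echo 'not an image'; ?>",
        "avatar.gif": b"<?php echo 'not an image'; ?>",
        "avatar2.gif": b"GIF89a" + b"\x00" * 16,
    }
    for fname, content in samples.items():
        ok, detail = validate_upload(fname, content)
        print(fname, "->", "stored as " + stored_name(detail) if ok else "rejected: " + detail)
```

The accepted file should still be written outside the web root or to a location with script execution disabled; the name check alone is not the control.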

Masamune Shirow
By scrapsma54 on 6/12/2009 3:11:52 PM , Rating: 2
Why not employ cyborgs made for the task?

the irony?
By linuxgtwindos3gtmucs on 6/13/2009 12:50:26 PM , Rating: 2
Doesn't anyone see the irony?

the corporation that this guy is in charge of securing is the same one coming out with a program to protect the holes of their Swiss cheese OS product.

charge for os
charge for program to protect the os
- they have you coming and going -lol

The OS security was so good they decided to put the guy in government?

I think first they have to check if this guy cheated on his taxes.
If he cheated then sure hire him.

Just what America needs...
By Beenthere on 6/12/09, Rating: -1

Copyright 2016 DailyTech LLC.