Software is vulnerable, just like us
- By Vandana Sinha
- Nov 19, 2003
Tom Richey, Microsoft's Homeland man
Last year, Tom Richey joined Microsoft Corp.'s public-sector strategy team for homeland security. The match seemed fitting.
Richey had spent most of his 21-year career as a commissioned Coast Guard officer, commanding a sizable search-and-rescue station and overseeing counterdrug activity in the eastern Caribbean. He received seven Guard commendations, including the Meritorious Service Medal.
Although new as Microsoft's director of homeland security, Richey is no rookie at strategizing. He has been a senior policy adviser to Sen. John F. Kerry (D-Mass.) on matters ranging from economic policy and health care to national defense.
In his first year with Microsoft, the Homeland Security Department standardized on Microsoft products under a 5-year contract. In 2004, Richey plans to pour more software through that pipeline, including mobile and predictive analysis software and sensors for weapons of mass destruction. Meanwhile, the software giant has encountered its own share of security woes.
Richey, an Arizona State University graduate in psychology, spoke with GCN associate editor Vandana Sinha by telephone from his Washington office.
GCN: What is Microsoft's strategy for homeland security?
RICHEY: In my year here, we've reorganized to align ourselves with the Homeland Security Department. We formerly had account managers in different vertical markets. We now have an account manager and an account team that own the DHS account as an enterprise.
GCN: How does that play out in an industry with other dominant software vendors?
RICHEY: Before DHS was formed, one of the things the White House transition team did was inventory the 22 component agencies to see how to build a common enterprise from their disparate IT.
That analysis (there's a spreadsheet available to the public) shows, for example, that 18 of the 22 agencies were using Microsoft Exchange and Active Directory. So it made sense to migrate the other four agencies to Microsoft Exchange for unified messaging.
It's a good investment of public dollars to go with the apparent standard, versus making another IT choice.
Likewise, Oracle Corp. had dominance in the middleware and back-end or database piece, so it made sense for CIO Steve Cooper and chief technology officer Lee Holcomb to migrate to Oracle many of the agencies that were not on Oracle.
GCN: How do homeland defense efforts differ at the state and local level?
RICHEY: I would describe that as the single largest challenge for DHS. What it comes down to is collaboration and coordination: with first responders among themselves first, and then with the federal government.
Resolving the most significant challenges of homeland security will not come internally from DHS. It's going to come from the private sector and from the state and local levels.
Microsoft recognizes its role. We're prototyping a lot of things, deploying a lot of things. Not all of them are the best. Some need further development. We are working very closely with officials at DHS, the Justice and Defense departments, and state governments.
GCN: What's your reaction to the many security breaches that have been found in Microsoft products?
RICHEY: Let me start by saying, we recognize we have a challenge around security. We're not alone in that challenge. Every software vendor has issues about security.
Microsoft's security issues seem to make more news because of our large presence in the federal government, and that makes us a very popular target for folks who would like to perpetrate cybercrimes.
Recognizing that software fundamentally is vulnerable because human beings write the code, Microsoft and Bill Gates are focused on the Trustworthy Computing Initiative. It will take years before we recognize the full impact of that investment.
In all, 8,500 Windows developers were taken off task to learn a new approach to writing code. It cost the company more than $200 million. We've made some pretty significant security accomplishments.
We were recently awarded a Protection Level 3 accreditation for one of our intelligence-sharing solutions by the director of the CIA, which I'm thrilled about. We have Common Criteria certification for Windows 2000, which we're very proud of as well.
GCN: What do you hear from your federal users about these vulnerabilities?
RICHEY: We're working with all our government customers to develop a patching and response mechanism that provides the quickest answer to the virus threat. Products need to be secure in deployment and by default; in other words, opening Windows Server with all the doors shut, versus open as we did in the past. We're getting better at that, but we're not there yet.
GCN: What are you doing about that?
RICHEY: There are a number of prototypes under way. They're not at a level of development that I can talk about at great length. We are making significant progress.
GCN: The Computer and Communications Industry Association of Washington recently asked DHS to reconsider its software contract with you for security reasons. What's your reaction?
RICHEY: The DHS deal was a big one for us: a $90 million contract over five years and 140,000 desktops, a huge, huge win. It's potentially significant in that it established a single enterprisewide agreement for 22 agencies, which prior to this deal had separate licenses with Microsoft.
I applaud the fact that people are worried and focused on the security of the IT infrastructure. I would just add that they're no less focused than Microsoft is.
Microsoft has a significant investment in the federal government IT infrastructure, and government has significant investment in Microsoft. We're working as an industry-and-government partnership to recognize these problems and correct them. And let me just say that all software is vulnerable. There is no vendor out there that is going to escape that reality.
GCN: So when would you say the Trustworthy Computing Initiative will pay off?
RICHEY: Bill Gates has been very public and open about this. He said it's a 10-year process, not a one-fell-swoop exercise. It's a fundamental shift in the way we think and approach the product.
How are we going to know when we're at the end of the journey? Are we going to know because we don't have any more viruses? No, I don't think so. You'll hear Microsoft security experts say that we're always going to have threats and viruses. But we're getting smarter at identifying the key vulnerabilities and eliminating them.
GCN: How does the progress of free Linux software in the federal sector affect you?
RICHEY: I do understand the threat. In fact, free software is an interesting description of Linux. I would look at it more from the perspective of total cost of ownership.
Look at what goes into developing, for example, Microsoft Office. We spend $6 billion or $7 billion a year on the R&D. Those products and their ability to interoperate, not only on the Microsoft platform but with other products, is developed over years. When you look at the value of a license on our software, you're getting all that mind-share in that price.
Does the customer benefit from that same investment in the total cost of ownership for Linux software? I'm confident in saying that Microsoft would lead the pack in full functionality and capability of the product road map and where we're going. I don't see that same depth, I guess, in a Linux software solution.
Look at the total cost before you decide something is free. What if this system breaks? What if there's a vulnerability? Who owns that?
GCN: But don't you see Linux's penetration growing?
RICHEY: I see it, but do I see it becoming stronger? I don't have a prognosis on that. Do I see it being used and explored? Yes, I see it to some extent in the homeland security world. I don't know that it's long-term. It's somewhat of a novelty.
Again, that's great for the market. At the end of the day, these kinds of competitive forces serve the public interest in the best way possible. The customer wins.