Slashdot Mirror
Bush Names New Cyber Security Czar
goombah99 writes "The Washington Post reports that Cybersecurity "czar" Richard Clarke has confirmed widespread reports that he is leaving the White House, to be replaced by former microsoft security chief Howard Schmidt. He was also part of the Air Force's 'Computer Crime and Information Warfare division'. In related news, the National Strategy to Secure Cyberspace has received Bush's signature and will be released to the public in the next few weeks. Clark's blunt staements on the to the need to avoid erosion of privacy rights is rumored to have rubbed the administration the wrong way, prompting his exit. Anyone know how Schmitt will view the relative security of closed versus open source?"
Nothing says "Security" better to me than "Former Microsoft Security Chief".
So, Micro$oft has finally infiltrated the US government.... We're all doomed!
...in the light of Slammer, Nimda, CodeRed, the Saint Petersberg crackers, and Microsoft's generally horrific security record, spread out in inglorious array throughout the history of the company.
He'll probably require Gummint computers to run in 640kB, because nobody could need any more than that.
Got time? Spend some of it coding or testing
What you are not look at is this. This person had the same chance to make good security decisions with Microsoft and HE DIDN'T. Thats the point. Taxpayers should have to spend money on something that Microsoft should be paying for. It is their responsibility to make their product secure, why should tax payers pay for that?
According to his biography here. From his bio, it doesn't sound like he's a dyed in the wool microsoftie.
Instead of making jokes or clamoring about how this is a bad (or good) thing, let's try to figure out what this guy is about.
Any signal out there?
My father is a blogger.
Here are a few legitimate concerns in order of importance (in my mind of course).
1. Blackmail: If this security chief assisted in any of Microsoft's prior bad acts (DR-DOS episode is just one example) and is vulnerable to a criminal charge, he's vulnerable to blackmail. That makes him singularly inappropriate to head a sensitive position such as this one.
2. Incompetence: He's a former head of MS security. His performance is part of the reason that MS had the trusted computing initiative after he left because security was so screwed up.
3. Unwillingness to choose honest dealing with the public over self-interest: He never blew the whistle on MS even though security people generally know where all the bodies are buried. A lot of insecure systems are out there on the Internet in part because he didn't want to make waves. That is not necessarily what you want in a govt. job.
For all the people whose blood boils at the mere mention of Microsoft's name: give this man some credit for leaving the company. And, as others here have pointed out, what better laboratory for the study of cyber warfare than MS? Could YOU have handled that heat as long as he did?
It's only funny until someone gets hurt. Then, it's hilarious.
Not his job, while I agree if you disagree with your boss you get fired.. this is more then that.
The fact that his boss seems to be against personal freedom, as evidenced by this guys removal, it should set off alarms in everyone's head, that the government wont tolerate personal rights and freedoms... in any form.
---- Booth was a patriot ----
I think EVERY politician is in some way vulnerable to blackmail. Based on what we now know about Mr. Clinton's weakness for pretty much anything in a skirt, I'd say he was a bad choice for president. In fact, being revealed to the public was probably the BEST thing that could have happened to him, as it eliminates many chances at blackmail. Just because the public is aware of several cases someone may have been involved in doesn't really make blackmail any more likely. It's the stuff you DON'T know about that you should worry most about.
2. Incompetence: He's a former head of MS security. His performance is part of the reason that MS had the trusted computing initiative after he left because security was so screwed up.
I'm not sure if you can pin this one on him either. The truth is, Windows needs to be pretty much re-written from the ground up with a focus on security. Would you like to be the one to announce that to the CEO? I missed the article that detailed his departure from Microsoft, but until somebody points me in the right direction, I'd assume it was just as likely he stepped down due to a difference of opinion in how to handle the security problems.
3. Unwillingness to choose honest dealing with the public over self-interest: He never blew the whistle on MS even though security people generally know where all the bodies are buried. A lot of insecure systems are out there on the Internet in part because he didn't want to make waves. That is not necessarily what you want in a govt. job.
He wasn't working for the public when he was at Microsoft. It was his job to avoid whistle-blowing on their security holes. Instead, he was expected to focus on quietly plugging those holes before somebody else found out.
I'm not sure we can truly judge anybody by their performance at another company. Many an underling has been let go because they disagreed with the top brass, and it's really hard to distinguish who the "bad guy" really is. I'd say we should focus more on his track record in his current position to see how he'll pan out. Unfortunately, I don't think there's much information to go on. That in itself may be a better argument against his appointment.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Seriously, folks. It's not MS that is the problem - it is the closed source model. MS just happens to be the biggest player in that world. But if someone else was pumping out software in this sort of closed source way then they too would be stumbling around.
Second, if he was ever head of MS security, he is used to dealing with extremely difficult situations and has handled his share of disasters. Overall, that job would provide great experiance understanding the tradeoffs made between functionality, ease of use and security. Also, a good understanding of how some software companies resolve security issues and how to lead an effort to address security flaws in software. Probably an ideal background overall.
On the other hand, his job title was "Security Chief". To me, that means that security issues stop at his door, and blaming the windows codebase or the CEO is a smokescreen - it's his job to make the product secure. If he can't convince the CEO that's important, then what makes you think the can convince Bush about anything important?
I read the article about his departure from MS, it was full of the normal corporate bullshit. So if he was leaving over security issues, he didn't feel strongly enough to go public with them - which is probably politically wise, but still something I'd check off against him.
When I hear about a the "Drug Czar" I am reminded about the "war on drugs" that has already cost us plenty of civil liberties and caused a violent and expensive black market for drugs.
The idea of a "Cyber Security Czar" frightens me even more, especially given the fact that the Bush Administration doesn't seem to care jack squat for the rights and privacy of American citizens.
The fact that it seems they dismissed the old Cyber Security Czar because he was actually sticking up for the privacy of citizens (and thus not working towards Bush's vision of a facist-style government in which citizens are reduced to flag-waving serfs with no actual rights) scares me quite a bit.
"You spoony bard!" -Tellah
I don't buy that for a second. I agree that closed-source software isn't as good as open-source from a security standpoint, but MS takes insecurity to such a ridiculous extreme that it goes beyond this argument. Look at all the other closed-source operating systems still in use today: Solaris, AIX, HP-UX, Irix, Novell, SCO, MacOS X, and even Mac OS 9. Which of these have had remotely near the problems MS has had? None! Because they actually think a little bit about security when they're designing it, instead of thinking "let's auto-execute email attachments that unknown people send our customers!"