When I sit down with Scott Charney, VP Trustworthy Computing for Microsoft, he has recently presented the keynote address at the Security Development Conference in San Francisco. It wasn’t the first time I’d watched Charney present, and as always, he had been knowledgeable, confident and engaged. What he lacked, perhaps, is warmth.
I’m most at ease with warm characters, so I felt a little anxious about my interview with Charney, a man with a huge job title and clearly a very busy schedule, but I needn’t have worried. In a one-on-one situation (excluding the two PR people diligently tapping away throughout and keeping an eye on the clock) Charney was relaxed, open and friendly.
First and foremost, Charney is a man that loves his job. I ask him what his dream job is, and give him license to be as creative as he wants, and he answers without hesitation: “My dream job? Oh, I have it”, he says, with a smile. “It’s got hard problems, great people, a mix of technology, law, social, customers, politics. We’re involved in cybersecurity legislation, international standards, questions about military and economic espionage, and cyber warfare. We’re in the thick of it all”, he says, his grin so wide that I’m left with no doubts that ‘the thick of it all’ is exactly where Charney wants to be.
It doesn’t take long for me to realize that what makes Charney tick is his ability to make an impact. Perhaps his primary career days as a prosecution lawyer were an initial indication of this, or earlier still, his study of English and history at university. “Those who ignore history are doomed to repeat it”, he tells me.
As Charney talks me through his employment history, and his most significant accomplishments, it’s clear to see what an impact he has made – almost everywhere he has been. Let’s start right after graduation…
Fear: Access Denied
Armed with a bachelor’s degree in history and English from the State University of New York in Binghamton, and a law degree with honors from Syracuse University, Charney began working life at the Bronx County District Attorney’s Office, where he prosecuted “street crimes and the like”.
The District Attorney received federal money to set up the Major Offense Bureau – in which a small group of prosecutors (12–15) would have only 10 or 12 violent offender cases each.
“My chief, Brian Wilson, had a legal pad”, Charney remembers, “with a piece of paper for each lawyer and the cases they had. The court would call ‘the case of Smith’, and he’d have to look through all of his sheets to confirm.” The paper system, operable with only 12 to 15 names, became less so when he moved to the Investigations Bureau a few years later with 35 lawyers, 60 cases per lawyer and upwards of 2000 cases in the group. As Deputy Chief, Charney announced that he could solve the problem with a computer.
“I was exposed to computers early”, Charney recalls. “My father was a systems administrator back in the vacuum tube days of computers. He had me doing flow charts and learning a little COBOL when I was under ten, so I had no fear of computers.”
With $12,000 to buy two IBM PCs, Charney created a computer database tracking system to monitor defendants and identify which lawyer was matched to a specific case. The system’s popularity with everyone else in the DA’s office required Charney to start building it out. “Then the city came in and said they wanted to automate all the way from the arrest process through the case tracking system. My colleague and I built this prototype system”, he tells me. “I became a hobbyist programmer”, he admits.
While working as Deputy Chief of the Arson Bureau in the Bronx – “kind of humorous because most of the South Bronx had burnt already” – Charney got a call “from the Feds, the organized crime and racketeering section. They were looking for someone for their field office and offered me the job. I asked where the position was based and she said ‘Honolulu, Hawaii’”. Charney tells me that he called his wife, an attorney, to tell her about the offer. “When I got home, the house was packed”, he laughs.
Trading the Beach for ‘the District’
In the enviable setting of Hawaii, Charney began work on narcotics trafficking cases. “I was doing these wire taps and calls where lots of different people were talking and realized I had no way to track it all, so I stated writing code again and programming.”
In 1990, Charney left the sunny shores of Hawaii for Washington DC, where he “went to Main Justice” to give legal advice to government and practice general litigation. Charney says his career path then took “a dramatic turn”.
Current FBI director, Robert Muller, was the Assistant Attorney General who ran the criminal division. “He had decided, ahead of his time, that cybercrime was going to be a big deal”, recalls Charney. In 1991, Muller made an organizational decision regarding the federal statute against cybercrime – the Computer Fraud and Abuse Act. “When he gave resources to the fraud section, they put it everywhere except cyber. Muller called up my boss and said ‘do you think you could do something with cybercrime’, and he said ‘you bet, I have a computer expert right down the hall’”, Charney remembers, pointing at himself.
“So in February 1991 they moved cybercrimes to me, and it was just myself and one other, Dick Shine.” At the time, Charney recounts, he had a computer terminal with a proprietary operating system.
When the Computer Crime Unit was created in September ‘91, Charney was appointed chief with four staff. Fast-forward to ‘96 and it became the Computer Crime and Intellectual Property unit, which he ran until he left the Department of Justice in 1999.
|"Every bug that we eliminate prior to ship saves a lot of money" |
Charney summarizes his journey into information security as the result of “not being computer-phobic and serendipity”. When I ask whether his exposure to cybercrime and organized crime from a legal perspective influences the methodologies and objectives in his role today, he nods his head in agreement. “The reason we do computer security is because people do bad things. It’s actually a social problem with technical underpinnings”, Charney explains.
In between his government days and Microsoft, Charney was recruited by PwC. The firm was building a cybercrime-related practice, which was later branded as Cybercrime Prevention & Response. Charney recalls his tenure at PwC as a good experience and a role that broadened his understanding of the business side of information security. “It was an environment all about ROI, where it was critically important to quantify spend with the benefit of spending that money.”
Charney soon realized that security was a challenging sales job, “because people want numbers. You can kind of accept as a general principle, that if you do better security, you’re less at risk. The challenge was demonstrating ROI.”
The importance of numbers and ROI is something that is still very much on Charney’s radar at Microsoft today. “Every bug that we eliminate prior to ship saves a lot of money. If a bug is never found and never patched, then the cost is zero. But, how predictive can you be that a bug will be found by some researcher or someone who might publish it and put it in the hands of a bad guy? If a bug is reported but not actioned in a bad way, it’s still not a problem.”
Joining Microsoft in 2002 in an information security capacity was perhaps a controversial move. The Bill Gates memo for Trustworthy Computing had recently been announced and “[Microsoft] seemed seriously committed. When I told people I was going to Microsoft to do security they laughed. Some of them said ‘It’s probably just PR’ and I said ‘if it is, you’ll know, because I’ll be gone in six months’”. Eleven years later and Scott Charney is still firmly grounded at Microsoft.
“Security was a big problem for the company, but one of the reasons for that was its footprint. Attackers would gravitate towards the platform as it had such a large share of the PC market”, he argues. Admitting it was a challenge, but a great one, Charney offers his philosophy that “It’s always good to be on the ground floor of something when it hits an inflection point.” And on the ground floor he was, at both Microsoft and in government. “Bob Muller saying ‘cyber is going to be big’ – I was lucky enough to be in the right place at the right time to help form the government’s response, as opposed to inheriting someone else’s vision.”
At Microsoft a few years later, Charney saw – and seized – the opportunity to “influence an entire ecosystem. It was like, who wouldn’t want to do that? You want to have an impact, you want to make a difference.”
One role, which on paper, would allow for an immense impact, is that of the US cybersecurity czar. “When the Obama administration was looking for their first cybersecurity czar [in 2009], I was one of the people they were looking at”, Charney tells me. When considering this role, part of his calculus was family logistics, but he was also concerned about level of impact.
“It occurred to me that in some respects, I could have greater impact at Microsoft”, he says. “Deploying the Secure Development Lifecycle (SDL) at Microsoft probably did as much to help secure the ecosystem as anything anyone has done.”
Having an impact, Charney tells me, is what “makes work fun”, and “Microsoft is an impactful company. Doing security at Microsoft is an impactful role. It’s hard to find a better job than that.”
Where the Grass is Greener
Having worked in both government and the private sector, Charney is well qualified to offer his perspective on what works and what doesn’t. While he admits that the public sector has a bad reputation for its handling of information security, Charney considers than an over-broad belief.
“You have some agencies that are very security-conscious and have great skill, and others that may not be quite as in tune with the threats that they face. You can say the same thing about industry”, considers Charney.
The government is uniquely challenged due to their budget process being congressionally-controlled, and they have more hoops to jump through in order to adopt new standards or technology. “Government historically has command-and-control [protocol] in a command-and-control environment.” The challenge with the internet, Charney continues, is that it is not subject to the same kind of centralized command and control.
“When you bifurcate responsibility, that’s a challenge, so the government has to figure out how to manage through collaboration and influence. If you imposed a command-and-control structure, you’d completely stifle innovation, and it would be too slow for technology that’s so rapidly advancing.”
Pie in the Sky
With an impressive resume and vast experience in the legal sphere and the information security industry, I ask Charney what he considers his as-yet unfulfilled objectives, or his ‘pie in the sky’ wish. “User names and passwords”, he says, without hesitation.
“We’ve known this has been a problem forever, and I think we’re finally starting to see real movement, but it has been ten years”, he explains. Charney blames lack of alignment between economic drivers and social custom. “I think we’re getting closer on that one, but I’d really like to see it licked, in a big way.”
The cloud, he insists, will pose some interesting new challenges for authentication, and “it’s an old problem that needs a cure. The good news is, we’re acting sooner, like we’ve seen this movie before. This time, we have 30 years of experience, and we’re not ignoring history.” There will be many a challenge along the way, Charney predicts, “but it keeps the job very fresh. There’s never a dull day!”
Standing on the Shoulders
When I ask Charney what he is most proud of, his response surprises me. He lists a few different achievements and milestones, all of which have occurred during his tenure at Microsoft. On closer inspection, they are all attributable to the team around him or to Microsoft itself.
“I’m VP at Trustworthy Computing, so I’m the visible face of the program, which means I get a lot of credit for things I haven’t actually done”, he says with total honesty. “The reason the security push [at Microsoft] worked is because people all over the company were committed to making it happen.”
His pride sits with the team that achieved these remarkable things, he tells me, in a culture where Microsoft enables people to achieve. “The change in our reputation for security did not happen overnight, but when I look at media reports over the last decade, and when customers tell me ‘Microsoft is more secure than Linux’, I’m proud of that. Public and customer perception has fundamentally changed for the better”.
Charney singles out the SDL and the patching process as two initiatives that he takes great pride in – on behalf of Microsoft. “Patching was fundamentally broken. It was a cultural problem, not an engineering problem. We agreed to harmonize around two patch installs: one for the kernel, and one for everything else. Most security problems don’t get fixed per se, you just make things better. But this – this we solved.”
|"My father was a systems administrator back in the vacuum tube days of computers. He had me doing flow charts and learning a little COBOL when I was under ten, so I had no fear" |
Decisions made by Microsoft around the ecosystem that put customer safety above their own corporate desire to win also features highly on Charney’s list of proudest milestones they have all achieved together. “We have intense competition, but we consciously decided that security was not an area where we should hoard the SDL or only patch non-pirated machines”, he insists. Microsoft instead decided to patch pirated machines, knowing that if one of those machines gets infected it would also hurt those trying to be safe online that paid for their software. “You have to think about what is good for the ecosystem, not just the company’s bottom line”, he says.
“Microsoft said ‘we have to do the right thing’, and the right thing is to make sure the entire ecosystem is patched, regardless of whether the machine is pirated or not.”
With that, our time runs out and it’s time for me to allow Charney to get on with the job he loves so much. I’ve enjoyed watching him positively light up as he talks about Microsoft and everything that has been achieved by himself and the company. “As a job, what more could I possibly ask for?”, he asks rhetorically, providing the perfect concluding line.
The one quote I take away from the interview that will stay with me was something Charney said at the beginning of our time together when telling me how he got into information security. “Really, most of life is just showing up. When you get an opportunity, try not to blow it, which clearly I didn’t because it has worked out OK.” That’s what you call an under-statement.