Government

Can Microsoft help government agencies improve IT security?

Microsoft's Institute for Advanced Technology in Governments is helping federal, state, and local agencies devise software solutions. I wanted to know if that included improving IT security.

Microsoft's Institute for Advanced Technology in Governments is helping federal, state, and local agencies devise software solutions. I wanted to know if that included improving IT security.

--------------------------------------------------------------------------------------------------------------------------------

Keeping up with new technology is a full-time job, a luxury most public and private organizations do not have. Case in point, U.S. intelligence agencies hired a defense contractor to create a specialized ($250,000 US) touch table. Mr. Lewis Shepherd, CTO of Microsoft's Institute for Advanced Technology in Governments realized the custom system is similar to Microsoft's Surface. He worked with the agencies and software developer, creating an equivalent solution that costs around $10, 000 US.

Some background

That was not just a fortunate break. Mr. Shepherd (profile) has significant experience working with enterprise organizations. That includes government agencies, as Mr. Shepherd spent four years at the Defense Intelligence Agency (DIA) before joining Microsoft.

While at DIA, Mr. Shepherd was in charge of research and development for the defense intelligence community. One of his challenges was information management and improving the exchange of data between agencies. That part of his job caught my attention. Intelligence agency databases tend to be secure and private. That's something the private sector and other agencies need help with according to 2010 IT security predictions.

I contacted Mr. Shepherd hoping that he might share his thoughts about how best to preserve security and maintain the privacy of databases. Mr. Shepherd was more than willing, providing answers to the following questions: TechRepublic: You currently are Chief Technology Officer for Microsoft's Institute for Advanced Technology in Governments. If you Bing or Google the organization, not much shows up (not even a Web site), could you tell us about the group? Mr. Shepherd: The Institute may seem quiet because it is relatively small and new within Microsoft, in the Advanced Research and Strategies division. The Institute's purpose is to provide government customers with the opportunity to create unique, but scalable solutions based upon Microsoft's platforms, products and services, in part by combining Microsoft's technologies in unique and innovative ways.

Our Institute also draws upon Microsoft's advanced research and development activities to help solve intractable problems for the public sector. Microsoft has one of the largest corporate R&D budgets, this year at $9.5 billion. For comparison, that's about three times the budget of DARPA over at the Department of Defense.

So, we have a lot of depth, which we believe can be brought to bear in helping government officials and technologists think about the future of information work and society's challenges. TechRepublic: During one of your talks with Mr. Jon Udell you mentioned that the group's name ends in governments not government, further explaining that Microsoft is interested in helping all tiers of government. Could you expand on what you meant? Mr. Shepherd: The Institute has offices in the United States and the United Kingdom and is involved with national and local governments, as well as non-governmental organizations (NGO) around the globe. We have several projects in the works with state governments in the U.S.

Here and abroad, we have been consulting on solutions for large-scale problems with governmental coordinating groups. Many times, the challenges faced by the public sector are not clearly defined in the "job-jar" of solely one governmental agency or level of government.

As an example, who owns the problem of improving public education in America? All levels of government must cooperate on this issue along with NGOs, so we work with them all. TechRepublic: While at the DIA, one of your goals was to get all 16 intelligence agencies sharing data securely and accurately. With the number of data breaches in the private sector climbing, securing information is a big concern for CIO/CSOs. Is what you learned at DIA something Microsoft can bring to the private sector? Any examples? Mr. Shepherd: Yes, in fact there has been a bidirectional-information flow, sharing best-practices between government and Microsoft for several years. For example, Microsoft has a cryptographic research unit which works on improving algorithmic and mathematical approaches for encryption and information security. That group's research work is in many cases published and openly available to the U.S. government.

Our Institute has spent quite a bit of time working with federal government agencies sharing appropriate information about best practices in securing enterprise data with modern systems. On the other end, the federal government has been eager to work closely with Microsoft in architecting secure solutions for many of their most challenging data security problems.

One thing that being involved in defense intelligence after 9/11 taught me was that our nation and any modern state depends enormously on a vibrant and entrepreneurial private sector for innovative technologies. Those aren't developed in government labs by and large; even the notable exceptions like ARPANET and GPS relied on government's partnership with defense contractors.

I joined the government after 9/11 from the Silicon Valley start up culture. So, I know first hand the role that the Valley and the technology industry play in providing our government with innovative solutions.

While I was in government, I was very impressed with the critical importance of Microsoft systems to the daily work of DIA and other agencies involved in the Afghanistan and Iraq wars. I admired the dedication that Microsoft brought to creating specialized software solutions for unique government problems.

TechRepublic: Usability and security/privacy are at odds when considering data management. That truism concerns many people, considering the push to consolidate health records into a national database. What do you feel it will take to achieve a workable balance? Mr. Shepherd: I probably have a slightly different take on this because of my private-sector experience. I skew a bit toward the importance of usability. Perhaps counter-intuitively, I believe that government agencies currently place an enormous amount of importance on the protection of privacy. But we must not let that always remain a binary choice. Great architecture with innovative software design can achieve a remarkable balance of each TechRepublic: The CIA is one of the partner agencies with DIA in the intelligence community. It recently came under question for monitoring social networks. It seems citizens are wondering about the value. Your opinion on this would be appreciated. Mr. Shepherd: I'm a proponent of our intelligence community stepping up its efforts in collecting and analyzing "all-source intelligence," meaning data and information garnered from across the spectrum, as allowed by law.

We shouldn't rely only on signals intelligence (overseas phone calls) or on human intelligence (overseas spying). We need to incorporate a look at the entire digital and real-world spectrum of activities which our adversaries engage in. Today that needs to include their digital traces across social networks.

Since we know that terrorists and their support networks are active in international social networks, it would be suicidal for us not to take that into account in trying to develop an accurate picture of their intentions and malevolent plans. We do the same for the hacker community, and we should be doing it with our national adversaries as well.

There's another aspect to this that never gets reported on: the intelligence community is not only charged with developing real-time warning and predictions of terrorist activity or national-level military attack. They are also charged with providing our national leadership with the best possible assessments of international long-term trends and social activity which may have some bearing on the United States and its economic, social, or political systems in future. TechRepublic: Your work at the DIA certainly elevated your understanding of IT security. Has Microsoft been receptive to implementing what you learned at DIA? If so, could you provide some examples? Mr. Shepherd: I've been fortunate to be in a group aligned with what we internally call Trustworthy Computing, Microsoft's effort to help ensure secure, private, and reliable computing experiences for everyone.

As part of this effort, the Trustworthy Computing team works with business groups throughout the company to ensure their products and services adhere to Microsoft's security and privacy policies. It also engages with governments, industry partners, and computer users on important security and privacy issues such as critical infrastructure protection, software assurance, and identity management.

That myriad of activities, internal to the company for our own development practices, external to our partner tech firms, and to our customers globally, exactly mirrors the complexity of secure relationships which we relied upon at DIA.

We developed software and built Information Assurance into each product and system, relying on robust and authoritative security certification; and we simultaneously collaborated with the other intelligence agencies such as Homeland Security, FBI, and coalition partners to try to optimize the sharing of information.

Final thoughts

As shown in the touch-table example, the best decisions are made from an informed position. That, plus Microsoft products being pervasive indicate the working relationship between the Institute for Advanced Technology in Governments and government agencies is a logical step.

I would like to extend a special thanks to Mr. Shepherd for answering my many questions.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

66 comments
JCitizen
JCitizen

My PC is somewhat designed along this model. With the Cable QAM and RIAA standards coming along in the Digital Rights Management field, I've been introduced to the future through my cable ready system, that I purchased from HP. Apparently the law is interpreted to enforce only OEM suppliers are allowed to build and configure PC or PC like systems that handle premium content. On satellite receivers it is obvious; but on PC systems they put DRM designed hardware from the BIOS all the way to the back-plane in the entertainment arena. Microsoft even issues special operating systems that handle the hardware requirements; even my media center comes with a separate designed version. If you try to put inappropriate hardware, commit transgressions while ripping, burning, or copying content, or even make an unauthorized internet connection, your PC can be instantly disabled or shutdown - sometimes without warning or message! I spent four months tearing my hair out trying to get it to work properly - the HP techs just stand there scratching their heads. Every time I have to get a repair part, I have to explain the DRM thing so they will hopefully understand the requirements, and not just blow me off as just being a difficult customer. Needless to say, I've learned more patience than I remember ever practicing in my life.

johnfranks999
johnfranks999

Is anyone else here reading ?I.T. WARS?? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary ? an eCulture ? for a true understanding of a "business-technology weave." It has great chapters on security, risk, project management, content management, acceptable use, disaster recovery (rebranded as disaster awareness, preparedness and recovery), policies, and so on. Just Google ?IT WARS? ? check out a couple links down and read the interview with the author David Scott. (Full title is ?I.T. WARS: Managing the Business-Technology Weave in the New Millennium?).

Tony Hopkinson
Tony Hopkinson

Certainly they are a walking talking example of a whole pile of practices to avoid. Of course this is not a secret, the real questioon is Can MS do it, wothout commercial 'realities' continuing to make a complete arse of it.....

secondbrain
secondbrain

As long as the "solution" for IT Security remains software focused, the "solution" will only ever be as good as the latest version of whatever software is being used. MS can help itself by "helping" the government, but at the end of the day no software solution will ever keep pace with the malware underworld. The solution is hardware.

benwal91
benwal91

They can't help me with a simple question in networking... They think they can help? I read a post from another site about suggesting Linux to the government. I can't find the link from that post anymore.

pkobza
pkobza

Microsoft helping gov with security. So one eyed leading the blind?

charlie
charlie

Hi Michael. I read this with interest. I'd like to highlight the work Huddle (www.huddle.net) has been doing with private and public sector organisations to help them collaborate securely with people outside of their own IT networks. This is a major problem and one that we have solved at many levels - our customer base reflects this with major global corporates coming on board all the time. If you want to have an interview with a young, fast growing company that is operating in this space then we'd be very happy to oblige. Best Regards Charlie Blake Thomas - Huddle.net

Ocie3
Ocie3

through my cable ready system, that I purchased from HP." To which cable are you referring? Please let me know which HP model to avoid. :-( Personally, I have never bought or used a "media center PC" if only because I lack any apparent need for one (because I do not have a spouse and children who have their own computers, thus no home network, and no particular desire to download music, videos and/or movies by the bushel ....). The only use that I have for "cable TV" is for broadband Internet access. But the way that Cox Cable TV provides that where I live does not make it worthwhile to switch from Century Link DSL with landline telephone service, especially considering all of the up-front costs. The complexity and fine-tuning of the Cox "bundles" conveys the message that they would really rather just have "cable TV" customers, and if those customers want Internet access and/or "digital" telephone service, then they should be prepared to pay premium prices.

Deadly Ernest
Deadly Ernest

in many of the US states and most of the world, yet HP, MS, etc still do it. Hell, one of the US federal laws to do with DRM gives RIAA certain rights to attack my system if I do certain things against DRM. Under US law they can do that, but if they do the same thing to a computer in Australia, they (as in all the RIAA execs and the staff involved) have commited a felony and can face up to ten years in prison. Don't you just LOVE how sensible some of those US DRM laws aren't.

JCitizen
JCitizen

thanks for the heads up!

Deadly Ernest
Deadly Ernest

freedom. Software leaves some freedom, the hardware solutions provided to date, like the Trusted Module, lock down the system and lock them into a limited number of software providers as well. If the options are worry about some spam etc, ot be locked up in an Alcatraz type set up, I'll take the concerns coming with the software, thanks.

Deadly Ernest
Deadly Ernest

aware of Unix and Linux. There are a number of government projects going on about the feasibility of converting certain major government applications to run on Linux or Unix instead of Windows, as they currently do. Also, a number of small specialised military programs are based on Unix or Linux, mostly to do with embedded software for weapons. Edit: Check out the info here too: http://en.wikipedia.org/wiki/Evaluation_Assurance_Level

Michael Kassner
Michael Kassner

I don't want to do the debate thing. My intent was to point out that MS is working hard to improve and share their research with the government.

tracy.walters
tracy.walters

...although I think it's been going on for some time. Generally, groups like this shun any kind of publicity, so we have not seen their activity. I've worked closely with Microsoft in their labs and on various projects over the years, finding them to be dedicated and professional. It's unfortunate that some people here love to hate Microsoft...the people, technology and standards they've brought to this industry are priceless. Of course, I'll be villified for saying so.

Michael Kassner
Michael Kassner

I certainly will look into it. I appreciate the information.

JCitizen
JCitizen

I feel your pain ocie!!! I should have put a frowny face after that statement of "I've seen the future", 'cause it don't look pretty!!! :( I could fill a voluminous book of the battles I've fought with Cox and Blue Sky. Both to avoid at all costs!!!!! If what they want is pay TV customers, they got a funny way of conveying that!!

JCitizen
JCitizen

but I had several requirements of one PC, and this met it; although not without headaches! I use this machine as my PC, HDTV cable media center with DVR, home theater(goes with previous requirement), cell phone bluetooth communication center, HD video authoring, malware honeypot, and telephone. I've piled it on, but it has taken it, with a few battle scars!

Michael Kassner
Michael Kassner

If security is an issue. Why not lock down the computers. You are trying to have one size fit all. I don't think it can be accomplished that way.

secondbrain
secondbrain

If you can work with open source tools (office, firefox, etc...) there is a hardware solution that will provide the freedom you're looking for. In addition to that the flexibility and freedoms allowed are not dictated by the hardware but by the admin. If you're talking about IT Security for your home PC, the solution is overkill, but as an enterprise wide solution hardware is the way to go. It's the only way to have a truly secure web browser, eliminates the need for NAC solutions as well as VPN solutions, protected online transactions, and guest user access. The next version will include secure online communications (VOIP, chat, email) To opt for the software solution is to ignore the true size and nature of the threat.

JCitizen
JCitizen

at USJFCOM was C2MR, and that was just a rehearsal of present rescue systems listed in the 2009 Orientation Guide. I've heard of Trusted Computing, but I think it has been a concept that has been around a while. I've always figured it was a marketing stunt as well.

Michael Kassner
Michael Kassner

I am not one of those that it's all or nothing. I know the people in charge of those projects are doing the best thing. I feel the same way when the decision to use MS products is made.

pkobza
pkobza

where do you see any hate from me. I don't hate Microsoft. It more likely seems to be you hating whomever does not share your point of view. I'm just not interested in sweet talk and patting on backs. The only thing I'm interested in are RESULTS. Microsoft has lot of interesting and cool technologies, which they either developed, or bought. ActiveDirectory for instance is one of the greatest things that they have, and Linux is seriously lacking this for the big leap of conquering enterprise desktops. On the other hand they waste lot of resources on useless stuff and flame wars. What I really meant with one eyed leading blind is, that neither govt, nor Microsoft have any right to preach about security. Teenager is able to crack his way into Pentagon, and look at whatever pleases him. Response from govt? Fire the team which failed to prevent that? Officially apologize to the public for doing lousy job? Geez no! Just sentence the kid for life of course!! Afghan peasants are watching live feed from remote controlled planes, which cost astronomical amounts of taxpayers dollars to develop. How ridiculous is that?? And Microsoft? Hardly a month passes without Microsoft fixing bug that allows >remote< code execution in products, which they claimed were secure. Blaster and Conficker viruses spread like lightning, causing major havoc everywhere, and bringing down computers without even any need for users to run as administrators (awful design flaw that Microsoft didn't care about for years). There were actually viruses that could get past MS firewall in XP SP1, and disable it from the inside, I mean what the hell??? Truly trusted computing indeed. What Microsoft really needs is cut down on marketing and sales staff, and hire more developers, to get ahead of things with fixing security holes, and quick. If there is already working exploit for security hole, then its too late. Colorful powerpoint presentations and patting on backs never fixed a single security hole, nor did it improve any software. Actual WORK is required.

Michael Kassner
Michael Kassner

Says a lot. I for one am glad they are still creating.

Deadly Ernest
Deadly Ernest

and above. Also, Win 7 64 bit will NOT allow any driver not digitally signed by MS to run, and a lot of people are NOT getting that done for anything but their very latest hardware, so in it isn't absolutely brand new or in the existing MS Win 7 driver database, you screwed on getting the hardware to work in the 64 bit version. It might be worth seeing if you can get a live disc version of something like SimplyMepis Linux or Kubuntu or PCLinuxOS to run on that system, to try it out.

JCitizen
JCitizen

brain farts as much, I'd bet. Hopefully that all settled out for him! I'd switch to Linux, but it would take some very fancy integration with MythTV and another OSS distro to get past the hardware DRM. Not trying to steal anything, and the gettup would be legit; just would like a system without as many headaches. Maybe Win 7 x64? - *sigh!* I hear the new media center works like a top - got my doubts. >: (

Deadly Ernest
Deadly Ernest

them that much control of your system, you leave yourself open to everything going done due to one minor problem. Being from a security background where we ALWAYS had designed and built in redundancy, I'm very wary of any set up that has ONLY one point of access - that's how you get severely damaged, no real good emergency support or exit at all.

Deadly Ernest
Deadly Ernest

son and I both got cheap refurbed Dells, same model. At the same time both had graphics issues. I plugged in a PCI graphics card I had lying around, switched the BIOS video setting from 'on-board' to 'PCI' and turned it on. Waited a moment while SimplyMepis Linux went through a check of the system, it told me it had a change of graphics card, selected on and started up with my high resolution settings all OK. My son did a similar fix but had to settle for 800 x 600 until he could reset the Windows drivers for that card, then had to reboot. The system recognised the change but Windows was not able to identify and select the correct driver by itself. Then he had to reset where he kept his multitude of icons on the desktop as Windows had automatically repositioned them when it took itself to 800 x 600 from his 1280 x 1024 resolution - he has the icons grouped in different spots on the desktop.

JCitizen
JCitizen

but it does suck when it craters on me. That is only one time, so far. If HP support personnel weren't so inept, it would have been fixed in two days; actually second day air delivery.

JCitizen
JCitizen

HA! But you're right about single point of failure. I had a graphics card go out and was blind and deaf for a month! Not because I didn't have backup assets, but because I got so spoiled rotten on one PC gettup! If I was rich, I'd get another one, but nope! I could go to FOSS/OSS solutions on this, but I know how much trouble it would be, for a Linux newbie like me; actually I think I found out GNU might be the answer.

santeewelding
santeewelding

Means -- what? -- you don't have to look any further. Why disburse yourself all over hell?

Deadly Ernest
Deadly Ernest

the single point of failure problem. I've got a friend at church who does a lot of personal video editing and is always complaining about the problems with using certain software on certain Windows platforms, he has three machines with three versions of Windows and the specialised software he bought has each been specific to a particular version of Windows - he can't get all three for the one version and is mighty upset about it. He's gotten to the point where he's looking very closely at running Linux and using Cross Over to run the Windows software under, if it will run each program fully, he can finally run all three lots on the one PC and save having to transfer the files between machines. And please, don't ask me what he's doing that's so complex, he's told me twice and I STILL don't understand it all.

Deadly Ernest
Deadly Ernest

locking down a specific computer or computers is one thing, but good computer security still needs to follow the basics of good physical security - I've worked in and out of physical security systems for nearly forty years - not always in the security side, but more so than not. Starting with banks in 1970 , and some aspects of security in the Aust Dept of Defence in the 1990s. I've worked with Tempest systems and other classified systems as well; but most of my work with them has been on the physical and policy side, not as an IT security guy setting up and Intrusion Detection System or the like. The closest I got to that was in the early 2000 building some secure gateway servers for a DoD classified gateway where the servers had to be 'hardened' against intrusion and mis-use, and that's a real chore. Each security situation should be evaluated on its own needs and the right tools selected and used, and they can come from many sources. True security is more an attitude that's applied to the whole system, not JUST the perimeter and the odd important room. The MS approach is perimeter and the odd room. As to database data security, that starts with the operating system of the computer it sits on and the operating system of the computers that have access to it, and includes all the links between. Yet, the approach used by MS that I gather from your article is focussed on the database and their Trusted Computing policy; this is NOT a good security approach policy. It matters not how great the database is designed if it can be improperly accessed due to a vulnerability in the operating system it sits on or the operating system of a system that has approved access is vulnerable. Secure these first and you've quintupled the security on the database without even touching it. ............... Let's take this into a physical security situation. A database is a file of records, let's swap them to physical files. The current MS process is to build a fence around the base put armed guards on the gateway, check people coming in the gate, lock the doors of the building, place a guard at the front door, and lock the room with the files stored in it. But nor effort is put into ensuring people can't climb the fence, the base isn't patrolled by guards, the ventilation exit of the building doesn't have a grill, and the ventilation grills are big enough for people to easily crawl through. Thus, it's easy to enter the base via an unapproved point, enter the building and make your way to the room, avoiding all guards in the process. Once in the room, you have full access to all the files, as long as you hide when someone comes to the room. A building to be used for the storage and or use of classified material is secured from the ground up, starting with the plans, when done properly. Ventilation ducts are too small to be used by people and have sensors in them to detect radio controlled equipment being used in them. All rooms are locked and have a number of sensors on them, all corridors and rooms are checked by patrols, as are the base, and patrols check the fence line, even though they also have sensors on them. What MS are wanting to do is to build a huge fortress like set up and then stick the files in a locked room within a warehouse and have all the guards on the fortress walls - that's the aim of the Trusted Computing policy. The current MS approach is better than their intended aim, because what they intend is to lock everyone into their products and then relax on their laurels because they'll 'KNOW' no one can mis-use or abuse their TC systems. And that's the point when they'll be most vulnerable, as they'll be slack. Also, the TC approach is no good until they fix all the problems in their current software. BTW Not all the current available versions of Unix or Linux are absolutely secure or high security either, but the majority do have a higher basic security than what MS has in theirs. As you often say, select the best to suit the purpose, at present, for a security situation MS is NOT even the third best. An OS should be reasonably secure in its default installation, something that can NOT be said for any version of Windows sold new today.

Michael Kassner
Michael Kassner

If the work is sensitive, lock the computers down. I don't see that as an issue. MS will not be the only solution. Not comfortable, don't use their OSs.

Deadly Ernest
Deadly Ernest

can't put more software on that unit, it's another to 'lock down' ALL the computers so that you have total loss of privacy and anonymity and are permanently 'locked in' to using a limited range of software and hardware products. Especially when the offered solution, once activated, means you can NOT interact or communicate with any other system not utilising the 'locked' system. And that's the final aim of Trusted Computing, and why so many object to it.

Deadly Ernest
Deadly Ernest

Oh well, the real interesting question is how long this will go on before someone in big business or government bites the bullet and dumps MS big time; then we may see some real action on security.

RU_Trustified
RU_Trustified

with windows 7. Our mad scientist has looked at it and says it has some serious problems.

Ocie3
Ocie3

will include secure online communications (VOIP, chat)." The next version of what, i.e., what piece of hardware?

Deadly Ernest
Deadly Ernest

I spent most of the 1980s and 1990s and a trouble shooter, and one of the first things about fixing a problem and finding new solutions is to identify and correct what's wrong with the current situation - which MS have NOT done and shy away from. This attitude is a real worry.

Michael Kassner
Michael Kassner

Remember this is a process. People and organizations are working on things that have have never been done before. The fact that they are willing to try means something.

Deadly Ernest
Deadly Ernest

perimeter of the network or segments of the network, which are mostly software anyway, but of providing security at all levels within the network as well.

Michael Kassner
Michael Kassner

I am trying to understand what you mean by a hardware solution? Could you please expand on what you mean? Thanks.

JCitizen
JCitizen

I'm playing catchup - after a video card failure. I was never impressed with Trusted Computing, but then, the whole though of "Trusted" and "Microsoft" put together has always been difficult for me. Don't get me wrong, I use Microsoft, but I don't have to like it either. When I look at alternatives, I look at huge projects that I just don't have time for right now. I've always been a sucker for "all-in-one" solutions.

Michael Kassner
Michael Kassner

Not doing R & D in this country is the one thing that is scaring many experts. So, I certainly agree with you on that point.

tracy.walters
tracy.walters

The amount of money does say a lot...more than some small countries. Putting that kind of time and treasure into R&D is something that few organizations can do. It's good to see their management team believes in R & D enough to fund it at that level.