Scott Charney is Corporate Vice President for Microsoft’s Trustworthy Computing Group. Mr. Charney is responsible for a range of corporate programs that influence the security, privacy and reliability of Microsoft’s products, services and internal networks. He also manages the Engineering Excellence Team, a group focused on promoting best-of-breed engineering practices and ensuring compliance with Microsoft’s mandatory engineering policies.
Prior to joining Microsoft, Mr. Charney served as a Principal at PricewaterhouseCoopers, where he led the firm’s Digital Risk Management and Forensics Practice. Before that, Mr. Charney served as Chief of the Computer Crime and Intellectual Property Section (CCIPS) where he was responsible for implementing the Justice Department's computer crime and intellectual property initiatives. Prior to leading CCIPS, Mr. Charney served as an Assistant United States Attorney responsible for the investigation and prosecution of complex cases involving organized crime and as an Assistant District Attorney in Bronx County, New York, where he was responsible for prosecuting persistent violent felony offenders. He also served as Deputy Chief of the Investigations Bureau.
Mr. Charney has received numerous awards during his career, including the Justice Department’s John Marshall Award for Outstanding Legal Achievement and the Attorney General's Award for Distinguished Service. Mr. Charney graduated from the Syracuse University College of Law with honors, and received his undergraduate degrees from the State University of New York at Binghamton.
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing

For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals, organizations (including nation-states), and society at large, and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns. Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. In my Rethinking Cyber Threats and Strategies paper I discuss a framework for categorizing and assessing cyber threats, the problem with attribution, and possible ways for society to prevent and respond to cyber threats. In my speech today at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, I proposed one possible approach to addressing botnets and other malware impacting consumer machines. This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”
Posted by Scott Charney Corporate Vice President, Trustworthy Computing
Today I’m testifying at a hearing of the House Committee on Oversight and Government Reform. The hearing is on the benefits and risks of the federal government’s adoption of cloud computing.
Cloud computing in its many forms creates tremendous new opportunities for cost savings, flexibility, scalability and improved computing performance for government, enterprises and citizens. At the same time, it presents new security, privacy and reliability challenges, which raise questions about functional responsibility (who must maintain controls) and legal accountability (who is legally accountable if those controls fail). Customers, including the government, need to make informed decisions about adoption of the cloud and its various service models because the model that is embraced will entail different allocations of responsibility between the customer and the cloud provider(s).
This shifting responsibility requires that both cloud providers and governments take seriously their distinct and shared responsibilities for addressing the security, privacy and reliability of cloud services. Both customers and cloud providers must understand their respective roles. Customers must be able to communicate their compliance requirements, and cloud providers must be transparent about the controls in place to meet those requirements:
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
Cybersecurity and the overall health of the Internet has become a key concern for governments, enterprises and computer users.
As more people, computers and devices come online (there are approximately 2 billion people using the Internet today), cyber threats have grown more sophisticated and cybercriminals have successfully gathered sensitive data, disrupted critical operations or engaged in other illegal activity such as fraud. Governments around the world have expressed concern that the critical information infrastructures that support their countries could be targeted. In response, many countries have sought to improve critical information infrastructure policy, to build effective information sharing and collaboration capabilities that address threats and vulnerabilities, and to coordinate on responses to increasingly complex cyber incidents.
This week, the House Cyber Security Task Force, chaired by Rep. Thornberry, released its recommendations and report to help guide legislative action on cybersecurity. The Task Force recommendations represent another key milestone in our combined private and public sector efforts to address the cybersecurity challenges of the Information Age.
It has been an interesting time for those who care about cyber security. Last week, the European Union introduced its formative cybersecurity strategy and draft directive on network and information security to better protect critical systems from security incidents and breaches. Two days ago, the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks. The White House also issued Presidential Policy Directive 21 on critical infrastructure security and resilience to augment existing policy and enhance existing capabilities, partnerships, and strategies. Yesterday, a bill was also introduced on the Cyber Intelligence Sharing and Protection Act (CISPA), which will continue the important dialogue on the exchange of cyber threat information to help manage cyber risks.
A review of the key definitions, approaches and activities outlined in the Executive Order shows that it is fairly well aligned with a set of global principles essential for enhancing cyber security. More specifically, it recognizes the principles of active collaboration and coordination with infrastructure owners and operators, outlines a risk-based approach for enhancing cyber security, and focuses on enabling the sharing of timely and actionable information to support risk management efforts. It is important to see these principles reflected in the Executive Order for three reasons. First, it is the private sector that designs, deploys and maintains most critical infrastructure; therefore, industry must be part of any meaningful attempt to secure it. Second, information sharing combined with the implementation of sound risk management principles is the only way to manage complex risks. Finally, while critical infrastructure protection is important, it cannot be the only objective of governmental policy; privacy and continued innovation are also critical concerns.
Posted by Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft
Last February, both the United States and the European Union announced major cybersecurity policy initiatives. In the U.S., the Executive Order on Improving Critical Infrastructure Cybersecurity put forward an industry-driven approach to developing a Cybersecurity Framework, and emphasized the role of incentives to encourage use of the Framework. In the EU, the European Commission proposed a draft Network and Information Security (NIS) Directive that suggested a broader scope and a more regulatory approach than that in the Executive Order, including the mandatory disclosure of cybersecurity incidents. One year later, I wanted to offer observations about these initiatives, as both have advanced on their respective tracks.
At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.
Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.
On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.