Q&A

Q&A: RSA Chief Art Coviello on 10 Years of Microsoft's Trustworthy Computing

In an interview with Redmond, Coviello recalls where Microsoft was a decade ago when it announced Trustworthy Computing and the progress it has made since.

• By Jeffrey Schwartz
• 05/01/2012

Art Coviello, RSA Security executive chairman and executive VP of EMC Corp., hosted Microsoft Chairman Bill Gates at the annual RSA Security Conference in 2004 when Gates faced the music in front of an audience of heated critics. In an interview with Redmond, Coviello recalls where Microsoft was then and the progress it has made since.

What happened after Gates made his first RSA keynote?
He did a credible job helping people understand what Microsoft was attempting to do. It was at that point that people started to give Microsoft a little bit more of the benefit of the doubt. As Microsoft developed Windows -- and, quite frankly, developed all their products -- they were all developed with an eye toward ease of use. And sometimes ease of use did not always translate into good security. I don't think anyone from [the] Windows 95 [team] would have conceived of a day where there would be a criminal ecosystem phishing and nation-state-oriented attacks. If you look at it in hindsight, it shouldn't have been as surprising that we ran into the trouble we ran into. Several of Microsoft's initiatives, including getting after some of the Zeus botnets working with the financial services sector, have been very aggressive at reaching out to everybody and ensuring their knowledge is everybody else's knowledge and spreading that as quickly as possible. I don't know of another company doing that quite as well as Microsoft. When you own as much of the desktop landscape as they have, as well as the browser infrastructure, I'd say they also have more of a responsibility, almost, than anybody else. Over time, more and more, they have faced up to that. Some things they've done with desktop file encryption, antivirus, anti-malware and [including it with] the operating system as opposed to making it an extra product that you pay for, is pretty welcome in the community.

What's your take on the concern from some who feel that adding anti-malware to Windows might be anti-competitive with some of the security software vendors?
I'm not an antitrust lawyer, but it seems stopping malware in operating systems should be a fundamental part of how that operating system works. So I guess I don't see it that way. The other thing is, let's face it, the antivirus signatures have just not been able to keep up with the threats. That's why some of the proactive sharing of information that Microsoft has also stepped up and led on is also a welcome thing. You're damned if you do and damned if you don't.

What was your reaction to Microsoft teaming up with federal authorities to go after the Zeus botnet? Did they overreach or is this a necessary thing they need to do to stop this?
I think this is something we're all going to struggle with. To me it's a very difficult conundrum. I think it's incumbent on those of us in the industry to educate legislatures that it can't be all right for criminals and other hackers to be able to run roughshod over privacy laws -- and then not allow the people who are charged with protecting that very privacy the ability to do things to protect us that could be viewed as a bit intrusive. So if Microsoft reaches out with the FBI to fight the Zeus botnet, I'm hard-pressed to criticize it as being an overreach. We've got to fight back more vigorously. At some level the best defense is a good offense. We're so open in our infrastructures today that it's critical to the extent we can stop these attacks before they begin, that we've got more time to defeat the attacks that do get through.

Where else would you like to see Microsoft address security?
I'd just say that the progression of what they've done is very strong and they ought to continue to step up their efforts, especially as we go to the cloud. The more we build in intelligence-driven characteristics to security -- in other words, understanding anomalies in human behavior, understanding anomalies in the flow and use of information -- the better equipped we'll be. But I'll leave it to Microsoft to the specifics of what they ought to be doing with their products and solutions.

How closely are you working with Microsoft?
We've engaged with them at a number of points over the years. They've licensed our data loss protection technology. We've certainly worked with them to make sure our SecureID authentication works as well as possible in Microsoft environments. Is their anything in particular they've done that has stood out? I like what they've done with strengthening the security of the operating systems, adding security feature functionality around it. I'd sure like to see them do more with our data loss prevention technology; I think that would be helpful. I really like some of the outreach, being proactive in terms of them defeating some of these botnets. We're at a point now with the openness that we have that there's a certain air of inevitability of being compromised: It's not whether [or] if you're going to be compromised, it's how quick you're able to discover it and do what I call shrink the window of vulnerability so an intrusion does not result in a loss.