The Big Interview: Jerry Fishenden

Microsoft's national technology officer discusses Vista security, fighting spam and the UK government's plans for a super-database
Written by Tom Espiner, Contributor

Jerry Fishenden, Microsoft's National Technology Officer (NTO) for the UK, advises the company on all aspects of technology strategy. His remit includes responsibility for developing the use of IT for local economic development, standards, interoperability, privacy, security and technical computing.

Fishenden has been closely involved with the UK's e-government programme since 1997, and was also involved in the strategic development of the Government Gateway — the UK government's national solution for user identity and transactional services.

We quizzed him on the state of the security landscape today, the challenge of fighting spam and the government's plans to bring in ID cards and create a super-database.

Q: Spam is a huge problem, and one that seems to be baffling the government at the moment. Last week you told the Lords Science & Technology Committee about the US model of Can-Spam and fining per spam. Is this model one you advocate for the UK?
A: I think it would make the [British] system a lot simpler, both in terms of deterrent factor, and of the overheads associated with prosecutions. Also, when someone like Microsoft takes somebody to court, a lot of time and effort is spent trying to prove damages caused by the spam. It's terribly complicated.

It's that usual debate about the balance of deterrents. The amount of spam some of these guys are sending is phenomenal. If we're blocking over three billion spams a day and there's a lot of money in it, then the question is, how do you deter those people?

Recent figures show that most spam is generated from the US, by US companies sending US spam from US servers. Doesn't that show that the US model isn't working?
This gets into issues about the complexities of cross-border spam and e-crime — if I get a spam from the US in my mailbox here in the UK, what do I do about it? You're right, it might come from the States, it might come from anywhere — but how do I initiate an action?

I'm fed up with pesky spam mails invading my mailbox, but which jurisdiction do I take action in? Is it where I live in west London because the PC it landed on is there? But what if a week later I'm flying round the world and I'm in Beijing, and they're hitting the same laptop there? It's horribly complicated.

Would it work to say if someone is using a server in a particular country to spam, then you should be able to go to that country's government and say look, there's a really bad problem with spam from your country. What are you going to do about it?
I suspect the reality is that you might shut down that service, but even if things moves swiftly, by the time you've got through the system of working out who's hosting it and where, the spammers would have torn that site down, gone off somewhere else and set up another one.

But couldn't you then say they're wanted in that country for spamming?
If you work out who it was, yes. Some people are slick at setting up multiple IDs, registering details, then ripping sites down. I can see why the police...

...have a lot of issues at the moment. Essentially you're going to consume a lot of resources trying to track a professional guy who's setting up multiple accounts and identities, who just keeps moving them around and shutting them down.

Microsoft has launched successful prosecutions against a number of spammers, but for trademark infringement and damage to reputation, instead of the act of sending spam. Why is that?
We've only been able to launch quite narrow prosecutions. I'd like to see more of the companies affected by spam, such as Google and Yahoo, banding together with us to bring prosecutions.

Let's look at Vista security. If you harden the system so much that third-party security becomes unnecessary, you'll land yourselves in even more hot water with the EC anti-competition inquiry. However, if you don't harden up the system, you open yourselves up to accusations of being lax about security, and possibly damage your reputation. What's the answer?
We've made the operating system as good as it can possibly be, but that doesn't preclude the fact that security can always be improved over time, particularly as the way hackers exploit the platform evolves.

The idea of a completely secure consumer platform remains in the land of research. You can already get some specialist locked-down configurations, but over time all operating systems are getting more secure.

Is it possible to have a hardened operating system that you automatically update as security threats evolve?
With Kernel Patch Protection, even if you slipstream trusted updates into the operating system, you have to make sure you don't break the applications of third-party providers. It's always desirable to try not to break anyone's apps.

However, attacks are increasingly moving from the operating system to the application layer. It's going to be a real focus to get applications to the same security level as operating systems, as most have focused on ease of use with a major trade-off with security.

The real challenge for industry now is how to move the existing internet model, that's quite embedded, to one that's more secure.

How might that happen?
Identity selectors such as Cardspace could go some way to solving the problem, but we now have to get the provider and consumer spaces interested. ID selectors are trying to get online e-commerce and banking sites interested.

How do you decide what security to put into the operating systems, and what to hold back and sell as security tools?
It's a fine line to tread. The standard principle is this: is it core to protecting the operating system, like a firewall, or is it something that sits around it, like mail services?

Social engineering still remains the most viable form of attack. Spam and email attacks are mostly about social engineering. Some people want to believe that some guy wants to move £1m into their accounts. Some of the stories you hear about pensioners losing their life-savings are frightening, really.

Microsoft security has suffered from having to incorporate legacy code. Has the move to 64-bit with Vista allowed a break with the past?
64-bit has given us the chance to impose a stringent set of ground rules, and say to people — if you want to play in the 64-bit space, here are the rules. With 32-bit, there are legacy issues caused by the desire for backwards compatibility. We were always trying to architect software to run on the previous system. The test used to be — would Donkey Kong run on it?

How will Microsoft get along with third-party security vendors, now it has entered the security products arena?
It's a horrible word that Shakespeare definitely never used, but "co-opetition" is the answer. When it comes to security we're all on the same side, but below that we're all competing. Apple is a good example — we've had that with them for a long time.

We talk to open-source identity selectors, because there's...

...such a huge problem around phishing and pharming. However, we compete quite fiercely. We'll say ours is the best, they'll say theirs is the best, and the market will decide.


Vendors have said that there's a danger that some of the security features in Vista, such as User Account Control and Parental Control, will alienate people because of usability. Do you agree?
Parental Control has been a particular topic of debate. With the BSI Kitemark Committee — which is going slowly — a big debate has been what's on by default, how much you have in place straightaway and how much you leave to choice. If you have too-rigorous controls on by default, people switch them off.

With my son, I set up access to the CBeebies site. Every time he wanted to play a new game I had to authorise it through Parental Control because the games were being served from other sites. I ended up switching Parental Control off.

Chris Lindsay, general manager for broadband at BT Business, told us this week that Microsoft's "brand image" might count against it in the security space, and that Vista's hardware requirements will hamper take-up. What's your view?
Historically we had a problem in the past with our image and reputation. We hope that perceptions have changed. We used to have a large number of vulnerabilities on the platform. Since we started the Trustworthy Computing initiative five years ago, and baked in security by design, there's been a dramatic drop in the number of vulnerabilities.

As for the hardware comment, a lot of current PCs won't run Vista advanced graphics. But if you don't have an Aero-compatible graphics card, Vista will still run. I've got an old Sony Vaio laptop — and you can't retrofit a graphics card in a laptop. However, I'm going to drag it to Vista.

What do you see as the major future security threats across the industry?
With every device potentially on the internet, the security risks increase — especially for mission-critical devices streaming information. It's challenging to secure all that. There's also the issue of identity in a grid-enabled internet — you have to prove who you are to a mesh of internet devices. Suddenly there's a completely different scale to the challenge, particularly for real-time stuff. Take ignorance of the basic protocols for VoIP — people chewing up bandwidth saying "Hi honey, I'm on the train", drowning out a high-priority 999 message.

Will deperimeterisation and encryption solve those issues?
There's scope to use identity selectors such as Cardspace as a secure way of improving information flow, and making sure you're in the loop so information can flow by you if you're an IT manager.

Looking at the public sector, what are the security implications of the government's latest data-sharing plans?
The system they already have — the Government Gateway — is quite a good one. It enables data sharing without releasing information that doesn't need to be released. Gateway keeps track of an information request against an individual's credentials.

At the moment people's IDs are compartmentalised, so there's no reason for your NHS number to be given to anyone else, for example.

Do you have any concerns over the government's database plans for ID cards?
The ID cards programme won't be one big database, but a combination of three. That's a potential security and privacy risk. In a world of distributed systems, how do you safeguard privacy and security? There's lots of challenges around security, privacy, data integrity and data matching.

Editorial standards