by Gregg Keizer
November 18, 2009
from ComputerWorld Website
The National Security Agency (NSA) worked with Microsoft on the development of Windows 7, an agency official acknowledged yesterday during testimony before Congress.
"Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector," Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security yesterday as part of a prepared statement.
"All this was done in coordination with the product release, not months or years later during the product lifecycle," Schaeffer added. "This will improve the adoption of security advice, as it can be implemented during installation and then later managed through the emerging SCAP standards."
Security Content Automation Protocol, or SCAP, is a set of standards for automating tasks such as vulnerability management and the measurement of security compliance. The National Institute of Standards and Technology (NIST) oversees the SCAP standards.
This is not the first time that the NSA has partnered with Microsoft during Windows development.
In 2007, the agency confirmed that it had a hand in Windows Vista as part of an initiative to ensure that the operating system was secure from attack and would work with other government software.
Before that, the NSA provided guidance on how best to secure Windows XP and Windows 2000.
According to Marc Rotenberg, the executive director of the Electronic Privacy Information Center (EPIC), the NSA's involvement with operating system development goes back even farther.
"This battle goes back to at least the crypto wars of the early '90s," said Rotenberg, who remembered testifying about the agency's role in private sector computer security standards in 1989.
But when the NSA puts its hands on Windows, that raises a red flag for Rotenberg, who heads the Washington, D.C.-based public interest research center.
"When NSA offers to help the private sector on computer security, the obvious concern is that it will also build in backdoors that enable tracking users and intercepting user communications," Rotenberg said in an e-mail.
"And private sector firms are reluctant to oppose these 'suggestions' since the US government is also their biggest customer and opposition to the NSA could mean a loss of sales."
Rotenberg's worries stem from the NSA's reputation as the intelligence agency best known for its eavesdropping on electronic communications, including cell phone calls and e-mail.
Andrew Storms, the director of security operations at nCircle Security, didn't put much credence in the idea that Microsoft would allow the NSA to build a hidden entrance to Windows 7.
"Would it be surprising to most people that there was a backdoor? No, not with the political agenda of prior administrations," said Storms. "My gut, though, tells me that Microsoft, as a business, would not want to do that, at least not in a secretive way."
Roger Thompson, chief research officer at AVG Technologies, agreed.
"I can't imagine NSA and Microsoft would do anything deliberate because the repercussions would be enormous if they got caught," he said in an interview via instant messaging.
"Having said that, I think we should understand that there is every likelihood that certain foreign governments are constantly looking for vulnerabilities that they can use for targeted attacks," Thompson continued.
"So if they're poking at us, I think it's reasonable to assume that we're doing something similar. But I seriously doubt an official NSA-Microsoft alliance."
The NSA's Schaeffer added that his agency is also working on engaging other major software makers, including Apple, Sun and Red Hat, on security standards for their products.
"More and more, we find that protecting national security systems demands teaming with public and private institutions to raise the information assurance level of products and services more broadly," Schaeffer said.
Microsoft was not immediately available for comment on the NSA's participation in Windows 7's development.