NSA helped Microsoft make Vista secure
Agency helped to bring OS into compliance with DOD requirements
IDG News Service - The U.S. agency best known for eavesdropping on telephone calls had a hand in the development of Microsoft Corp.'s Vista operating system, the software vendor confirmed yesterday.
The National Security Agency stepped in to help Microsoft develop a configuration of its next-generation operating system that would meet U.S. Department of Defense requirements, said NSA spokesman Ken White.
This is not the first time the secretive agency has been brought in by private industry to consult on operating system security, White said, but it is the first time the NSA has worked with a vendor prior to the release of an operating system.
By getting involved early in the process, the NSA helped Microsoft ensure that it was delivering a product that was both secure and compatible with government software, he said.
"This allows us to ensure that the off-the-shelf security configuration that the DOD customer receives is at a level that meets our standards," White said. "It just makes a lot more sense to be involved upfront, than it does to have the tail wag the dog."
The NSA's involvement in Vista was first reported yesterday by The Washington Post.
The NSA has provided guidance on how best to secure Microsoft's Windows XP and Windows 2000 operating systems in the past. The agency is also credited with reviewing the Vista Security Guide published on Microsoft's Web site.
Microsoft declined to allow its executives to be interviewed for this story. But in a statement, the company said that it asked a number of entities and government agencies to review Vista, including the NSA, the NATO and the National Institute of Standards and Technology.
Still, the NSA's involvement in Vista raises red flags for some. "There could be some good reason for concern," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). "Some bells are going to go off when the government's spy agency is working with the private sector's top developer of operating systems."
Part of this concern may stem from the NSA's reported historical interest in gaining back-door access to encrypted data produced by products from U.S. computer companies.
In 1999, then-Rep. Curt Weldon (R-Pa.) said that "high level deal-making on access to encrypted data had taken place between the NSA and IBM and Microsoft," according to EPIC's Web site.
With Vista expected to eventually power the majority of the world's personal computers, it would be tempting for the government agency to push for a way to gain access to data on these systems, privacy advocates say.
The NSA provided guidance on Vista's security configuration, but it did not openany back doors to Windows, White said. "This is not the development of code here. This is the assisting in the development of a security configuration," he said.
While the NSA is best known for its surveillance activities, the work with Microsoft is being done in accordance with the NSA's second mandate: to protect the nation's information system, White said. "This is the other half of the NSA mission that you never hear much about," he said. "All you ever hear about is foreign signal intelligence. The other half is information assurance."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts