NSA helped with Windows 7 development
Privacy expert voices 'backdoor' concerns, security researchers dismiss idea
Computerworld - The National Security Agency (NSA) worked with Microsoft on the development of Windows 7, an agency official acknowledged yesterday during testimony before Congress.
"Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector," Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security yesterday as part of a prepared statement.
"All this was done in coordination with the product release, not months or years later during the product lifecycle," Schaeffer added. "This will improve the adoption of security advice, as it can be implemented during installation and then later managed through the emerging SCAP standards."
Security Content Automation Protocol, or SCAP, is a set of standards for automating chores such as managing vulnerabilities and measuring security compliance. The National Institute of Standards and Technologies (NIST) oversees the SCAP standards.
This is not the first time that the NSA has partnered with Microsoft during Windows development. In 2007, the agency confirmed that it had a hand in Windows Vista as part of an initiative to ensure that the operating system was secure from attack and would work with other government software. Before that, the NSA provided guidance on how best to secure Windows XP and Windows 2000.
According to Marc Rotenberg, the executive director of the Electronics Privacy Information Center (EPIC), the NSA's involvement with operating system development goes back even farther. "This battle goes back to at least the crypto wars of the early '90s," said Rotenberg, who remembered testifying about the agency's role in private sector computer security standards in 1989.
But when the NSA puts hands on Windows, that raises a red flag for Rotenberg, who heads the Washington, D.C.-based public interest research center. "When NSA offers to help the private sector on computer security, the obvious concern is that it will also build in backdoors that enables tracking users and intercepting user communications," Rotenberg said in an e-mail. "And private sector firms are reluctant to oppose these 'suggestions' since the US government is also their biggest customer and opposition to the NSA could mean to loss of sales."
Rotenberg's worries stem from the NSA's reputation as the intelligence agency best known for its eavesdropping of electronic messaging, including cell phone calls and e-mail.
Andrew Storms, the director of security operations at nCircle Security, didn't put much credence in the idea that Microsoft would allow the NSA to build a hidden entrance to Windows 7. "Would it be surprising to most people that there was a backdoor? No, not with the political agenda of prior administrations," said Storms. "My gut, though, tells me that Microsoft, as a business, would not want to do that, at least not in a secretive way."
Roger Thompson, chief research officer at AVG Technologies, agreed. "I can't imagine NSA and Microsoft would do anything deliberate because the repercussions would be enormous if they got caught," he said in an interview via instant messaging.
"Having said that, I think we should understand that there is every likelihood that certain foreign governments are constantly looking for vulnerabilities that they can use for targeted attacks," Thompson continued. "So if they're poking at us, I think it's reasonable to assume that we're doing something similar. But I seriously doubt an official NSA-Microsoft alliance."
The NSA's Schaeffer added that his agency is also working on engaging other major software makers, including Apple, Sun and Red Hat, on security standards for their products.
"More and more, we find that protecting national security systems demands teaming with public and private institutions to raise the information assurance level of products and services more broadly," Schaeffer said.
Microsoft was not immediately available for comment on the NSA's participation in Windows 7's development.
- Boutique PC seller laughs all the way to the bank on the back of Windows 7
- Microsoft starts auto-installing Windows 7 SP1 on consumer PCs Tuesday
- Microsoft warns of looming retirement for Windows 7 RTM
- Consumer Reports makes case for Windows 7 PCs
- Microsoft doubles support lifespan for consumer Windows 7, Vista
- At CES, Microsoft sets stage for lower Windows revenue
- Windows 7 to crack 40% share by year's end
- Microsoft TV ads to target old PCs with anti-'good enough' angle
- Windows 7 share tops XP for first time in U.S.
- Windows 7 breaks 20% share barrier
Read more about Government IT in Computerworld's Government IT Topic Center.
- 10 Hot Big Data Startups to Watch
- 11 Unique Uses for Google Glass, Demonstrated by Celebs
- How to Export Your Google Reader Account
- How to Better Engage Millennials (and Why They Aren't Really so Different)
- Telltale signs of ATM skimming
- 20 security and privacy apps for Androids and iPhones
- Big screen con artists: 7 great movies about social engineering
Today, many government agencies – civilian and defense – find themselves in a technology quandary: the volume of data that must be stored is growing rapidly, while shrinking budgets are limiting capital expenditures (i.e. – servers, storage devices, etc.) required to store all of this data.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Federal IT Innovation Caught in a Catch-22
- Fed resources shoring up old infrastructure, holding back new technologies.
- ESG Lab Validation of QLogic's Caching SAN Adapter
- ESG details the results of their testing of QLogic's new 10000 Series 8Gb Fibre Channel Adapter with a focus on scalable database performance...
- Deliver Customer Value with Big Data Analytics
- Big Data requires that companies adopt a different method in understanding today's consumer. Read this white paper to learn why Big Data is...
- Cloud Analytics for the Masses
- Learn the best practices in building applications that can leverage volume, variety and velocity of Big Data for organizations of any size.
- An Interactive eGuide: DDoS Attacks
- In today's world, Distributed Denial of Service (DDoS) attacks on organizations are becoming more prevalent. The number of attacks are increasingly annually with... All Government IT White Papers
- 3 Reasons Why Sepaton is the World's Fastest Backup Solution
- Leading analyst, Storage Switzerland learns how Sepaton backs up and deduplicates massive data volumes while maintaining the industry's fastest performance - all in...
- Virtustream (Vayence) video taking a 3000-Seat SAP Environment to the Cloud
- How can public cloud services help your organization reduce costs and increase security for your mission
- Williams & Fudge on Transforming IT with EMC
- Watch Williams & Fudge Data Center Director Phillip Reynolds discuss why this accounts receivable management firm turned to EMC.
- The Success Network: Driving Business Forward
- The communications and connectivity infrastructure of your organization is the focus of this KnowledgeVault Exchange, sponsored by Comcast Business.
- Advanced Voice Solutions for Your Business
- How can hosted business class voice services help mid-sized business be more agile, competitive and ready for growth? All Government IT Webcasts