
Cybersecurity: New Challenges for Software and Internet Security
Guest: Mary Ann Davidson, Oracle Corp.'s chief security officer

Wednesday, Nov. 6, 2002, 1 p.m. ET

Host: Cynthia L. Webb (washingtonpost.com)

Cybersecurity is a critical component of the Bush administration's war on terrorism, and technology companies are playing a greater role in securing critical infrastructures from hackers and cyberattacks. The role of the chief security officer in Corporate America is fast becoming a high-profile position.

Mary Ann Davidson, Oracle Corp.'s chief security officer, is a 14-year company veteran responsible for the database and system software giant's security policies. As CSO, she oversees Oracle's product security and corporate infrastructure security efforts. Davidson also handles security incidents and evaluates technology security measures for the Redwood City, Calif.-based company.

About Davidson

Davidson has worked at Oracle since 1988. Prior to joining Oracle, she served as a commissioned officer in the U.S. Navy Civil Engineer Corps and received the Navy Achievement Medal. She has a bachelor of science in mechanical engineering from the University of Virginia and an MBA from the University of Pennsylvania's Wharton School.

A Transcript Follows:

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.



Cynthia L. Webb: Good afternoon! Our chat with Oracle's Mary Ann Davidson will be starting in a few minutes. Please keep your great questions about cybersecurity coming.


Cynthia L. Webb: Thanks again for being online with us today, Mary Ann. Let's start by talking about the broader issue of cybersecurity policy. The issue of cybersecurity has gained more attention this year, particularly with the Bush Administration getting involved recently with its own cybersecurity "blueprint" to address information security problems. How has this increased push by government -- including asking for cooperation from industry -- changed your job and the initiatives you help carry out at Oracle?

Mary Ann Davidson: The scope of responsibilities for me as CSO has not materially altered as a result of the government's cybersecurity initiatives, though the pace has increased substantially. Since our most security-aware customers include the US Federal government, we continue to build and deliver products to their exacting security requirements. What I have seen is more of an effort by the US government to make security a requirement in their procurement decisions, as evidenced by Federal policy directives, such as NSTISSP #11, requiring products used in national security systems to have independent measures of assurance (i.e. security evaluations). Oracle strongly believes in product evaluations, having done 15 of them over the past 10 years.


Washington, D.C.: Richard Clarke, President Bush's cybersecurity czar, says private industry must cooperate with the government and with other companies to ensure IT systems are secure. Is Oracle embracing Clarke's mantra? Or is it too naive to assume that competitors in the software industry would ever cooperate on security?

Mary Ann Davidson: Mr. Clarke is absolutely right that the issue of cybersecurity is greater than one vendor or one customer. We are indeed "all in this together." As it happens, competitors do cooperate in the area of information sharing about security vulnerabilities, through the IT industry Information Sharing and Analysis Center (ISAC).


Cynthia L. Webb: A number of companies from the Silicon Valley and other tech centers have been involved with providing input and guidance for the White House's cybersecurity overhaul. Could you elaborate on how Oracle has been involved in this effort?

Mary Ann Davidson: Many of the technology companies, including Oracle, are effectively providers for key elements of the nation's critical infrastructure. As such, we did comment on early versions of the draft strategy document, and our comments were accepted. We are reviewing the Sept. 18 draft-for-comment, and we will be submitting our comments shortly.


Cynthia L. Webb: Here's a link to the draft cybersecurity report, supported by the White House. It's a PDF file: http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf


Cynthia L. Webb: You mention federal policy mandates, including NSTISSP #11. Separate from evaluations, does your security team at Oracle have special clearance to work with your federal government clients? Have these employees been hard to hire and/or keep?

Mary Ann Davidson: Oracle began via a contract for one of the intelligence agencies, and we have had close ties to government customers ever since. As such, we have a number of employees working on secure systems development who have clearances. Finding good employees is never easy, but the fact that we have long-standing domain expertise in building secure products for discriminating customers makes it less difficult than might be the case for a smaller or emerging company.


Wheaton, Md.: Ms. Davidson,
I also work in the security industry. From what I have experienced, I don't see much improvement with all the post 9/11 security changes. The new security policies and procedures seem to have little or no added value to the pre-existing security programs. Is this also true with cyber-security or is it any better now? Thanks.

Mary Ann Davidson: In the commercial sector, there has not been a big "wake up call" as regards IT security specifically since 9/11. In fact, some analysts believe that spending has moved from IT security to physical security. The National Strategy is not an instant solution, but as cybersecurity is an issue that affects everyone, and in which there are many stakeholders, it's appropriate that there be an initiative at the national level to drive improvements in cybersecurity.


Washington, DC: After looking over the President's plan to secure cyberspace, it looks like there's plenty for the home user to do. Where do you feel that a corporation's responsibility ends and an individual's starts? How about where the government's responsibility ends and a corporation's starts?

Mary Ann Davidson: Security is at some level a cultural issue for the simple reason that you cannot hire enough security police. Every individual has some responsibility for security. That said, corporations need to make it easier for people who are not technical experts to be secure, especially in the consumer sector. Products ought to be designed to operate securely with minimal "secure configuration" by the user, "security by default," if you will. Consider the Cuisinart. Users have to do something deliberate and unnatural to insert their fingers while the blades are whirling; the product was designed to operate securely, instead of putting the burden on the user to figure out what secure operation is. Software - especially for the home user - needs to be more like that.


Herndon, Va.: Oracle is an international company, selling to customers everywhere. When it comes to developing secure products for the government sector, are you under obligations not to distribute certain systems overseas?

Mary Ann Davidson: As a global company, we comply with both the export laws of the United States and the import and customs laws of the countries to which we export products. The US does restrict the sale of some types of products to certain nations, and to certain individuals, and we must obtain licenses for shipping our source code overseas, as well.


Cynthia L. Webb: We have 30 minutes left in our chat with Mary Ann. Thanks for your great questions and participation.


Silver Spring, Md.: Early this year, Microsoft halted development on products for a short period to completely reevaluate security issues in its products. Has Oracle contemplated a similar effort?

Mary Ann Davidson: Oracle has built security into our development processes for years, and as such has a strong reputation for building and delivering secure products. We do not rest on our laurels, however, since you are never done with security. We already engineer security into functional, design, and test specifications and product release criteria, we have secure coding standards, we do formal (third party) security evaluations, and we even have "ethical hackers" who try to break our products before bad guys do. In every release, I look for what we can do better to make our products bulletproof. Because of the years we have spent building products secure from inception, we have a very strong culture of security. This is Microsoft's biggest challenge - to change its corporate culture. It's in everyone's interests that they succeed.


Falls Church, Va.: Advocates of open-source software maintain that it is the best way to assure security, as many more experts are available to detect and fix bugs. What does Oracle think about open-source software?

Cynthia L. Webb: This is a good question. Could you also address how the open source movement is changing strategy for your company and key competitors of Oracle's, including Microsoft and IBM?

Mary Ann Davidson: For some, the issue of open source vs. proprietary is almost a religious one. I would phrase the issue differently. Given that people use open source, and it is here to stay, how can you make it as secure as possible? There are several things that industry needs to do to improve the security of open source. One of them is that open source software needs to be evaluated against international standards of security, such as the international Common Criteria (ISO-15408), just as proprietary software must be evaluated. There is a group at George Washington University trying to form a consortium to do a Common Criteria evaluation of Linux. This is a great start. Oracle runs on Linux, and we incorporate open source software (e.g., Apache) into some of our products. We encourage the evaluation of open source software.


Fairfax, Virginia: I noticed almost 50 active security alerts on your Web site - some dating back more than a year. Is the industry really that slow to address problems?

Mary Ann Davidson: Part of our responsibility for security is notifying customers when there is a serious security flaw in a product. We make every effort to notify our customers via "security alerts," fix issues on all affected platforms (which is sometimes quite a task, as we run on up to 20 operating systems) and we also incorporate fixes into patch sets to make it easier for customers to be up-to-date. We don't "retire" security alerts because we want everyone to be informed. Yes, some people are slow to apply patches; this is the main reason some of the viruses of the past 18 months were so virulent. (We did not have any damage from Code Red, Nimda, etc., internally since we run Oracle Corporation on Oracle software.)


Westminster, MD: Most mature software products, like those from Oracle and Microsoft (which recently gained Common Criteria certification for Windows 2000), can be made secure. That leaves people as the greatest security vulnerability. How do we educate them as to proper security practices like complex passwords, deleting e-mail attachments from unknown senders, and clues to social engineering attempts?

Mary Ann Davidson: Security is a cultural issue, which is why organizations need to educate their members about the importance of security, and hold them appropriately accountable. Many users would not know a social engineering attempt unless trained to recognize one ("Hi, I'm from the help desk, can you please give me your password so we can test the system?"). If you don't tell your employees security is important, explain what are the most important aspects, and what they need to do, don't be surprised if nobody cares about it.


Washington, D.C.: What do you think of SBC's announcement that it is creating the Internet Assurance and Security Center to develop anti-hacking strategies? Is this something Oracle already has or would consider doing?

Mary Ann Davidson: We already have an information assurance group whose mandate includes ethical hacking. This group does penetration tests on our networks as well as "creative product destruction." We use the results of our hacking team's assessments to improve secure coding standards, training, and product release criteria. If I can't put our own hackers out of a job, I want them to have a very difficult job. In short, I think there is a definite place for ethical hacking, to improve your own products and networks.


Cynthia L. Webb: Readers, Mary Ann has graciously agreed to stay on a bit longer for our chat since we have so many great questions. So if you have more questions you'd like Mary Ann to address, please send them in.


Chevy Chase, MD: Does ISO 15408 (Common Criteria) factor significantly into security strategies, particularly in the federal government? Or are different approaches taking precedence over ISO 15408?

Cynthia L. Webb: Could you also clarify these criteria for readers who might not be familiar with them?

Mary Ann Davidson: It sure does. NSTISSP #11 (in effect since July 2002) requires evaluated products for national security systems (which can include the human resources system for the US armed forces, as an example). The Common Criteria is one of the evaluation criteria allowed under NSTISSP #11. The National Strategy to Secure Cyberspace also mentions the possibility of extending the requirement for evaluated products to all Federal systems. As a very large purchaser of IT systems, the government can change the security marketplace by requiring evaluated products. Everyone would have to build products securely (since evaluations force vendors to follow a secure development process), instead of throwing their products over the wall and hoping nobody notices they are insecure. You can't bolt security onto a product: you have to build it in from inception.


Bethesda, Md.: In answering a previous question you wrote: "Consider the Cuisinart. Users have to do something deliberate and unnatural to insert their fingers while the blades are whirling; the product was designed to operate securely, instead of putting the burden on the user to figure out what secure operation is. Software - especially for the home user - needs to be more like that."

But software systems are very different from a blender or a chainsaw. Software is more like a biological system, where new threats evolve all the time that the system must be able to defeat. Do you foresee a new software generation that is able to detect and deter security threats, much like the human body detects and fights the common cold?

Mary Ann Davidson: There is clearly an argument for defense-in-depth. Banks, for example, have very sophisticated technical security mechanisms, but that does not stop them from using surveillance cameras, guards and dogs. In theory, anti-virus systems should not need to exist, and in fact, an anti-virus system will not make all your pain go away. Vendors whose security flaws allow viruses to propagate have to fix those issues anyway, and users need to apply patches anyway. There is no third party tool that will protect against an enterprise software vendor's failure to build secure products. Another way you can be smarter about anti-virus strategies is through centralization. For example, we run all Oracle Corporation on one mail server (Oracle Collaboration Suite), which means whatever viruses we don't nuke at the mail gateway (by stripping attachments), we clean at the server. We got rid of Melissa in 20 minutes by deleting all the messages at our central Oracle mail server.

Evolving technologies to inoculate against viruses or adapt to them sound great and are worthy of research, but whenever I hear someone say 'neural network,' I'm very skeptical.


San Jose, California: The last I heard, Oracle had about 40 developers working on security issues. Any plans to increase that count as new issues arise?

Mary Ann Davidson: We don't cite exact numbers of developers working in any particular area, but we have added people to security recently, specifically in the area of information assurance (evaluations, secure coding standards and training, security release criteria, and ethical hacking). There were some eyebrows lifted when we started running an ad campaign called "Unbreakable," but this was all about assurance, and Unbreakable is a long-term commitment for us, not merely an ad campaign. Our customers are the most security-aware in the world and we owe them bulletproof software.


Annandale, Virginia: The Bush administration and the FBI are pressing companies to share more data on attacks on their networks. Certainly there has been a stronger outreach effort to companies after Sept. 11, but do you get the sense that companies are feeling any more comfortable these days about sharing vulnerability and attack information with the federal government?

Mary Ann Davidson: It's certainly appropriate that some types of information be shared with other vendors and communities (e.g., protocol vulnerabilities that affect many companies). There are also occasions when companies will not share information because the most responsible thing they can do is to fix the problem for all customers and notify all customers at the same time, so everyone's systems are protected. It's very hard to have an "A" list of customers and a "B" list, because every customer wants to secure its systems and few want to be in the last group to get the news. One of the things the government needs to do is to have a central clearinghouse so that when information is shared (i.e., a security flaw that has a patch available), the information is disseminated as rapidly as possible to all affected parties.


Washington, D.C.: How will yesterday's mid-term elections affect the technology and legislative issues your company is most invested in?

Mary Ann Davidson: It's not clear. Security seems to be largely a non-partisan issue.


Baltimore, Md.: Are there professional associations or societies in existence yet for CSOs? Seems that the CSO job title could use an open forum to swap ideas etc. with people who have the same title and responsibility at other firms. What resources can you suggest?

Mary Ann Davidson: The CSO job description seems to vary from company to company in terms of position description, reporting structure, and "clout." In general, it's a relatively new construct and there has not, as yet, been an industry-wide CSO forum. There are some resources available (two new publications in the last few months, CSO and CISO magazines).


Vancouver, Canada: What is the most secure platform/operating system these days and why? Does Oracle's security strategy differ between platforms?

Mary Ann Davidson: One of our strengths is that we do run on many different operating systems. Our broad strategy is that we want to be as secure as possible on every platform we run on. One of our release criteria, for example, is that the file permissions on any operating system be as restrictive as possible. For example, we do not want the file permissions on the Oracle files to be world readable, writeable, and updateable for obvious reasons; we make them as restrictive as possible on installation as part of our "security by default" requirements.


Cynthia L. Webb: A final question: What are the biggest challenges Oracle faces in regards to cybersecurity?

Mary Ann Davidson: I don't think the biggest challenge is an Oracle challenge; it's an industry one. I would be very happy if everyone "got religion" and started building security into their products from inception and independently evaluating them. Information assurance should be table stakes for everyone, not a competitive issue. The reason I feel strongly about this is that it's an interconnected world. If one of my customer's systems is breached, does it matter whether it was due to a vulnerability from vendor X, vendor Y or vendor Z?

I think we are doing the right things already, but we need to go higher and deeper. Security is like painting the Golden Gate Bridge. There's a team of painters working up one side and down the other, and when they finish, they start all over again. You're never done with security.


Cynthia L. Webb: We are out of time for today's chat. Mary Ann, thanks again for staying on to answer some additional questions and for covering so many issues in our discussion today. And readers, thanks for your excellent participation. Have a great afternoon.

© Copyright 2002 The Washington Post Company