Microsoft hires former DOJ cybercop

Computerworld US has learned that Microsoft Corp. plans to name Scott Charney, the former chief of computer crime at the U.S. Department of Justice (DOJ) and a partner at New York-based PricewaterhouseCoopers LLP, as its new chief security strategist. He replaces Howard Schmidt, who left the company on Jan. 28 to join the Bush administration.

Charney confirmed his appointment in a telephone interview this morning. He assumes his new position on April 1.

The change in title from chief security officer to chief security strategist does not indicate a major shift in responsibilities, said Charney. Rather, it’s “actually a more accurate description of the role Howard had been filling,” he said. “I will be working to secure products and services and developing domestic and international policies that support a more secure infrastructure.”

Microsoft officials declined to comment on the appointment this morning.

Sources close to the interview process said that while they wouldn’t necessarily place Charney on the short list of top IT security experts in the country, he landed the job because of his long career at the DOJ, where he earned a reputation as a skilled and staunch antihacking, cybercrime hardliner.

“I realized that [one Microsoft executive] in particular was looking for someone with significant [government] ties and current contacts,” said a source close to the selection process. Microsoft “saw Howard [Schmidt] as unique and wanted to define the position around their real needs and the strengths of the new [executive].”

Schmidt left Microsoft to become vice chairman of the President’s Critical Infrastructure Protection Board and is admired by many throughout industry and government for having a rare combination of technical and interpersonal skills, especially on Capitol Hill.

However, the job search for a new security strategist hasn’t gone as smoothly as the company would have liked, said a senior Microsoft executive, speaking on condition of anonymity.

“It’s hard to find somebody who knows the technology and has a little bit of business sense and can talk to people on Capitol Hill,” said the executive. Senior officials at Microsoft viewed many of the candidates who applied for Schmidt’s position as being good at one aspect of the job but not others, the executive said.

Eric Friedberg, a former computer crimes coordinator at the DOJ who reported to Charney indirectly, called him one of the “shining lights” in information security. “He’s got national credibility,” said Friedberg, who credited Charney with developing the DOJ’s computer crime and intellectual property division. “He is responsible for building the federal prosecutorial infrastructure for computer crimes cases.”

Alan Paller, research director at the SANS Institute in Bethesda, Maryland, said Charney is the best candidate to carry on Schmidt’s Trusted Computing initiative — not because of his technical background but because of his experience at the DOJ.

“Remember the job [Charney] has to do. He has to get marketing-driven development people to delay, assess and correct their tools so they do not cause harm to the outside world,” Paller said. “[Charney] is probably the best guy in the country to pull that off, because he comes from the purest understanding of the damage that the bad guys do. What a brilliant choice, because you have to prove to some very strong-willed people that it’s worth doing this right. And who better than someone who’s been in the heat of the battles of computer crime?”

An executive said that Microsoft founder Bill Gates and chief executive officer Steve Ballmer had considered restructuring the company’s security organization in the aftermath of Schmidt’s departure. One option on the table included hiring two executives to fill the slot, with one individual focusing strictly on product architecture and the other taking responsibility for business strategy as well as physical and executive security.

According to the executive, Schmidt approached Gates and Ballmer last year with a proposal to change the role of chief security officer from one involving oversight of both product and physical security, including executive protection, to strictly product development. Although Ballmer initially balked at the idea, Gates eventually agreed to the proposal and Schmidt shed his physical security responsibilities, the executive said.

A source with ties to the interview process who asked that his name not be disclosed confirmed that “the issue of placement and emphasis” was a primary topic of discussion within Microsoft. However, there were no indications, the source said, that Gates and Ballmer were in disagreement.

Charney, who holds degrees in English and history, also considers himself “more technical than your average lawyer for sure.” However, Charney, the son of a systems administrator who started programming in Cobol when he was eight, acknowledges that he is “not a Microsoft-level technologist.”

On the technical side, Charney will be supported by a small but elite team, Paller said. This team includes Eric Schultz, co-author of Hacking Exposed, David LeBlanc, a Windows security expert formerly with Internet Security Systems Inc., and Jasper Johansen, a former SANS faculty member.