Archive for the ‘Cybersecurity Policy’ Category

Defending the power grid against supply chain attacks—Part 2: Securing hardware and software

March 23rd, 2020

Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized.

In the first blog in the “Defending the power grid against cyberattacks” series, I walked through how the accelerated adoption of the Internet of Things (IoT) puts utilities and citizens at risk of attack from nation state actors. In this post, I’ll provide guidance for how utilities manufacturers can better protect the connected devices that are deployed in the energy industry.

Protect identities

If your organization supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to reach your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of hacking-related breaches involve weak or compromised credentials. Attackers target many people at a time, but they only need to succeed once to gain access.

Securing your company starts with safeguarding your identities. At the bare minimum, you should apply multi-factor authentication (MFA) to your administrative accounts. A better option is to require all users to authenticate using MFA. MFA requires that users sign in with more than just a password. The second factor can be a one-time code from a mobile device, biometrics, or a FIDO2 security key, among other options. MFA reduces your risk significantly because a stolen or guessed password is no longer enough on its own; the attacker must also compromise the second factor.

Figure 1: You can use Conditional Access policies to define when someone is prompted to sign in with MFA.

Secure privileged access

In a supply chain attack, adversaries attack your organization to gain access to data and applications that will allow them to tamper with your product or service before it reaches its intended destination. Bad actors want to infiltrate your build environment or the servers that you use to push software updates. To accomplish this, they often target administrator accounts. Securing your administrative accounts is critical to protect your company resources. Here are a few steps you can take to safeguard these accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This reduces the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. It keeps these activities and accounts isolated from email, web browsing, and other internet exposure. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other, more routine tasks.

Safeguard your build and update environment

Bad actors don’t just target user accounts. They also exploit vulnerabilities in software. Many attacks take advantage of known vulnerabilities for which patches are already available. Keep software and operating systems up to date and patched to reduce your risk. Retire any technology that is no longer supported by the publisher, and implement application control (mandatory integrity controls) so that only trusted, approved tools can run, particularly on build and update servers.

You also need to protect the software that your team writes. A proven and robust Secure Development Lifecycle (SDL) will guide your developers to build software that includes fewer vulnerabilities. Microsoft’s SDL includes 12 practices. For example, Microsoft SDL recommends that security and privacy requirements be defined at the beginning of every project. The guidelines also provide tips for managing the security risk of third-party software, performing threat modeling, and penetration testing, among other recommendations. By building security into the entire software process, the software you release will be more secure and less vulnerable to attack.

Assume breach

My recommendations will reduce your risk, but they won’t eliminate it entirely. To protect your company and customers, you’ll need to adopt an assume breach mindset. It’s not a matter of if you’ll be breached but when. Once you’ve accepted that you can’t prevent all attacks, put processes and tools in place that enable you to detect and respond to an incident as quickly as possible.

Endpoint detection and response solutions, like Microsoft Threat Protection, use AI to automate detection and response and to correlate threats across domains. When an incident is detected, you will need an appropriate response. The National Institute of Standards and Technology (NIST) provides an incident response guide (Special Publication 800-61). You can also learn from Microsoft’s Security Response Center (MSRC), which shared how it developed an incident response plan.

Figure 3: An overview of an incident in Microsoft Threat Protection.
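The password-spray tactic named under “Protect identities” and the detect-and-respond tooling this section calls for can be shown concretely with a small detector. The Go program below is an added example; it is not code from the original post, from Microsoft Threat Protection, or from any product. The sign-in log line format and the sample lines are constructed for the example, and the thresholds (five accounts inside ten minutes, at most two failures per account) are assumptions to tune against your own sign-in volume.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignIn is one parsed authentication event.
type SignIn struct {
	When    time.Time
	SrcIP   string
	User    string
	Success bool
}

// Finding is one source IP whose failed sign-ins match the spray pattern.
type Finding struct {
	SrcIP         string
	DistinctUsers int // accounts failed against inside the best window
	Failures      int // failures inside that window
	Successes     int // successful sign-ins from the same IP, any time
	WindowStart   time.Time
	WindowEnd     time.Time
}

// SampleLog is constructed sample data in a hypothetical line format, not a
// real sign-in log: "<RFC3339 time> src=<ip> user=<name> result=<OK|FAIL>".
// 203.0.113.7 sprays one guess across six accounts and lands one;
// 198.51.100.9 hammers a single account (brute force, not a spray);
// 192.0.2.4 is a user who mistyped a password once.
var SampleLog = []string{
	"2020-03-23T08:00:01Z src=203.0.113.7 user=alice result=FAIL",
	"2020-03-23T08:00:03Z src=203.0.113.7 user=bob result=FAIL",
	"2020-03-23T08:00:05Z src=203.0.113.7 user=carol result=FAIL",
	"2020-03-23T08:00:07Z src=203.0.113.7 user=dave result=FAIL",
	"2020-03-23T08:00:09Z src=203.0.113.7 user=erin result=FAIL",
	"2020-03-23T08:00:11Z src=203.0.113.7 user=frank result=OK",
	"2020-03-23T08:01:00Z src=198.51.100.9 user=bob result=FAIL",
	"2020-03-23T08:01:02Z src=198.51.100.9 user=bob result=FAIL",
	"2020-03-23T08:01:04Z src=198.51.100.9 user=bob result=FAIL",
	"2020-03-23T08:02:00Z src=192.0.2.4 user=carol result=FAIL",
	"2020-03-23T08:02:30Z src=192.0.2.4 user=carol result=OK",
	"this line is malformed and is skipped",
}

// ParseSignIns parses the line format above; malformed lines are skipped.
func ParseSignIns(lines []string) []SignIn {
	var out []SignIn
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 4 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		kv := map[string]string{}
		for _, p := range f[1:] {
			if parts := strings.SplitN(p, "=", 2); len(parts) == 2 {
				kv[parts[0]] = parts[1]
			}
		}
		if kv["src"] == "" || kv["user"] == "" {
			continue
		}
		out = append(out, SignIn{When: t, SrcIP: kv["src"], User: strings.ToLower(kv["user"]), Success: kv["result"] == "OK"})
	}
	return out
}

// DetectSpray flags a source IP when, inside any window of the given length,
// its failures hit at least minUsers distinct accounts with no account tried
// more than maxPerUser times. Many accounts with few guesses each is the
// spray signature; many guesses against one account is a brute force and
// belongs to a different rule (and to per-account lockout).
func DetectSpray(events []SignIn, window time.Duration, minUsers, maxPerUser int) []Finding {
	failsByIP := map[string][]SignIn{}
	successByIP := map[string]int{}
	for _, e := range events {
		if e.Success {
			successByIP[e.SrcIP]++
		} else {
			failsByIP[e.SrcIP] = append(failsByIP[e.SrcIP], e)
		}
	}
	var findings []Finding
	for ip, fails := range failsByIP {
		sort.Slice(fails, func(i, j int) bool { return fails[i].When.Before(fails[j].When) })
		best := Finding{SrcIP: ip, Successes: successByIP[ip]}
		start := 0
		for end := range fails { // sliding window over time-sorted failures
			for fails[end].When.Sub(fails[start].When) > window {
				start++
			}
			perUser, maxAttempts := map[string]int{}, 0
			for _, e := range fails[start : end+1] {
				perUser[e.User]++
				if perUser[e.User] > maxAttempts {
					maxAttempts = perUser[e.User]
				}
			}
			if len(perUser) >= minUsers && maxAttempts <= maxPerUser && len(perUser) > best.DistinctUsers {
				best.DistinctUsers, best.Failures = len(perUser), end-start+1
				best.WindowStart, best.WindowEnd = fails[start].When, fails[end].When
			}
		}
		if best.DistinctUsers > 0 {
			findings = append(findings, best)
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SrcIP < findings[j].SrcIP })
	return findings
}

func main() {
	for _, f := range DetectSpray(ParseSignIns(SampleLog), 10*time.Minute, 5, 2) {
		fmt.Printf("spray from %s: %d accounts, %d failures %s..%s, %d success(es) from same IP\n",
			f.SrcIP, f.DistinctUsers, f.Failures, f.WindowStart.Format(time.RFC3339), f.WindowEnd.Format(time.RFC3339), f.Successes)
	}
}
```

The reason a spray is counted per source rather than per account is the point of the tactic: one or two guesses against each of many accounts stays under every per-account lockout threshold, so a rule keyed on the account never fires. The Successes field is the triage priority: a spray that also produced a successful sign-in from the same source is an account compromise, not an attempt, and it is exactly the case MFA is meant to stop.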

A good communication plan is an important component of a response plan. You will need to let customers know there was an incident and how you plan to address it. As the MSRC notes, “Clear, accurate communication builds confidence in the incident response process, maintains trust with customers, protects your brand, and is essential for fast effective response.”

Centralized IoT device management

In addition to operating a number of generation plants, utilities operate a network of thousands of substations and hundreds of thousands of miles of transmission and distribution lines. This requires them to deploy a large number of IoT devices to safely and efficiently deliver electricity to their customers. To effectively manage this network of IoT devices, suppliers should provide their customers with centralized IoT device management to update firmware, install security updates, and manage accounts and passwords.
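The update servers and build environment that attackers target (see “Secure privileged access” and “Safeguard your build and update environment” above), together with the centralized firmware-update capability this section asks suppliers to provide, come down to one control on the device: accept an update only if its manifest is signed by a key pinned at manufacture, the image matches the signed digest, and the version is newer than the one installed. The Go program below is an added example, not Microsoft’s code or any vendor’s update mechanism; the manifest layout, the in-memory key handling, and the firmware images are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the update server signs: a monotonically increasing
// version (anti-rollback) and the SHA-256 of the firmware image. The image
// travels separately and is trusted only after the signature and digest check.
type Manifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte // Ed25519 signature over version || digest
}

// signedBytes is the exact byte string covered by the signature.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Sign runs on the build/update server, where the private key lives
// (in production in an HSM, never on the device or a general-purpose CI host).
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("manifest version is not newer than installed")
)

// Verify runs on the device against a public key pinned at manufacture and
// the currently installed version. Signature first: until it passes, nothing
// in the manifest is trustworthy, the digest included.
func Verify(pinned ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo signs constructed images and exercises the cases a device must reject:
// a tampered image, a manifest re-pointed at the tampered image by someone
// without the key, a replayed older release, and a manifest signed with a key
// the device has not pinned. The keys are generated in memory for the demo.
func Demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v1 := []byte("constructed firmware image, release 1")
	v2 := []byte("constructed firmware image, release 2")
	evil := []byte("constructed firmware image, release 2, with a backdoor")
	m1, m2 := Sign(priv, 1, v1), Sign(priv, 2, v2)

	forged := m2
	forged.Digest = sha256.Sum256(evil) // attacker fixes the digest but cannot re-sign
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)

	return map[string]error{
		"valid_upgrade":   Verify(pub, 1, m2, v2),
		"tampered_image":  Verify(pub, 1, m2, evil),
		"forged_manifest": Verify(pub, 1, forged, evil),
		"rollback_to_v1":  Verify(pub, 2, m1, v1),
		"unpinned_key":    Verify(otherPub, 1, m2, v2),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Two design points matter more than the algorithm. First, the digest alone is not an integrity control: anyone who can modify the image on the update server can recompute a hash, which is why the forged_manifest case fails on the signature, not the digest. Second, the installed version must be stored somewhere the firmware itself cannot roll back, such as a monotonic counter in a secure element; otherwise an attacker can re-serve a genuinely signed but vulnerable older release. Key rotation and revocation are out of scope for this example and need their own design.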

Build trust

Protecting critical infrastructure from a destabilizing attack will require collaboration among utilities and suppliers in the industry. Device manufacturers and software publishers have a vital role to play in protecting critical infrastructure. By instituting and maintaining the security practices that I’ve recommended, you can dramatically reduce the risk to your organization and to the power grid.

Stay tuned for the final post in this series, “Part 3: Risk management strategies for the utilities industry,” where I’ll provide recommendations specifically for utilities.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks—Part 2: Securing hardware and software appeared first on Microsoft Security.

Changing the Monolith—Part 3: What’s your process?

January 30th, 2020

In my 25-year journey, I have led security and privacy programs for corporations and provided professional advisory services for organizations of all types. Often, I encounter teams frantically running around in their own silos, trying to connect the dots and yet unsure if those are the right dots. Connecting the dots becomes exponentially difficult in an environment where everyone is trying to achieve a different goal.

Here are a few tips to create teams unified around a common mission:

1. Define the mission and implement it like any other business plan

First, you must know what you are trying to achieve. Are you protecting trade secrets? Limiting reputation damage? Reducing the chance of unauthorized access to sensitive data? Complying with all local, regional, and national data protection laws? Trying to keep employees safe? Keep patients, passengers, customers, and business partners safe? Is the answer “All the above?” Define an order of risk magnitude.

Focus on what success looks like, identify quick wins, and get the opinions of executive leadership. What do they view as success? Don’t settle for unrealistic answers such as “We want 100 percent security.” Explain what is realistic and offer your approach as a business plan.

2. Define success—be able to articulate what it is and how it can be measured

When you start any endeavor, how do you determine when it is finished? While information security has a lifecycle that never ends, certain foundations must be established to foster a culture of security and privacy. Success could look like reducing risk to trade secrets, reducing the impact of third-party risk, or protecting an organization’s reputation.

However success is defined for your mission, it needs to be measurable. If you can’t summarize success during an elevator pitch, a monthly CEO report, or a board presentation, you haven’t defined it appropriately.

3. Leverage a methodology and make it part of the game plan

Think of the methodology as a game plan. There aren’t enough people, not enough time, and a finite amount of money. Attempting to do everything all at once is a fool’s errand. The moment you know what you’re trying to achieve, it allows you to create a plan of attack. The plan should follow a proven set of steps that move in the right direction.

A popular methodology right now is the Zero Trust model, which has been waiting in the wings for its big debut for over a decade. Zero Trust has made it to the spotlight largely because the conventional perimeter has been deemed a myth. So, what is your approach to achieving security, compliance, and privacy once you have chosen a methodology?


4. Market the plan

One of the main hurdles I constantly witness is that the larger the organization, the more isolated the business units, especially in IT. In many cases, cybersecurity leadership does not communicate regularly with the various factions of IT: application development, user support, database teams, infrastructure, and cloud teams, to name a few. And almost always outside its purview sit HR, Legal, Finance, Procurement, Corporate Communications, and Physical Security.

In a previous role, I found success by borrowing employees from some of these other departments. Not only to help build political capital for the cybersecurity team, but to land the security awareness message with the populace and connect with the aforementioned units within IT and business leadership. To do the same, start by building a plan and define your message. Repeat the message often enough so it’s recognized, and people are energized to help drive the mission forward.

5. Teamwork in the form of governance

Once “inter-IT” and business relationships are established, governance can commence—that ultimately means creating process and policy. Involve as many stakeholders as possible and document everything you can. Make everyone aware of their role in the mission and hold them accountable.

Take for example a mobile device policy. Whose input should be solicited? At a minimum, you should involve HR, Legal, Finance, the CIO, and the user community. What do they want and need? When everyone agrees and all requirements are negotiated, it’s amazing how quickly a policy is ratified and becomes official.

Cybersecurity, privacy, compliance, and risk management should be managed like any other business; and any business values process. Without process, product doesn’t get manufactured or shipped, patients don’t heal, and the supply chain grinds to a halt. Without process, there can be no consensus on how to protect the organization.

Stay tuned

Stay tuned for the next installment of my series, Changing the Monolith: People, Process, and Technology. In the meantime, check out the first two posts in the series, on people.

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 3: What’s your process? appeared first on Microsoft Security.

Cyber-risk assessments—the solution for companies in the Fourth Industrial Revolution

January 29th, 2020

Technology continues to play a critical role in shaping the global risks landscape for individuals, governments, and businesses. According to the World Economic Forum’s Global Risks Report 2020, cyberattacks are ranked as the second risk of greatest concern for business globally over the next 10 years. Cyberattacks on critical infrastructure—rated the fifth top risk in 2020 by the expert network—have become the new normal across sectors such as energy, healthcare, and transportation. This confirms a pattern recorded in previous years, with cyber risks consolidating their position alongside environmental risks in the high-impact, high-likelihood quadrant of the report’s Global Risks Landscape.

The cyberattack surface (the totality of all information system and internet exposure) is growing at a rapid pace. In parallel, inherently borderless cybercrime is affecting victims around the globe, while the authority of law enforcement is often constrained by jurisdiction and by the slow legal processes for requesting information beyond national borders. Moreover, cybercrime-as-a-service is a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and accessible to anyone.

In this context, a cyber-risk assessment is crucial to any organization’s risk management strategy. A cyber-risk assessment provides an informed overview of an organization’s cybersecurity posture and provides data for cybersecurity-related decisions. A well-managed assessment process prevents costly wastes of time, effort, and resources and enables informed decision-making.

Many jurisdictional instruments, including the European Union General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 in the United Kingdom, require risk assessments to be conducted. Any organization with a digital footprint should have an understanding of their cyber preparedness to ensure that the leadership does not underestimate or overlook risks that could cause significant damage.


Yet today, cybersecurity awareness is largely insufficient, and there is no standard approach among investors and corporate leadership for evaluating the cybersecurity preparedness of their own companies or of the companies in their portfolios. A cybersecurity-focused culture, based on cyber expertise and awareness, is vital to prioritizing cybersecurity in the investment process.

Including cybersecurity risk assessment in the investment and decision-making process is a rather new approach. The World Economic Forum along with leaders and cybersecurity experts in the investment industry have developed a due care standard to guide investor responsibility in terms of cybersecurity. Tailored to investors’ needs and principle-based, it aims to influence behavioral change rather than merely prescribe specific action to be taken.

According to a World Economic Forum report, adequate cybersecurity expertise is foundational and vital to exercising the cyber due care principles. Investors should ensure requisite cybersecurity expertise is available to them and their investment portfolio companies either internally or through external experts. An investor’s attention to cybersecurity should extend well beyond regulatory compliance and legal obligations and include regular briefings on evolving cyber risks.

Expertise should evolve to guarantee optimal efforts to stay abreast of cybersecurity developments. Overall, investors are urged to foster a cybersecurity awareness culture as most businesses, investment targets, and their key assets are either becoming digital or are already in the digital domain.

Principles to follow

Incorporate a cyber-risk tolerance—The investor incorporates cyber-risk tolerance into their portfolio risk methodology similar to other types of risks monitored, such as financial and management risks. This cyber-risk tolerance threshold indicates the investor’s risk appetite and serves as a reference when making investment decisions.

Conduct cyber due diligence—The investor conducts a business-relevant cybersecurity assessment of the target company in terms of people, processes and technology, as part of the due diligence evaluation and weighs the potential cyber risks against the valuation and strategic benefits of investment.

Determine appropriate incentive structure—In the early stage of investment negotiations, the investor clearly defines ongoing cybersecurity expectations, benchmarks, and incentives for portfolio companies within investment mandates and term sheets.

Secure integration and development—The investor develops and follows systematic action plans to securely integrate the investment target according to the nature of the investment. These action plans span the secure integration of people, processes, and technology, as well as define the support that the investor will offer to develop the target’s cybersecurity capabilities. The extent of integration may vary according to the type of investor (financial vs. strategic) and the motivation for the investment.

Regularly review and encourage collaboration—The investor reviews the cybersecurity capabilities of its portfolio companies on a regular basis. These reviews assess adherence to the cybersecurity requirements set out by the investor and serve as a basis for sharing cybersecurity challenges, best practices, and lessons learned across the investor’s portfolio.

Investing in innovation is one way to reduce the likelihood of unexpected disruption, identify “blue oceans” (markets associated with high potential profits), and contribute to achieving desired returns. Whereas entrepreneurs drive innovation and experimentation, investors play an important role in helping them to grow, optimize, and mature their businesses. Helping entrepreneurs to prioritize cybersecurity is one significant way in which investors can increase the likelihood of long-term success and a product’s resilience in the market, thereby strengthening the brand name and consumer trust.

When investing in a technology company, investors need to consider the degree of cyber-risk exposure to understand how to manage and mitigate it. Investors play a critical role in leading their investment portfolio companies towards better security consideration and implementation.

Cyber expertise comprises not only technical know-how but also cybersecurity awareness in governance and investment. The principles and the cybersecurity due diligence assessment framework are designed for investors who want to include cybersecurity among the criteria for their investment consideration and decision. One of the main barriers to prioritizing cybersecurity is the lack of cyber expertise in the market. Yet every investor who understands the importance of cybersecurity in our technological age can ask the right questions to assess and understand a target’s cybersecurity preparedness, thus play a significant role in securing our shared digital future.

The post Cyber-risk assessments—the solution for companies in the Fourth Industrial Revolution appeared first on Microsoft Security.

Guarding against supply chain attacks—Part 1: The big picture

October 16th, 2019

Every day, somewhere in the world, governments, businesses, educational organizations, and individuals are hacked. Precious data is stolen or held for ransom, and the wheels of “business-as-usual” grind to a halt. These criminal acts are expected to cost more than $2 trillion in 2019, a four-fold increase in just four years. The seeds that bloom into these business disasters are often planted in both hardware and software systems created in various steps of your supply chain, propagated by bad actors and out-of-date business practices.

These compromises in the safety and integrity of your supply chain can threaten the success of your business, no matter the size of your operation. But typically, the longer your supply chain, the higher the risk for attack, because of all the supply sources in play.

In this blog series, “Guarding against supply chain attacks,” we examine various components of the supply chain, the vulnerabilities they present, and how to protect yourself from them.

Defining the problem

Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008. And this problem is not going away. From 2017 to 2018, according to Symantec, supply chain attacks rose 78 percent. Mitigating this type of third-party risk has become a major board issue as executives now understand that partner and supplier relationships pose fundamental challenges to businesses of all sizes and verticals.

Moreover, for compliance reasons, third-party risk also continues to be a focus. In New York State, Nebraska, and elsewhere in the U.S., third-party risk has emerged as a significant compliance issue.

Throughout the supply chain, hackers look for weaknesses that they can exploit. Hardware, software, people, processes, vendors—all of it is fair game. At its core, attackers are looking to break trust mechanisms, including the trust that businesses naturally have for their suppliers. Hackers hide their bad intentions behind the shield of trust a supplier has built with their customers over time and look for the weakest, most vulnerable place to gain entry, so they can do their worst.

According to NIST, cyber supply chain risks include:

  • Insertion of counterfeits.
  • Unauthorized production of components.
  • Tampering with production parts and processes.
  • Theft of components.
  • Insertion of malicious hardware and software.
  • Poor manufacturing and development practices that compromise quality.

Cyber Supply Chain Risk Management (C-SCRM) identifies what the risks are and where they come from, assesses past damage and ongoing and future risk, and mitigates these risks across the entire lifetime of every system.

This process examines:

  • Product design and development.
  • How parts of the supply chain are distributed and deployed.
  • Where and how they are acquired.
  • How they are maintained.
  • How, at end-of-life, they are destroyed.

The NIST approach to C-SCRM considers how foundational practices and risk are managed across the whole organization.

Examples of past supply chain attacks

The following are examples of sources of recent supply chain attacks:

Hardware component attacks—When you think about it, OEMs are among the most logical places in a supply chain at which an adversary will try to insert vulnerabilities. These vulnerabilities can be inserted into the end product via physical access while a component is being transported or delivered, during pre-production access in a factory or manufacturing facility, via a technical insertion point, or by other means.

Software component attacks—In 2016, Chinese hackers purportedly compromised TeamViewer software, a potential virtual invitation to view and access information on the computers of the millions of people all over the world who use this program.

People perpetrated attacks—People are a common connector between the various steps and entities in any supply chain and are subject to the influence of corrupting forces. Nation-states or other “cause-related” organizations prey on people susceptible to bribery and blackmail. In 2016, the Indian tech giant, Wipro, had three employees arrested in a suspected security breach of customer records for the U.K. company TalkTalk.

Business processes—Business practices (including services), both upstream and downstream, are also vulnerable sources of infiltration. For example, one company experienced an exposed database when one of its customers did not adequately protect a web server storing resumes, which contain email and physical addresses along with other personal information, including immigration records. This and other issues can be avoided if typical business practices such as risk profiling and assessment services are in place and are regularly reviewed to make sure they comply with changing security and privacy requirements. This includes policies for “bring your own” IoT devices, which are another fast-growing vulnerability.

Big picture practical advice

Here’s some practical advice to take into consideration:

Watch out for copycat attacks—If a data heist worked with one corporate victim, it’s likely to work with another. This means once a new weapon is introduced into the supply chain, it is likely to be re-used—in some cases, for years.

To prove the point, here are a few of the many examples of attack code and tooling that have been reused for years after they first appeared:

  • The Conficker worm, which exploits the vulnerability patched in MS08-067, is over a decade old and is still found on millions of PCs every month.
  • The group known as the Shadow Brokers leaked EternalBlue, an exploit attributed to the U.S. National Security Agency, in April 2017. Within weeks it was used to spread WannaCry, which has been attributed to North Korea and reached 150 countries, infecting over 200,000 computers.
  • Turla, a purportedly Russian group, has been active since 2008, infecting computers in the U.S. and Europe with spyware that establishes a hidden foothold in a network and then searches for and steals data.

Crafting a successful cyberattack from scratch is not a simple undertaking. It requires technical know-how, resources to create or acquire new working exploits, and the technique to then deliver the exploit, to ensure that it operates as intended, and then to successfully remove information or data from a target.

It’s much easier to take a successful exploit and simply recycle it: the attacker saves development and testing costs and can go after known soft targets while avoiding the defenses already known to detect it. We advise you to stay in the know about past attacks, as any one of them may come your way. Just ask yourself: Would your company survive a similar attack? If the answer is no, or even maybe, then fix your vulnerabilities or at the very least make sure you have mitigations in place.

Know your supply chain—Like many information and operational technology businesses, you probably depend on a global system of suppliers. But do you know where the various technology components of your business come from? Who makes the hardware you use—and where do the parts to make that hardware come from? Your software? Have you examined how your business practices and those of your suppliers keep you safe from bad actors with a financial interest in undermining the most basic components of your business? Take some time to look at these questions and see how you’d score yourself and your suppliers.

Looking ahead

Hopefully, the above information will encourage (if not convince) you to take a big picture look at who and what your supply chain consists of and make sure that you have defenses in place that will protect you from all the known attacks that play out in cyberspace each day.

In the remainder of the “Guarding against supply chain attacks” series, we’ll drill down into supply chain components to help make you aware of potential vulnerabilities and supply advice to help you protect your company from attack.

Stay tuned for these upcoming posts:

  • Part 2—Explores the risks of hardware attacks.
  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Guarding against supply chain attacks—Part 1: The big picture appeared first on Microsoft Security.

Finding the signal of community in all the noise at Black Hat

August 16th, 2018

I don’t know about you, but I find large conferences overwhelming. Don’t get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noise. Did I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas, a casino with a long and colorful history, slated to close a few months after the conference ended. 1997: that was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners’ day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendance, compared to thousands today, and through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender community (white hat hackers, industry, and government) working together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security community, one of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as we’ve gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values aren’t so different. Sometimes the only way to make something stronger is to break it. We know we can’t on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

Image of the Top 100 sign at the Black Hat Conference.


We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. It's going to take all of us working together to protect the safety and security of our customers' devices and data.

Image of the Black Hat Conference in Las Vegas.


But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It's a foundation, on which we are building, to take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But I'm even more inspired about the possibilities that I see as we continue to build on these collaborative models. We've seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

Building on experience: a framework for cybersecurity policy

August 9th, 2018

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I'm excited today to announce the release of Microsoft's new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not, and need not, be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the last analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every single outstanding country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important umbrella document, providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies, so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework: while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made and these foundational principles underscore much of today's cybersecurity discourse. However, we have, and will always have, more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I'm glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.


Artificial intelligence and cybersecurity: The future is here

November 14th, 2016

Although we’re a very long way from putting artificial intelligence (AI) in charge of national defense, the use of AI in cybersecurity isn’t science fiction. The ability of machines to rapidly analyze and respond to the unprecedented quantities of data is becoming indispensable as cyberattacks’ frequency, scale and sophistication all continue to increase.

The research being done today shows that automated cybersecurity systems can do many things with only limited human oversight. Through neural networks, heuristics, data science, and similar techniques, systems are being designed to identify cyberattacks, to spot and remove malware, and to find ways to fix bugs faster than any human could. In some respects, this work is simply an extension of the principles that people have got used to in their mail filters or firewalls. That being said, there is something qualitatively different about the AI's "end game", i.e. having cybersecurity decisions taken by technology without human intermediation.

This novelty brings with it entirely new challenges. For example, what would legal frameworks around such cybersecurity look like? How would we regulate their creation and their use? What would we in fact regulate? There has already been some insightful writing and research done on this (see Potential AI Regulatory Problems and Regulating AI systems for example), but for policy-makers the fundamental challenge of defining what an AI is and what it is not remains. Without such fundamentals, even outcome-oriented approaches could fall short, as there is no certainty about when they must be used.

"If our brains were simple enough for us to understand them, we'd be so simple that we couldn't." (Ian Stewart, The Collapse of Chaos: Discovering Simplicity in a Complex World)

In fact, AI technologies will be complex. Many government policymakers may struggle to understand them and how to best oversee their integration and evolution in government, society and key economic sectors. This is further complicated by the chance that the creation of AI might be a globally distributed effort, operating across jurisdictions with potentially distinct approaches to regulation. Smart cars, digital assistants, and algorithmic trading on financial markets are already pushing us towards AI. How could we improve the understanding of the technology, transparency about its decision making, integrity of its development and ethics, and the actual control of the technology in practical terms?

But it is also critical to understand the role AI can and will play in cybersecurity and resilience. The technology is initially likely to be “white hat” enabling critical infrastructures to protect themselves and the essential services they provide to the economy, society and public safety in new and novel ways. AI may enable systems to anticipate and rapidly mitigate security incidents or advanced persistent threats. But, as we have seen in cybersecurity, we will likely see criminal organizations or nation states seek to exploit AI to evade cybersecurity defenses or even attack. This means that reaching consensus on cybersecurity norms becomes more important and urgent. The work on cybersecurity norms will need more public and private sector cooperation globally.

In conclusion, it is worth noting that despite the challenges posed by AI in cybersecurity, there are also interesting and positive implications for the balance between cybersecurity and cyber-resilience. If cybersecurity teams can rely on smart systems to play defense, their focus can turn to preparing to handle a successful attack’s consequences. The ability to reinvent processes, to adapt to “black swan” events and to respond to developments that violate the fundamental assumptions on which an AI is built, should remain distinctly human for some time to come.



Cybersecurity and cyber-resilience – Equally important but different

November 3rd, 2016

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology's expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology's pervasiveness in our lives the possible consequences of attacks, such as the one that occurred last month, are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces), but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there will soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure due to cyberattacks. If this is the case, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack's consequences? In other words, shouldn't cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we can sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they would be able to continue to operate at some level in the face of "black-swan" violations of those systems' fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality is, however, that cyberattacks are not zero-sum games where a breach means unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires there to be a focus on culture, as much as there is on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long-term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct, but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies or sufficient to withstand the chronic stresses and acute shocks.



FedRAMP High: Trust is cloud security validated

The latest Government Office of Accountability report dealing with the security of high impact information technology (IT) systems continues to point out opportunities for improvement in cybersecurity across the US Federal Government. While improvements have been made, the persistence of the challenge is disquieting. Particularly troubling is that many of the concerns result from long-standing and well known inefficiencies in the government's current IT environment, such as low asset utilization, fragmentation, legacy systems, and the challenging procurement processes. Cloud computing can help address many of those, and at the same time improve government service delivery – at a lower cost – ultimately providing agencies with the ability to deliver secure, reliable, and innovative services quickly despite resource constraints.

When the Obama Administration issued its Cloud First Policy five years ago, with a clear aim of encouraging the Federal Government to harness the benefits of cloud computing, one question remained for many agencies: Given the level of security required, would my data be secure? The Cloud First policy accelerated the rate at which government could realize the value of cloud computing by – among other things – requiring government agencies to evaluate the security of cloud computing options before making new investments. This single action not only required government agencies to familiarize themselves with cloud computing during each new acquisition, but also incentivized vendors to drive further investments in security.

To streamline this process, the Federal Risk and Authorization Management Program, or FedRAMP, was developed. It represents a government-wide, standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP was designed with the objective of saving between 30 and 40 percent of government IT costs, in addition to reducing the amount of agency time and staff needed to conduct redundant security assessments. However, up until last month, Federal agencies could only migrate low and moderate impact workloads to the cloud – not mission critical, high impact systems – as no vendors had been certified to provide those services.

These high impact data systems tend to sit in agencies that deal with security and where information, if disclosed, modified or denied access, could have severe and even catastrophic effects on organizational operations and assets. While high impact systems only constitute 20 percent of all federal systems, they represent nearly 50 percent of government spending dollars – much of it given the additional security concerns noted above. The finalization of the FedRAMP High Security Baseline, a draft set of security controls at the High/High/High categorization level for confidentiality, integrity, and availability, at the end of June is therefore even more significant. It not only signals an important milestone in cloud security, but it is also estimated that it will drive significant cost savings from the U.S. government's annual $80 billion IT budget.

Microsoft was selected as one of the vendors that took part in the FedRAMP High Pilot earlier this year. The pilot sought to deepen the understanding of the objectives and the process for both the government and Cloud Service Providers, increase the level of rigor, shorten timeframes, as well as broaden the scope of control applicability. The success of the pilot contributed significantly to the development and refinement of the FedRAMP High Security Baseline and we are happy to report that we successfully received a High Impact Provisional Authority to Operate (P-ATO) approval for the Azure Government environment.

In addition to our work on FedRAMP with the US government, we are engaged with governments and customers around the world to ensure that they can adopt cloud computing securely and effectively. As a result of our global engagements and reflecting different cultural and organizational experiences, Microsoft developed the Transforming Government: A cloud assurance program guide. It was designed to help governments as they develop and implement cloud assurance programs – reflecting best practices, but also lessons learnt from initiatives such as FedRAMP. We understand that the primary goal of any government cloud assurance program needs to be managing information security risks, while at the same time enabling that government to take advantage of the many benefits and opportunities of cloud services. Achieving that goal requires risk-based decision making at every step of a government's process of developing and implementing a cloud assurance program. While developing such a process represents a substantial foundational investment, experience shows that it pays significant dividends over time, as it enables governments to leverage secure cloud solutions to deliver and extend citizen services.

Angela McKay
Director of Cybersecurity Policy


Microsoft’s Perspective on the Benefits, Challenges, and Potential Roles for Government in Fostering the Advancement of the Internet of Things (IoT)

June 15th, 2016

Microsoft recently filed comments with the U.S. Department of Commerce and the National Telecommunications and Information Administration (NTIA) on the benefits, challenges, and potential roles for the government in fostering the advancement of IoT, which can be read here. In addition to commending NTIA for undertaking this timely public consultation and for providing comments received for public review, I wanted to summarize Microsoft’s policy perspectives and recommendations.

Microsoft’s comments encourage policymakers to more broadly support efforts that will advance consumer and enterprise trust in IoT technology and help IoT realize its full potential. The government should encourage initiatives that recognize and emphasize the following:

  • Best practices for IoT cybersecurity that are appropriately scoped to the roles of different actors in the IoT ecosystem.
  • Modernization of traditional privacy frameworks, such as the “notice and consent” framework to increase the focus on transparency, context, and consumer expectations for scenarios where notice and consent are impractical.
  • Support for industry-led efforts to develop open, voluntary, consensus-based, and globally-relevant standards that promote innovation and preserve interoperability, to ensure new IoT systems and legacy technology systems can work together.
  • International engagement that takes into account other countries’ IoT strategies and initiatives as well as international trade commitments.

To put these policy priorities into action, Microsoft offers three recommendations for the government:

  • Create an IoT interagency task force. This task force can coordinate with existing organizational bodies to foster balanced perspectives between security, economic benefits, and potential risks. Participants from across government agencies would set milestones for completion, particularly focusing on: 1) directing the update of federal strategic documents to consider the security aspects of the explosive growth of, and reliance on, IoT; 2) directing the update of existing awareness and training programs; 3) encouraging and incentivizing academia to develop curricula focused on IoT and security challenges; and 4) encouraging engagement in appropriate international forums for standards and policy development.
  • Convene and facilitate a government and industry standing body. Through a public-private standing body, key stakeholders can coordinate, collaborate and leverage the various industry IoT consortia to develop, update, and maintain IoT deployment guidelines to manage cybersecurity implications and risks. This body would adopt an international perspective that takes into account the significant work on IoT-related standards outside of traditional channels in standards development organizations.
  • Review current research and development (R&D) investments and recommend future R&D funding for fundamental IoT security and cyber-physical security research. The Office of Science and Technology Policy should review R&D funding and investments, specifically for fundamental IoT and cyber-physical security research and help ensure the R&D projects are addressing evolving cybersecurity challenges.

Governments have an important role in ensuring that IoT innovations continue. Microsoft looks forward to continuing to work with NTIA to address the benefits and challenges of IoT in the future. For more details on Microsoft’s approach to IoT security, please download our recent white paper,  Securing Your Internet of Things from the Ground Up, and visit if you would like to learn more about Microsoft’s role in the IoT ecosystem.


Survival of the most (cyber) resilient

June 6th, 2016

By 2045, more than 70% of the world’s population will live in urban areas, giving cities a level of power and importance unrivaled in all of human history. But its leaders must also face new challenges that once were just the domain of the nation state, including unemployment and gentrification, climate change, terrorism, and the impact of rapid digitization.

Because cities wish to thrive, rather than merely survive, many are turning to technology for help. "Smart cities", which make use of the Internet of Things, big data and cloud computing, are an increasing reality. This can pave the way for more prosperous, sustainable and competitive urban communities, but it also brings its challenges. The more data available to help cities, the higher their potential exposure. The digital systems which underpin a city's inner workings and service provision can be vulnerable. And the digitization of systems such as energy and transport networks increases potential risks to the most critical infrastructure.

In order to make the most out of the transformative potential of technology without compromising security, cities are becoming increasingly innovative in how they manage such risks. A new discipline, known as "cyber resilience", is emerging, with organizations shifting from a prevention-first mentality to focus instead on capabilities for readiness, response and reinvention.

Rotterdam, the Netherlands’ second-largest city, is a case in point for what successful reinvention looks like. “Rotterdammers”, as the city’s 630,000 residents are known, have faced more than a few challenges in their time: from the near-constant threat of flooding (now kept at bay by a complex system of dykes and levees), to the total destruction of the city center during World War II. But resilience is in Rotterdam’s blood – the municipal motto is “stronger through struggle” after all – and it has grown into a thriving economic and industrial hub.

In 2013, the city’s determination to prepare for the future, led it to be chosen as one of the Rockefeller Foundation’s inaugural 100 Resilient Cities. This initiative aims to help cities across the globe “become more resilient to the physical, social and economic challenges that are a growing part of the 21st century.” In practice, this means giving cities the tools, resources and networks they need to adequately prepare for, and reduce the impact of, one-off shocks such as natural disasters, or daily stresses which make the city a less pleasant place to live.

The ability to bounce back from failure is as critical in cyberspace as in any other domain – if not more. That is why Rotterdam earlier this month launched a resilience strategy which includes a specific focus on cyber – making it the first European city to ever do so.

As a key economic engine of the Netherlands and Europe, Rotterdam is a large industrial complex in a relatively small area, with large scale infrastructure and thousands of companies which are all increasingly more dependent on properly functioning ICT to sustain jobs and maintain growth.

As a formal partner of 100 Resilient Cities for 18 months, Microsoft has worked closely with Rotterdam on the creation of this strategy, whose goal is to create a thriving, prosperous and cyber-resilient port city where the opportunities of digitization can be leveraged with minimal risk, and where businesses can innovate and grow for generations to come.

The world will continue to urbanize and digitize at a dramatic pace. Cities that adapt and innovate in the face of these constant changes will reap significant benefits for their citizens, economies, and security. But such success will not be easy. It requires commitment from both the public and private sector to develop and implement long-term cyber resilience strategies. These plans must be living documents with broad support from residents. The Rotterdam strategy helps to show that the difference between surviving and thriving in the face of 21st century challenges is cyber resilience.


Cyber Resilience: rethinking risk management

May 9th, 2016

The rapid pace of technological evolution and dramatic increases in connectivity are sparking discussion about what systemic cyber risk might look like and how best to manage it. In late April, Microsoft partnered with the World Economic Forum Council on Risk and Resilience on a workshop addressing the topics of systemic cyber risk and possible approaches to avert the dangers it poses. The interactive workshop focused on the financial services, transportation and healthcare sectors – given their importance to national economies, national security, the well-being of citizens and the potential impact of any systemic disruption. The event was the first step in developing a World Economic Forum report on the topic and examined the challenges of building resilience in today's rapidly evolving technology and threat environments.

Diagnosing the problem

In order to continue to improve resilience to systemic cybersecurity risks, we have to develop a more thorough understanding of what systemic risk really means and the role it has in some of the most important sectors of the economy. I was fortunate to moderate our initial panel discussion, which was dedicated entirely to exploring the definitions of systemic risk and possible approaches to increasing resilience of the online ecosystems in light of those. Panelists examined key vulnerabilities, identified single points of failure, and sought to understand the potential systemic consequences inherent in today's risk environment. Perhaps Phil Reitinger captured it best, that this might be one of the "you know it when you see it" categories. Ultimately, although systemic risk is inherently difficult to describe, there was widespread agreement that without a stronger definition, the term loses all meaning and importance. While a simple way to think about systemic risk is as a cyber risk that rises above the enterprise level, we have to go deeper.

One way to do this is through refining those key characteristics we can agree help define systemic risk, including critical functions, interconnectedness, and contagion. We first must align on what is meant by systemic risk and the threat at hand if we are to work cooperatively on what investments will be needed by enterprises and infrastructures to ensure greater cyber resilience.

Building better cyber resilience

As we improve our understanding of systemic cyber risk, the next challenge is taking this knowledge to build better cyber resilience. While this is a complex and long-term challenge, the first step is understanding that there will be no simple technological fix. Solving this issue will require proactive efforts and the adaptability to quickly learn from mistakes. Moreover, harmonization of approaches – across geographies and infrastructures – will be critical in increasing resilience. Those were the issues raised in the second panel moderated by my colleague, Angela McKay.

Here participants discussed two steps: incentivizing collaboration between those facing or defending against cyberattacks and improving metrics for cyber resilience. To make meaningful progress, partnerships between private and public sectors, including at state and local levels, are essential. While those perpetrating cyberattacks frequently collaborate actively and have strong, shared incentives, that is not always the case with the defenders. The panel explored measures that could help entities of all types and sizes refine their enterprise risk management strategies and identify targeted areas for key investment. It was acknowledged that metrics that can succinctly and effectively evaluate organizations' resiliency to systemic cyber risk will go a long way in helping industry leaders and policymakers develop more rigorous cybersecurity defenses. The conversation ended with a debate on incentives, in particular around how cultural and organizational change – rather than just technological change – can be driven, and highlighted challenges related to human resources, cyber-insurance, and ratings.

The future of cyber resilience

We are just at the beginning of defining what should constitute effective resilience strategies. As we explored during the workshop, we have a tremendous opportunity and responsibility to work together on this topic. This is an issue that can’t be fixed by just one company or government, but instead will require focused effort from all parties affected. The workshop was a tremendous opportunity to start this work, as it will take critical investment by enterprises and governments to begin to increase our collective cyber resilience. Microsoft was pleased to work with the World Economic Forum Council to bring key experts together, hear their perspectives, and help champion these efforts moving forward.

Categories: cybersecurity, Cybersecurity Policy Tags:

Global cybersecurity policy: Finding a balance between security and competitiveness

May 2nd, 2016

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations and the global cybersecurity market is forecast to be worth US$170 billion by 2020, growing in step with significant advancements in cloud computing, the Internet of Things (IoT), and other technologies that are changing the way we communicate and work. The IoT security market itself is expected to grow from US$6.89 billion in 2015 to US$29 billion in 2020. Other high growth areas include security analytics, mobile security and cloud security.

The same concerns are also driving government decision makers to develop responses that seek to ensure that key assets, systems and networks remain protected in this new environment. Today more than half of the nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security. These efforts are beginning to solidify into security requirements for a range of businesses, from information technology (IT) providers and critical infrastructures to users of cloud services.

United States: Securing the government

In the United States the focus on cybersecurity has never been greater, in particular if we single out the work done at the federal government level after the breach at the Office of Personnel Management (OPM). In early 2016, President Obama announced the Cybersecurity Action Plan, which aims to raise the levels of cybersecurity across the nation, but in particular for its high-risk assets. With it, the President is driving a new policy and operational focus, for example by appointing a Federal Chief Information Security Officer, and by requesting an additional US$3.1 billion from Congress for the “Information Technology Modernization Fund”.

In parallel, the White House continues to drive policy efforts that seek to enhance the levels of cybersecurity across the country. One of the focus areas continues to be increasing the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, both domestically and internationally. Another is the implementation of the Cybersecurity Act of 2015, which was signed into law in late December. The Act provides a paradigm for one of the essential elements of cybersecurity: the sharing of information on cybersecurity threats and defensive measures among private sector entities and between the private sector and the government.

Japan: Preparation for taking the world stage

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A key wakeup call was the May Japan Pension Service hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, Japan is readying itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics; these global events will allow the country to demonstrate its technology prowess and its commitment to cybersecurity. In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. Furthermore, the government is preparing to revise its Cybersecurity Law, as well as to implement concrete action to protect its critical infrastructures, for example by examining structured information sharing.

China: Focusing on the rule of law

China has over the past two years proposed and passed a number of laws that touch on cybersecurity, including the National Security Law, the Anti-Terrorism Law, and the Amendment to its Criminal Code, which exposes network service providers that fail to comply with certain cybersecurity obligations to criminal liability. The speed with which the laws are being adopted signals the importance the government places on this area.

The speed has also led to concerns expressed by numerous multinational companies, as well as governments, who have been urging the Chinese government to reconsider some of the positions it has been taking. The draft Cybersecurity Law, which amongst other things includes provisions requiring companies to store data locally and to provide encryption keys, and which incorporates an overarching structure for cybersecurity management in the country, was one such example. The latest step in the government push came last month, with the founding of China’s first national non-profit organization for cybersecurity, the Cybersecurity Association of China. It has 275 founding members, including major domestic Internet firms, cybersecurity companies, and scientific research institutions.

Europe: Protecting critical infrastructures

After three years of intense negotiations, the European Union (EU) reached an agreement on the Network and Information Security (NIS) Directive this past December. While some of the details remain to be hammered out, the Directive focuses government efforts on creating cybersecurity capabilities and policies, through the obligation that each of the countries affected create Computer Security Incident Response Teams and national cybersecurity strategies. By following a risk-based approach it further concentrates government resources on protecting critical infrastructures. How widely or narrowly the 28 EU Member States will interpret that definition will be revealed over the next two years.

The obligations that are being introduced are nevertheless important for a wide range of enterprises that fall under that definition, including a broad number of digital service providers. While the Directive retains that definition, it also recognizes the transnational nature of the online environment, as well as the need for greater harmonization of security requirements overall. An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (e.g. the transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

In the coming months, my team will use this blog to examine these and other policies around the world more closely. It is already clear that 2016 could be the year that shifts cybersecurity from a topic of conceptual debate to a more concrete set of practices, obligations and requirements, in particular for enterprises in the critical infrastructure sectors or those providing services to governments. Whether the different countries will be able to ensure that these policies are successful in increasing security for the broader ecosystem hinges on whether the requirements put in place will be complementary, able to align with existing laws, and able to adapt to new technologies, such as IoT. Watch this space.


A call to raise awareness and adoption of vulnerability disclosure and handling best practices

April 25th, 2016

Over the past few years, technology companies have increasingly moved toward partnering with security researchers to better protect their products, services, and customers. Recognizing that vulnerability research is a valuable part of securing the online environment, they have matured programs to work together with researchers in receiving, triaging, and responding to reports.

Microsoft’s focus on coordinating with researchers has developed over time. As we launched our first BlueHat Briefing in 2005, there was a significant level of distrust on both sides, and we listened to the security community as we evolved our approach. In 2011, we announced a new Coordinated Vulnerability Disclosure (CVD) policy and set of practices, aiming to be transparent and encouraging vulnerability finders to work with us. Since then, we have expanded our BlueHat prizes and bug bounty programs, further incentivizing researchers to work with us as we continue to strengthen our platforms.

Many companies are increasingly becoming software companies. In cars, elevators, wearable devices, and many other products and services, the practice of incorporating software components is growing exponentially. All of these devices and programs can suffer from vulnerabilities that are exploited by criminals. Unfortunately, for various reasons, including lack of resources, expertise, or understanding of vulnerability research, not all of these companies partner with the security researchers who find and report potential vulnerabilities.

To address this gap and promote greater collaboration, Microsoft is working with the U.S. Department of Commerce National Telecommunications & Information Administration (NTIA) and numerous other stakeholders, including security researchers, technology providers, and civil society. In particular, we are co-chairing an NTIA working group that’s focused on increasing awareness and adoption of vulnerability disclosure and handling best practices. The group aims to highlight the overlapping interests of technology providers and security researchers and to develop resources that can support new partners in coordination and ecosystem security.

To guide our working group toward developing the most responsive and helpful resources, we’re seeking information about how vulnerability disclosure and handling is currently being approached. While we already have an appreciation of where concerns and obstacles might lie, we want to ensure that we are addressing the real needs and gaps that are being experienced in the ecosystem. To this end, we have developed short surveys, targeting both security researchers and technology providers and operators, and we encourage you to share and respond to them. Responses will be anonymized, and the surveys will close in mid-May.

The security researcher survey is available here:

The technology provider and operator survey is available here:

Ultimately, all stakeholders within and impacted by the vulnerability information sharing ecosystem—including security researchers, technology providers, technology operators, non-profit coordinators, bug bounty providers, governments, and users—have responsibilities to keep users safe. With your participation in this NTIA working group survey and broader engagement on this issue, we can learn more about how the ecosystem is maturing and what more we can do to support its advancement.


Working to increase the cyber resilience of cities around the globe

February 11th, 2016

A year ago, Microsoft and the Rockefeller Foundation announced that we would be partnering on their 100 Resilient Cities challenge, in an effort to help cities address emerging cyber resilience needs. Our particular objective in joining the effort has been to help cities improve their digital resilience, and ensure that they are better able to withstand and recover from the shocks and stresses that are a growing part of life in the 21st century.

Not a day goes by that we do not read about an organization being targeted by a cyberattack. Any organization or individual, of any size or global standing, is susceptible to a cyberattack. While businesses, governments and individuals are rushing to take advantage of rapidly developing technologies to deliver a wide array of social and economic benefits, digitalization itself introduces a new range of risks. As a result, we have seen cybersecurity grow beyond being just the responsibility of an IT department to being acknowledged as a company- or government-wide issue that carries far-reaching consequences. Moreover, a new discipline – cyber resilience – has begun to emerge, as organizations slowly begin to make a shift from prevention to resilience, focusing on continuous assessment, preparation for, and response to cyber incidents. The realization that those who survive are not necessarily the strongest or the smartest, but those that can best adapt to new circumstances, applies equally well in cyberspace.

While there is no internationally accepted definition of “cyber resilience” there is a growing consensus that cyber resilience can be defined as the ability of complex cyber systems to continuously deliver the intended outcome despite chronic stressors and acute shocks. Resilient cyber systems also exhibit common resilience attributes including (1) aware, (2) diverse, (3) integrated, (4) self-regulating, and (5) adaptive. Additionally, cyber resilience can best be understood and to some degree assessed by understanding capacities and capabilities for readiness, response, and reinvention. Given those attributes it is clear that cyber resilience is not something that an organization – or in this case a city – can purchase from a vendor. It is built through leadership, teamwork, risk taking, trust, flexibility, and commitment to advance and continually reinvent the digital city.

Since the inception of our partnership, my team has worked with individual cities to help them go beyond developing “safe to fail” approaches, to understanding the distributed set of capabilities and capacities that they require to be truly resilient – something almost impossible to measure or identify from a strictly quantitative perspective.

Through this ongoing work, there is a great opportunity to work with cities across the globe and change the thinking about cyber resilience to be about more than graceful degradation and instead encompass the ability to withstand diminished capacity/capability and to reinvent in the face of prolonged stressors or acute shocks.


Cybersecurity norms: From concept to implementation

February 8th, 2016

Last year Microsoft put forward six cybersecurity norms with the aim of reducing conflict in cyberspace and protecting global trust in technology. They offer considerations for limiting nation-state activity against commercial, mass-market ICT; responsible handling of ICT vulnerabilities and cyber weapons; appropriate conduct of offensive operations in cyberspace; and support for private sector management of cyber events. However, while we remain the only industry player to offer a proposal in this space, the dialogue on cybersecurity norms has evolved even since then.

Indeed, stakeholders from government, academia and civil society have put forward a number of proposals for cybersecurity norms, seeking to address a spectrum of challenges caused by the exploitation of ICT systems. While the proposals are not uniform, they overlap enough that the discussion has slowly begun to evolve from a conceptual discussion about the rights and responsibilities of nation states towards more clearly articulated norms. The key proposals driving the debate are:

However, even as these proposals begin to take root among governments, many question the feasibility of their implementation. Governments have acknowledged the centrality of international law in cybersecurity norms, but international legal instruments often cannot address the complexity of cyberspace, particularly in non-conflict, short-of-war scenarios. Cyberattack attribution is arguably the most prominent example of this gap, and it has been argued that without it, particularly without determining whether an attack was perpetrated by a government or its proxies, norms implementation will lack accountability and therefore lack credibility as a policy tool.

Attribution is not impossible, but it can be difficult from both technical and international relations perspectives. The latter represents a typical challenge in diplomatic relations, as nation-states might choose not to act on particular intelligence for reasons unrelated to cybersecurity. This lack of action might in the long run undermine the framework itself. From a technical perspective, the private sector has been analyzing attacks and their origins for many years in defending the online environment, irrespective of whether the attacks may have been sponsored or conducted by a state. Indeed, several global ICT companies, including Microsoft, have adopted policies and practices designed to alert users of popular online services when it appears that nation-states have targeted them.

In our view, these policies and practices can lay the groundwork for future collaboration with other norms stakeholders to drive accountability in nation-state behavior and ultimately to protect ICT users from compromise of their data by nation-states. As indicated, we believe implementation is only possible as a two-part process involving both technical assessment of the nature of the attack and political determination about nation-state responsibility. These are topics that we will address here and in a coming paper in the months to come.


The continued importance of cybersecurity capacity building

February 3rd, 2016

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. The Internet has transformed from an information exchange platform to a tool that is central to addressing some of our biggest challenges, from delivery of healthcare and education, to increasing energy efficiency and ensuring organizations are more effective and responsive. However, given the increases in computing power, the advances in cloud computing and big data capabilities, as well as the increasing prevalence of the Internet of Things, it is clear that we are only scratching the surface of what information technology can do.

However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations around the world, and government decision makers are developing responses that seek to ensure that key assets, systems and networks remain protected in this new environment. Today more than half of the nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security.

However, these approaches vary considerably, according to the different needs and stages of development of individual countries. My team has looked at how governments can prioritize their cybersecurity efforts, depending on where they are in the connectivity cycle, in a report a few years back (Hierarchy of Cybersecurity Needs: Developing national priorities in a connected world). Our work on capacity building since has confirmed that its conclusions continue to hold. We have particularly found that governments are increasingly recognizing the recommendation that highlights the importance of risk management and adaptability as the cornerstones of preparedness online.

Microsoft is a strong proponent of capacity building for cybersecurity, and we have endeavoured to develop and share guides, principles and frameworks that we believe will support governments as they seek to tackle this complex environment. The frameworks we developed are based on our own efforts to protect our network and our customers, a practice developed and honed over the past 15 years, as well as on tried and tested practices that we have seen governments put forward. We hope that our efforts help fill the gap in the expertise needed to address the management, technical and operational challenges in cyberspace today.

However, we recognize that this is no simple effort and requires wide participation by industry, governments and non-governmental organizations alike, in particular when it comes to designing the delivery of the capacity building effort in a way that is scalable, sustainable and repeatable. We therefore work closely on initiatives such as the Global Forum on Cyber Expertise and the United States Telecommunications Training Institute (USTTI)’s cybersecurity curriculum, which targets senior government officials in developing markets and enhances their understanding of risk management best practices. Later this month my team will join USTTI in Ghana to give an overview of our efforts in this space to representatives from over 20 countries in Africa, following on similar initiatives in Washington D.C. over the summer. We will also begin work with the International Telecommunications Union and its partners to bridge the expertise gap further by developing a new national cybersecurity strategy framework. The thirst for knowledge we see is immense; it is time to work together to quench it.


What’s Next for EU Cybersecurity after the NIS Agreement?

January 25th, 2016

After three years of intense negotiations, the EU finally reached agreement on the Network and Information Security (NIS) Directive this past December. Politically, all that remains to be done is for the text to be formally approved by the European Parliament and the Council of the EU in the coming months. Then Member States will have 21 months to implement this landmark legislation. At a technical level, however, there’s still work to be done. But more on that later.

Firstly, I would like to commend governments on finalizing what I am sure at times seemed like an arduous and thankless process. The final text of the Directive is much more likely to increase cybersecurity readiness across the EU, given its tighter focus on outcomes and the effectiveness of the obligations introduced. It is also positive to see that all Member States are adopting a national cybersecurity strategy and establishing new national authorities dedicated to cybersecurity, as well as Computer Security Incident Response Teams (CSIRTs). The commitment to greater international and intra-European coordination is equally encouraging.

The risk-based approach laid out in the Directive rightly concentrates government resources on protecting critical infrastructure (“operators of essential services”), making an important distinction between digital service providers overall and those who support aforementioned essential services, by assigning them different sets of obligations. It is particularly important that the transnational nature of the online environment has been recognized and that governments are committed to greater harmonization of security and reporting requirements for digital services.

However, the extent to which EU Member States are able to harmonize the requirements will set the standard for judging the success of the Directive in years to come. The potential for this law to be replicated internationally hinges on the ability of Member States not only to develop new, complementary requirements, but also to align existing ones. Countries such as Germany, France and the Czech Republic have already adopted their own implementation of the NIS Directive ahead of its adoption.

An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (e.g. the transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

Designing a framework to address some of those concerns will be done through a combination of guidelines to be developed by the European Network and Information Security Agency (ENISA) and a set of implementing acts by the European Commission. ENISA’s ability to coordinate with both governments and the private sector will be critical in order for this process to yield effective and workable results in a relatively short timeframe. This is particularly true with regards to developing an incident reporting scheme – the first of its kind for the technology sector – and effective security baselines.

However, this will not be the only area the EU will focus on. In late December, the European Commission launched a new consultation on how to establish a public private partnership (PPP) on cybersecurity, which is part of the EU’s Digital Single Market Strategy. The PPP is expected to become operational this year, which is an ambitious timeline. The consultation also includes issues vital to increasing the level of network and information security across Europe: certification, standardization and labelling.

All of this could make 2016 the year that shifts cybersecurity in Europe from a topic of conceptual debate to the concrete foundation that is so urgently needed. It is time to roll up our sleeves.

Jan Neutze, Director of Cybersecurity Policy, EMEA


Cloud computing in government: security considerations

January 14th, 2016

The last few months have seen a number of government information technology (IT) departments around the world move towards adopting cloud computing as one of the solutions deployed to deliver services to their citizens. Countries as diverse as Slovenia and Saudi Arabia are recognizing that cloud computing can ultimately mean more agile government services, with more predictable cost, reduced infrastructure overheads, and increased efficiency and responsiveness. Government adoption of this technology, beyond traditional first movers such as Estonia, represents a strong validation of how far cloud computing has come in the past few years.

However, moving important workloads to the cloud requires more than just pressing a button. Governments have explored different approaches towards ensuring that the cloud services they use address their privacy, security, availability and other concerns. A particularly prescriptive approach was developed by the U.S. government, which with the Federal Risk and Authorization Management Program (FedRAMP) introduced a long list of requirements that need to be met before a particular cloud vendor can be engaged. Other governments have issued guidelines that leave more room for the vendors to determine how a particular requirement should be met, recognizing that the pace of innovation makes inflexible policy making impossible. One such example is New Zealand’s Requirements for cloud computing and the associated Security and Privacy Considerations, which together represent a robust risk-based approach towards adopting cloud computing.

To assist governments in understanding the principles of cloud security, Microsoft frequently responds to government consultations and works with others in the industry to drive awareness and understanding of how cloud services differ from on-premises computing. We also share information to help different agencies evaluate the ability of Microsoft’s cloud services to meet the requirements they put in place. To extend the example given above, we have recently published documents specifically aimed at addressing the New Zealand Security and Privacy Considerations for Microsoft Azure, Microsoft Office 365, Microsoft Dynamics CRM Online and Microsoft Intune, which are available for download at the following links:

Moreover, we seek to drive best practices by consolidating different approaches we have seen and highlighting those that have been proven to drive the best security outcomes. For instance, to support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft in 2015 developed Transforming Government: A cloud policy framework for innovation, security, and resilience, which I blogged about before. The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure the security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best-practice implementation, often by a government somewhere in the world, which highlights how the principles can be practically realized. More detailed papers specific to cloud security will follow in the coming months.

Ultimately, we hope our work will enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.


Japan zeros in on cybersecurity

January 13th, 2016

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A confluence of events in 2015 catalyzed important action from the Government of Japan. A key wakeup call was the May Japan Pension Service hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, Japan is readying itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics; these global events will allow the country to demonstrate its technology prowess and its commitment to cybersecurity.

In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. The Strategy is worth highlighting given its unique focus on the Internet of Things. Unlike other similar documents around the world, the Japanese government recognizes the opportunities of this budding technology, as well as the inherent security risks, and sets the country on the path towards leadership in this space – finding solutions that are scalable and globally harmonized. The recognition of the value and importance of innovation and partnership with the private sector, not just for the economy, but for increasing security, represents another important aspect of the document.

The Strategy is also important as it puts forward a desire of the Japanese government to play a greater role in international cybersecurity efforts, a step that can only be welcomed. Japan already engages in capacity building, in particular in the Asia-Pacific region and has also developed a number of bilateral relationships in this space. However, with its technology capability, established trusted relations with key governmental players, and its unique perspective, a strengthened commitment to capacity building and developing cybersecurity norms will be noted and beneficial.

This was clear at the Cyber3 Conference, which was hosted by the Japanese government in partnership with the World Economic Forum last November. The two-day conference looked at opportunities to address challenges across three different topic areas: cybercrime, cybersecurity and cyber-connection, and attracted stakeholders from Japan and across the world. Microsoft was delighted to have been invited as a participant and led the policy section of the cybercrime track. Four key calls to action emerged: 1) there is a clear need for building coordinated public-private partnerships and information sharing to manage cyber-risk; 2) as technology adapts, so must our security responses; 3) similarly, policy and legal frameworks need to keep pace with innovation; and finally 4) international frameworks, in particular the mutual legal assistance treaty processes, need to be revisited for us to be able to successfully fight cybercrime. You can find the detailed overview of the discussion here.

The government has, however, not left it at that. We expect the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the agency responsible for developing the national cybersecurity policy and ensuring the security of the different public sector organizations, to put forward a number of proposals in the coming months, spanning cloud security, vulnerability reporting, and the revision of the Basic Cybersecurity Act, even though it is barely a year old. These are all critical issues for a country poised to take the lead in an area important to the global economy, and Microsoft remains a committed partner in ensuring the government’s success in this space.
