Archive for the ‘Cybersecurity Policy’ Category

Guarding against supply chain attacks—Part 1: The big picture

October 16th, 2019

Every day, somewhere in the world, governments, businesses, educational organizations, and individuals are hacked. Precious data is stolen or held for ransom, and the wheels of “business-as-usual” grind to a halt. These criminal acts are expected to cost more than $2 trillion in 2019, a four-fold increase in just four years. The seeds that bloom into these business disasters are often planted in both hardware and software systems created in various steps of your supply chain, propagated by bad actors and out-of-date business practices.

These compromises in the safety and integrity of your supply chain can threaten the success of your business, no matter the size of your operation. But typically, the longer your supply chain, the higher the risk for attack, because of all the supply sources in play.

In this blog series, “Guarding against supply chain attacks,” we examine various components of the supply chain, the vulnerabilities they present, and how to protect yourself from them.

Defining the problem

Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008. And this problem is not going away. In 2017 and 2018, according to Symantec, supply chain attacks rose 78 percent. Mitigating this type of third-party risk has become a major board issue as executives now understand that partner and supplier relationships pose fundamental challenges to businesses of all sizes and verticals.

Moreover, for compliance reasons, third-party risk also continues to be a focus. In New York State, Nebraska, and elsewhere in the U.S., third-party risk has emerged as a significant compliance issue.

Throughout the supply chain, hackers look for weaknesses that they can exploit. Hardware, software, people, processes, vendors—all of it is fair game. At its core, attackers are looking to break trust mechanisms, including the trust that businesses naturally have for their suppliers. Hackers hide their bad intentions behind the shield of trust a supplier has built with their customers over time and look for the weakest, most vulnerable place to gain entry, so they can do their worst.

According to NIST, cyber supply chain risks include:

  • Insertion of counterfeits.
  • Unauthorized production of components.
  • Tampering with production parts and processes.
  • Theft of components.
  • Insertion of malicious hardware and software.
  • Poor manufacturing and development practices that compromise quality.

Cyber Supply Chain Risk Management (C-SCRM) identifies what the risks are and where they come from, assesses past damage and ongoing and future risk, and mitigates these risks across the entire lifetime of every system.

This process examines:

  • Product design and development.
  • How parts of the supply chain are distributed and deployed.
  • Where and how they are acquired.
  • How they are maintained.
  • How, at end-of-life, they are destroyed.

The NIST approach to C-SCRM considers how foundational practices and risk are managed across the whole organization.

Examples of past supply chain attacks

The following are examples of sources of recent supply chain attacks:

Hardware component attacks—When you think about it, OEMs are among the most logical places in a supply chain at which an adversary will try to insert vulnerabilities. Moreover, these vulnerabilities can be inserted into the end product via physical access while a physical component is being transported or delivered, during pre-production access in a factory or manufacturing facility, via a technical insertion point, or by other means.

Software component attacks—Again in 2016, Chinese hackers purportedly attacked TeamViewer software, which was a potential virtual invitation to view and access information on the computers of millions of people all over the world who use this program.

People perpetrated attacks—People are a common connector between the various steps and entities in any supply chain and are subject to the influence of corrupting forces. Nation-states or other “cause-related” organizations prey on people susceptible to bribery and blackmail. In 2016, the Indian tech giant, Wipro, had three employees arrested in a suspected security breach of customer records for the U.K. company TalkTalk.

Business processes—Business practices (including services), both upstream and downstream, are also examples of vulnerable sources of infiltration. For example, experienced an exposed database when one of its customers did not adequately protect a web server storing resumes, which contain emails and physical addresses, along with other personal information, including immigration records. This and other issues can be avoided if typical business practices such as risk profiling and assessment services are in place and are regularly reviewed to make sure they comply with changing security and privacy requirements. This includes policies for “bring your own” IoT devices, which are another fast-growing vulnerability.

Big picture practical advice

Here’s some practical advice to take into consideration:

Watch out for copycat attacks—If a data heist worked with one corporate victim, it’s likely to work with another. This means once a new weapon is introduced into the supply chain, it is likely to be re-used—in some cases, for years.

To prove the point, here are some of the many examples of cybercrimes in which code built by legitimate actors was stolen and then deployed by criminals.

  • The Conficker botnet MS10-067 is over a decade old and is still found on millions of PCs every month.
  • The criminal group known as the Shadow Brokers used the EternalBlue code designed by the U.S. National Security Agency as part of their cybersecurity toolkit. When the code was leaked illegally and sold to North Korea, they used it to execute WannaCry in 2017, which spread to 150 countries and infected over 200,000 computers.
  • Turla, a purportedly Russian group, has been active since 2008, infecting computers in the U.S. and Europe with spyware that establishes a hidden foothold in infected networks that searches for and steals data.

Crafting a successful cyberattack from scratch is not a simple undertaking. It requires technical know-how, resources to create or acquire new working exploits, and the technique to then deliver the exploit, to ensure that it operates as intended, and then to successfully remove information or data from a target.

It’s much easier to take a successful exploit and simply recycle it—saving development and testing costs—and to aim it at known soft targets (e.g., avoiding known defenses that may detect it). We advise you to stay in the know about past attacks, as any one of them may come your way. Just ask yourself: Would your company survive a similar attack? If the answer is no—or even maybe—then fix your vulnerabilities or at the very least make sure you have mitigation in place.

Know your supply chain—Like many information and operational technology businesses, you probably depend on a global system of suppliers. But do you know where the various technology components of your business come from? Who makes the hardware you use—and where do the parts to make that hardware come from? Your software? Have you examined how your business practices and those of your suppliers keep you safe from bad actors with a financial interest in undermining the most basic components of your business? Take some time to look at these questions and see how you’d score yourself and your suppliers.

Looking ahead

Hopefully, the above information will encourage (if not convince) you to take a big picture look at who and what your supply chain consists of and make sure that you have defenses in place that will protect you from all the known attacks that play out in cyberspace each day.

In the remainder of the “Guarding against supply chain attacks” series, we’ll drill down into supply chain components to help make you aware of potential vulnerabilities and supply advice to help you protect your company from attack.

Stay tuned for these upcoming posts:

  • Part 2—Explores the risks of hardware attacks.
  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

The post Guarding against supply chain attacks—Part 1: The big picture appeared first on Microsoft Security.

Finding the signal of community in all the noise at Black Hat

August 16th, 2018

I don't know about you, but I find large conferences overwhelming. Don't get me wrong, nothing beats the innovative potential of bringing a diverse group of brilliant people together to hash through thorny issues and share insights. But there are so many speakers, booths, and people, it can be a challenge to find the signal in all the noise; did I mention conferences are also really loud?

So last week when I stepped into the first of multiple showrooms at the Mandalay Hotel in Las Vegas for the Black Hat Briefing, I have to admit I felt a little nostalgia for the very first Black Hat Conference. It was 1997 at the old Aladdin Casino in Las Vegas. A casino with a long and colorful history, slated to close a few months after the conference ended. 1997: That was before Facebook and the iPhone, before the cloud. At the time, the RSA Conference was still mostly focused on cryptography, and those of us concerned about security vulnerabilities and how they impacted practitioners day in and day out had few opportunities to just get together and talk. The first Black Hat Briefing was very special. If my memory serves, there were only a couple hundred of us in attendance, compared to thousands today, and through those connections we built a community and an industry.

Building a community was key to creating the information security industry that exists today, and I believe that building community is just as critical now as we face down the new security threats of a cloud-and-edge world, an IoT world. We need the whole defender community (white hat hackers, industry, and government) working together to protect the security of our customers.

The security research community plays a fundamental role in community-based defense

Over the last few years, Microsoft has been expanding and redefining what makes up our security community, one of the many positive evolutions since that first Black Hat. Like most tech companies, we once believed that any hacker outside of the organization posed a risk, but as we've gotten to know each other through many years of hard-earned trust and collaboration, we, and the security research community, have learned that our values aren't so different. Sometimes the only way to make something stronger is to break it. We know we can't on our own find all the gaps and errors in code that lead to vulnerabilities that criminals exploit to steal money and data. We need great minds both inside and outside our organization. Many of those great minds in the security research community collaborate with us through the Microsoft Security Response Center, and Black Hat was the perfect place to announce the subset of those researchers that made our annual Top 100 Security Researchers List.

Image of the Top 100 sign at the Black Hat Conference.


We really appreciate the ongoing support from the community and encourage new researchers to report vulnerabilities to the Microsoft Security Response Center and participate in the Microsoft Bounty Program.

It takes a community to protect the security of our customers

As much as Microsoft values the relationship we have with researchers, we also attended Black Hat as industry partners. We want to help educate our peers on notable vulnerabilities and exploits, and share knowledge following major security events. As an example, one of our sessions focused on how Spectre and Meltdown are a wake-up call on multiple dimensions: how we engineer, how we partner, how we react when we find new security vulnerabilities, and how we need to become more coordinated. When I think about what was so exciting about that first conference, this is what comes to mind: those moments when we hear what our partners have learned, share what we know, and build on those insights to strengthen our collective response. The tech industry is increasingly interdependent. It's going to take all of us working together to protect the safety and security of our customers' devices and data.

Image of the Black Hat Conference in Las Vegas.


But the meeting of the minds at annual security conferences, while important, is not enough. Microsoft also believes that we need a more structured approach to our collaboration. Cybersecurity is not just about threats from hackers and criminal groups; it has increasingly become a situation where we’re facing a cyberweapons arms race with governments attacking users around the world. We know this is a challenge we must pursue with our partners and customers, with a sense of shared responsibility and a focus on constantly making it easier for everyone to benefit from the latest in security advances. Microsoft has been working to help organize the industry in pursuit of this goal.

This past April during the RSA Conference, we came together as initially 34 companies, now 44 companies, and agreed to a new Cybersecurity Tech Accord. In this accord, we all pledge to help protect every customer, regardless of nationality, and will refrain from helping governments attack innocent civilians. It’s a foundation, on which we are building, to take coordinated action and to work with all our partners and many others to strengthen the resilience of the ecosystem for all our customers.

I admit it, I do sometimes miss attending those small, tightly knit conferences of old. But I'm even more inspired about the possibilities that I see as we continue to build on these collaborative models. We've seen a lot of progress recently working with our partners and the security research community. If you listen closely, I think you can hear the signal breaking through.

Building on experience: a framework for cybersecurity policy

August 9th, 2018

Each year, more and more governments are developing policies to address security challenges presented by an increasingly digitized world. And to support those efforts, I'm excited today to announce the release of Microsoft's new Cybersecurity Policy Framework, a resource for policymakers that provides an overview of the building blocks of effective cybersecurity policies and that is aligned with the best practices from around the globe. Nations coming online today, and building their cybersecurity infrastructures, should not, and need not, be burdened with the stumbling blocks that characterized previous generations of cybersecurity policies. Instead, such nations should be empowered to leapfrog outdated challenges and unnecessary hurdles.

For years, Microsoft has worked with policymakers in advanced and emerging economies, and across many social and political contexts, to support the development of policies to address a wide range of cybersecurity challenges. This new publication captures and distills the important lessons learned from those years of experience partnering with governments. And as increasing numbers of countries wrestle with how to best address cybersecurity challenges, the Cybersecurity Policy Framework is an indispensable resource for the policymakers joining this work.

According to the last analysis provided by the United Nations, half of the countries on earth today either have or are developing national cybersecurity strategies. I have little doubt that in the next decade every single outstanding country will add its name to that list. And this trend highlights the importance of this new resource. The policies established today will impact how technologies are used for years to come and how safe or dangerous the online world becomes for all of us. Truly, there is no going back, only forward.

The Cybersecurity Policy Framework is not one-stop shopping for cybersecurity policymakers, but it does serve as an important umbrella document, providing a high-level overview of concepts and priorities that must be top of mind when developing an effective and resilient cybersecurity policy environment.

Specifically, this new resource outlines:

  • National strategies for cybersecurity.
  • How to establish a national cyber agency.
  • How to develop and update cybercrime laws.
  • How to develop and update critical infrastructure protections.
  • International strategies for cybersecurity.

We at Microsoft have been at this work for a long time and have developed a wide variety of resources to help those who are working to position their industries and nations to capitalize on the benefits of new technologies, so many that they can often be difficult to find! And this highlights another strength of the Cybersecurity Policy Framework: while it is not one-stop shopping, each section does provide an overview of a critical policy topic as well as links to the associated and more in-depth resources my team has developed over the years to assist policymakers. In this way, this new resource serves not only as essential, high-level guidance, but also as a key to a broader catalogue of resources built on years of experience partnering with governments around the world.

Reading through this new resource, I am proud of the work we have done in pursuit of a safer online world. Important progress has been made and these foundational principles underscore much of today's cybersecurity discourse. However, we have, and will always have, more work to do as a result of the changes and innovations in technology always on the horizon, and their implications for cybersecurity. I'm glad to put this resource forward today to support a new generation of policymakers and also look forward to partnering with them to tackle the new challenges we will face together tomorrow.

Download your copy of the Cybersecurity Policy Framework today.


Artificial intelligence and cybersecurity: The future is here

November 14th, 2016

Although we’re a very long way from putting artificial intelligence (AI) in charge of national defense, the use of AI in cybersecurity isn’t science fiction. The ability of machines to rapidly analyze and respond to the unprecedented quantities of data is becoming indispensable as cyberattacks’ frequency, scale and sophistication all continue to increase.

The research being done today shows that automated cybersecurity systems can do many things with only limited human oversight. Through neural networks, heuristics, data science, and similar techniques, systems are being designed to identify cyberattacks, to spot and remove malware, and to find ways to fix bugs faster than any human could. In some respects, this work is simply an extension of the principles that people have become used to in their mail filters or firewalls. That being said, there is something qualitatively different about the AI’s “end game”, i.e. having cybersecurity decisions taken by technology without human intermediation.

This novelty brings with it entirely new challenges. For example, what would legal frameworks around such cybersecurity look like? How would we regulate their creation and their use? What would we in fact regulate? There has already been some insightful writing and research done on this (see Potential AI Regulatory Problems and Regulating AI systems for example), but for policy-makers the fundamental challenge of defining what an AI is and what it is not remains. Without such fundamentals, even outcome-oriented approaches could fall short, as there is no certainty about when they must be used.

“If our brains were simple enough for us to understand them, we’d be so simple that we couldn’t.” (Ian Stewart, The Collapse of Chaos: Discovering Simplicity in a Complex World)

In fact, AI technologies will be complex. Many government policymakers may struggle to understand them and how to best oversee their integration and evolution in government, society and key economic sectors. This is further complicated by the chance that the creation of AI might be a globally distributed effort, operating across jurisdictions with potentially distinct approaches to regulation. Smart cars, digital assistants, and algorithmic trading on financial markets are already pushing us towards AI. How could we improve the understanding of the technology, transparency about its decision making, integrity of its development and ethics, and the actual control of the technology in practical terms?

But it is also critical to understand the role AI can and will play in cybersecurity and resilience. The technology is initially likely to be “white hat”, enabling critical infrastructures to protect themselves and the essential services they provide to the economy, society and public safety in new and novel ways. AI may enable systems to anticipate and rapidly mitigate security incidents or advanced persistent threats. But, as we have seen in cybersecurity, we will likely see criminal organizations or nation states seek to exploit AI to evade cybersecurity defenses or even to attack. This means that reaching consensus on cybersecurity norms becomes more important and urgent. The work on cybersecurity norms will need more public and private sector cooperation globally.

In conclusion, it is worth noting that despite the challenges posed by AI in cybersecurity, there are also interesting and positive implications for the balance between cybersecurity and cyber-resilience. If cybersecurity teams can rely on smart systems to play defense, their focus can turn to preparing to handle a successful attack’s consequences. The ability to reinvent processes, to adapt to “black swan” events and to respond to developments that violate the fundamental assumptions on which an AI is built, should remain distinctly human for some time to come.



Cybersecurity and cyber-resilience – Equally important but different

November 3rd, 2016

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology’s expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology’s pervasiveness in our lives, the possible consequences of attacks such as the one that occurred last month are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces), but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there will soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure due to cyberattacks. If this is the case, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack’s consequences? In other words, shouldn’t cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we can sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they would be able to continue to operate at some level in the face of “black-swan” violations of those systems’ fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality is, however, that cyberattacks are not zero-sum games where a breach means unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires there to be a focus on culture, as much as there is on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long-term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct, but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies or sufficient to withstand the chronic stresses and acute shocks.



FedRAMP High: Trust is cloud security validated

The latest Government Office of Accountability report dealing with the security of high impact information technology (IT) systems continues to point out opportunities for improvement in cybersecurity across the US Federal Government. While improvements have been made, the persistence of the challenge is disquieting. Particularly troubling is that many of the concerns result from long-standing and well-known inefficiencies in the government’s current IT environment, such as low asset utilization, fragmentation, legacy systems, and the challenging procurement processes. Cloud computing can help address many of those, and at the same time improve government service delivery – at a lower cost – ultimately providing agencies with the ability to deliver secure, reliable, and innovative services quickly despite resource constraints.

When the Obama Administration issued its Cloud First Policy five years ago, with a clear aim of encouraging the Federal Government to harness the benefits of cloud computing, one question remained for many agencies: Given the level of security required, would my data be secure? The Cloud First policy accelerated the rate at which government could realize the value of cloud computing by – among other things – requiring government agencies to evaluate the security of cloud computing options before making new investments. This single action not only required government agencies to familiarize themselves with cloud computing during each new acquisition, but also incentivized vendors to drive further investments in security.

To streamline this process, the Federal Risk and Authorization Management Program, or FedRAMP, was developed. It represents a government-wide, standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP was designed with the objective of saving 30 to 40 percent of government IT costs, in addition to reducing the amount of agency time and staff needed to conduct redundant security assessments. However, up until last month, Federal agencies could only migrate low and moderate impact workloads to the cloud – not mission critical, high impact systems – as no vendors had been certified to provide those services.

These high impact data systems tend to sit in agencies that deal with security and where information, if disclosed, modified or denied access, could have severe and even catastrophic effects on organizational operations and assets. While high impact systems only constitute 20 percent of all federal systems, they represent nearly 50 percent of government spending dollars – much of it given the additional security concerns noted above. The finalization at the end of June of the FedRAMP High Security Baseline, a draft set of security controls at the High/High/High categorization level for confidentiality, integrity, and availability, is therefore even more significant. It not only signals an important milestone in cloud security, but is also estimated to drive significant cost savings from the U.S. government’s annual $80 billion IT budget.

Microsoft was selected as one of the vendors that took part in the FedRAMP High Pilot earlier this year. The pilot sought to deepen the understanding of the objectives and the process for both the government and Cloud Service Providers, increase the level of rigor, shorten timeframes, as well as broaden the scope of control applicability. The success of the pilot contributed significantly to the development and refinement of the FedRAMP High Security Baseline and we are happy to report that we successfully received a High Impact Provisional Authority to Operate (P-ATO) approval for the Azure Government environment.

In addition to our work on FedRAMP with the US government, we are engaged with governments and customers around the world to ensure that they can adopt cloud computing securely and effectively. As a result of our global engagements, and reflecting different cultural and organizational experiences, Microsoft developed the Transforming Government: A cloud assurance program guide. It was designed to help governments as they develop and implement cloud assurance programs – reflecting best practices, but also lessons learnt from initiatives such as FedRAMP. We understand that the primary goal of any government cloud assurance program needs to be managing information security risks, while at the same time enabling that government to take advantage of the many benefits and opportunities of cloud services. Achieving that goal requires risk-based decision making at every step of a government’s process of developing and implementing a cloud assurance program. While developing such a process represents a substantial foundational investment, experience shows that it pays significant dividends over time, as it enables governments to leverage secure cloud solutions to deliver and extend citizen services.

Angela McKay
Director of Cybersecurity Policy


Microsoft’s Perspective on the Benefits, Challenges, and Potential Roles for Government in Fostering the Advancement of the Internet of Things (IoT)

June 15th, 2016

Microsoft recently filed comments with the U.S. Department of Commerce and the National Telecommunications and Information Administration (NTIA) on the benefits, challenges, and potential roles for the government in fostering the advancement of IoT, which can be read here. In addition to commending NTIA for undertaking this timely public consultation and for providing comments received for public review, I wanted to summarize Microsoft’s policy perspectives and recommendations.

Microsoft’s comments encourage policymakers to more broadly support efforts that will advance consumer and enterprise trust in IoT technology and help IoT realize its full potential. The government should encourage initiatives that recognize and emphasize the following:

  • Best practices for IoT cybersecurity that are appropriately scoped to the roles of different actors in the IoT ecosystem.
  • Modernization of traditional privacy frameworks, such as the “notice and consent” framework, to increase the focus on transparency, context, and consumer expectations in scenarios where notice and consent are impractical.
  • Support for industry-led efforts to develop open, voluntary, consensus-based, and globally-relevant standards that promote innovation and preserve interoperability, to ensure new IoT systems and legacy technology systems can work together.
  • International engagement that takes into account other countries’ IoT strategies and initiatives as well as international trade commitments.

To put these policy priorities into action, Microsoft offers three recommendations for the government:

  • Create an IoT interagency task force. This task force can coordinate with existing organizational bodies to foster balanced perspectives on security, economic benefits, and potential risks. Participants from across government agencies would set milestones for completion, focusing in particular on 1) directing the update of federal strategic documents to consider the security aspects of the explosive growth of, and reliance on, IoT; 2) directing the update of existing awareness and training programs; 3) encouraging and incentivizing academia to develop curricula focused on IoT and security challenges; and 4) encouraging engagement in appropriate international forums for standards and policy development.
  • Convene and facilitate a government and industry standing body. Through a public-private standing body, key stakeholders can coordinate, collaborate and leverage the various industry IoT consortia to develop, update, and maintain IoT deployment guidelines to manage cybersecurity implications and risks. This body would adopt an international perspective that takes into account the significant work on IoT-related standards outside of traditional channels in standards development organizations.
  • Review current research and development (R&D) investments and recommend future R&D funding for fundamental IoT security and cyber-physical security research. The Office of Science and Technology Policy should review R&D funding and investments, specifically for fundamental IoT and cyber-physical security research and help ensure the R&D projects are addressing evolving cybersecurity challenges.

Governments have an important role in ensuring that IoT innovations continue. Microsoft looks forward to continuing to work with NTIA to address the benefits and challenges of IoT in the future. For more details on Microsoft’s approach to IoT security, please download our recent white paper, Securing Your Internet of Things from the Ground Up, and visit if you would like to learn more about Microsoft’s role in the IoT ecosystem.


Survival of the most (cyber) resilient

June 6th, 2016

By 2045, more than 70% of the world’s population will live in urban areas, giving cities a level of power and importance unrivaled in all of human history. But their leaders must also face new challenges that were once solely the domain of the nation state, including unemployment and gentrification, climate change, terrorism, and the impact of rapid digitization.

Because cities wish to thrive, rather than merely survive, many are turning to technology for help. “Smart cities”, which make use of the Internet of Things, big data and cloud computing, are an increasing reality. This can pave the way for more prosperous, sustainable and competitive urban communities, but it also brings its own challenges. The more data available to help cities, the higher their potential exposure. The digital systems which underpin a city’s inner workings and service provision can be vulnerable. And the digitization of systems such as energy and transport networks increases the potential risks to the most critical infrastructure.

In order to make the most of the transformative potential of technology without compromising security, cities are becoming increasingly innovative in how they manage such risks. A new discipline, known as “cyber resilience”, is emerging, with organizations shifting from a prevention-first mentality to focus instead on capabilities for readiness, response and reinvention.

Rotterdam, the Netherlands’ second-largest city, is a case in point for what successful reinvention looks like. “Rotterdammers”, as the city’s 630,000 residents are known, have faced more than a few challenges in their time: from the near-constant threat of flooding (now kept at bay by a complex system of dykes and levees), to the total destruction of the city center during World War II. But resilience is in Rotterdam’s blood – the municipal motto is “stronger through struggle” after all – and it has grown into a thriving economic and industrial hub.

In 2013, the city’s determination to prepare for the future led it to be chosen as one of the Rockefeller Foundation’s inaugural 100 Resilient Cities. This initiative aims to help cities across the globe “become more resilient to the physical, social and economic challenges that are a growing part of the 21st century.” In practice, this means giving cities the tools, resources and networks they need to adequately prepare for, and reduce the impact of, one-off shocks such as natural disasters, or daily stresses which make the city a less pleasant place to live.

The ability to bounce back from failure is as critical in cyberspace as in any other domain – if not more. That is why Rotterdam earlier this month launched a resilience strategy which includes a specific focus on cyber – making it the first European city to ever do so.

As a key economic engine of the Netherlands and Europe, Rotterdam is a large industrial complex in a relatively small area, with large-scale infrastructure and thousands of companies which are all increasingly dependent on properly functioning ICT to sustain jobs and maintain growth.

As a formal partner of 100 Resilient Cities for 18 months, Microsoft has worked closely with Rotterdam on the creation of this strategy, whose aim is to create a thriving, prosperous and cyber-resilient port city where the opportunities of digitization can be leveraged with minimal risk, and where businesses can innovate and grow for generations to come.

The world will continue to urbanize and digitize at a dramatic pace. Cities that adapt and innovate in the face of these constant changes will reap significant benefits for their citizens, economies, and security. But such success will not be easy. It requires commitment from both the public and private sector to develop and implement long-term cyber resilience strategies. These plans must be living documents with broad support from residents. The Rotterdam strategy helps to show that the difference between surviving and thriving in the face of 21st century challenges is cyber resilience.


Cyber Resilience: rethinking risk management

May 9th, 2016

The rapid pace of technological evolution and dramatic increases in connectivity are sparking discussion about what systemic cyber risks might look like and how best to manage them. In late April, Microsoft partnered with the World Economic Forum Council on Risk and Resilience on a workshop addressing the topics of systemic cyber risk and possible approaches to avert the dangers it poses. The interactive workshop focused on the financial services, transportation and healthcare sectors, given their importance to national economies, national security and the well-being of citizens, and the potential impact of any systemic disruption. The event was the first step in developing a World Economic Forum report on the topic and examined the challenges of building resilience in today’s rapidly evolving technology and threat environments.

Diagnosing the problem

In order to continue to improve resilience to systemic cybersecurity risks, we have to develop a more thorough understanding of what systemic risk really means and the role it plays in some of the most important sectors of the economy. I was fortunate to moderate our initial panel discussion, which was dedicated entirely to exploring definitions of systemic risk and possible approaches to increasing the resilience of online ecosystems in light of them. Panelists examined key vulnerabilities, identified single points of failure, and sought to understand the potential systemic consequences inherent in today’s risk environment. Perhaps Phil Reitinger captured it best: this might be one of the “you know it when you see it” categories. Ultimately, although systemic risk is inherently difficult to describe, there was widespread agreement that without a stronger definition the term loses all meaning and importance. While a simple way to think about systemic risk is as a cyber risk that rises above the enterprise level, we have to go deeper.

One way to do this is by refining the key characteristics we can agree help define systemic risk, including critical functions, interconnectedness, and contagion. We must first align on what is meant by systemic risk and the threat at hand if we are to work cooperatively on the investments that enterprises and infrastructures will need to make to ensure greater cyber resilience.

Building better cyber resilience

As we improve our understanding of systemic cyber risk, the next challenge is using this knowledge to build better cyber resilience. While this is a complex and long-term challenge, the first step is understanding that there will be no simple technological fix. Solving this issue will require proactive efforts and the adaptability to quickly learn from mistakes. Moreover, harmonization of approaches, across geographies and infrastructures, will be critical in increasing resilience. Those were the issues raised in the second panel, moderated by my colleague, Angela McKay.

Here participants discussed two steps: incentivizing collaboration between those facing or defending against cyberattacks, and improving metrics for cyber resilience. To make meaningful progress, partnerships between the private and public sectors, including at state and local levels, are essential. While those perpetrating cyberattacks frequently collaborate actively and have strong, shared incentives, that is not always the case with the defenders. The panel explored measures that could help entities of all types and sizes refine their enterprise risk management strategies and identify targeted areas for key investment. It was acknowledged that metrics that can succinctly and effectively evaluate organizations’ resiliency to systemic cyber risk will go a long way in helping industry leaders and policymakers develop more rigorous cybersecurity defenses. The conversation ended with a debate on incentives, in particular around how cultural and organizational change, rather than just technological change, can be driven, and highlighted challenges related to human resources, cyber-insurance, and ratings.

The future of cyber resilience

We are just at the beginning of defining what should constitute effective resilience strategies. As we explored during the workshop, we have a tremendous opportunity and responsibility to work together on this topic. This is an issue that can’t be fixed by just one company or government, but instead will require focused effort from all parties affected. The workshop was a tremendous opportunity to start this work, as it will take critical investment by enterprises and governments to begin to increase our collective cyber resilience. Microsoft was pleased to work with the World Economic Forum Council to bring key experts together, hear their perspectives, and help champion these efforts moving forward.


Global cybersecurity policy: Finding a balance between security and competitiveness

May 2nd, 2016

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations and the global cybersecurity market is forecast to be worth US$170 billion by 2020, growing in step with significant advancements in cloud computing, the Internet of Things (IoT), and other technologies that are changing the way we communicate and work. The IoT security market itself is expected to grow from US$6.89 billion in 2015 to US$29 billion in 2020. Other high growth areas include security analytics, mobile security and cloud security.

The same concerns are also driving government decision makers to develop responses that seek to ensure that key assets, systems and networks remain protected in this new environment. Today more than half of nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security. These efforts are beginning to solidify into security requirements for a range of businesses, from information technology (IT) providers to critical infrastructures and users of cloud services.

United States: Securing the government

In the United States the focus on cybersecurity has never been greater, in particular if we single out the work done at the federal government level after the breach at the Office of Personnel Management (OPM). In early 2016, President Obama announced the Cybersecurity National Action Plan, which aims to raise the level of cybersecurity across the nation, but particularly for its high-risk assets. With it, the President is driving a new policy and operational focus, for example by the appointment of a Federal Chief Information Security Officer, and by requesting an additional US$3.1 billion from Congress for the “Information Technology Modernization Fund”.

In parallel, the White House continues to drive policy efforts that seek to enhance the level of cybersecurity across the country. One of the focus areas continues to be increasing the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, both domestically and internationally. Another is the implementation of the Cybersecurity Act of 2015, which was signed into law in late December. The Act provides a paradigm for one of the essential elements of cybersecurity: the sharing of information on cybersecurity threats and defensive measures among private sector entities and between the private sector and the government.

Japan: Preparation for taking the world stage

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A key wakeup call was the May 2015 Japan Pension Service hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, Japan is readying itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics; these global events will allow the country to demonstrate its technology prowess and its commitment to cybersecurity. In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. Furthermore, the government is preparing to revise its Cybersecurity Law, as well as to implement concrete action to protect its critical infrastructures, for example by examining structured information sharing.

China: Focusing on the rule of law

China has over the past two years proposed and passed a number of laws that touch on cybersecurity, including the National Security Law, the Anti-Terrorism Law, and the Amendment to its Criminal Code, which exposes network service providers that fail to comply with certain cybersecurity obligations to criminal liability. The speed with which these laws are being adopted signals the importance the government places on this area.

The speed has also led to concerns expressed by numerous multinational companies, as well as governments, who have been urging the Chinese government to reconsider some of the positions it has been taking. The draft Cybersecurity Law, which amongst other things includes provisions requiring companies to store data locally and to provide encryption keys, and which incorporates an overarching structure for cybersecurity management in the country, is one such example. The latest step in the government’s push came last month, with the founding of China’s first national non-profit organization for cybersecurity, the Cybersecurity Association of China. It has 275 founding members, including major domestic Internet firms, cybersecurity companies, and scientific research institutions.

Europe: Protecting critical infrastructures

After three years of intense negotiations, the European Union (EU) reached an agreement on the Network and Information Security (NIS) Directive this past December. While some of the details remain to be hammered out, the Directive focuses government efforts on creating cybersecurity capabilities and policies, through the obligation that each of the countries affected create Computer Security Incident Response Teams and national cybersecurity strategies. In following a risk-based approach it further concentrates government resources on protecting critical infrastructures. How widely or narrowly the 28 EU Member States will interpret that definition will be revealed over the next two years.

The obligations that are being introduced are nevertheless important for a wide range of enterprises which fall under that definition, including a large number of digital service providers. Although digital service providers were retained within the Directive’s scope, it recognizes the transnational nature of the online environment, as well as the need for greater harmonization of security requirements overall. An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (e.g. the transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

In the coming months, my team will use this blog to examine these and other policies around the world more closely. It is already clear that 2016 could be the year that shifts cybersecurity from a topic of conceptual debate to a more concrete set of practices, obligations and requirements, in particular for enterprises in the critical infrastructure sectors or those providing services to governments. Whether the different countries will be able to ensure that these policies succeed in increasing security for the broader ecosystem hinges on whether the requirements put in place will be complementary, able to align with existing laws, and able to adapt to new technologies such as IoT. Watch this space.


A call to raise awareness and adoption of vulnerability disclosure and handling best practices

April 25th, 2016

Over the past few years, technology companies have increasingly moved toward partnering with security researchers to better protect their products, services, and customers. Recognizing that vulnerability research is a valuable part of securing the online environment, they have matured programs to work together with researchers in receiving, triaging, and responding to reports.

Microsoft’s focus on coordinating with researchers has developed over time. When we launched our first BlueHat Briefing in 2005, there was a significant level of distrust on both sides, and we listened to the security community as we evolved our approach. In 2011, we announced a new Coordinated Vulnerability Disclosure (CVD) policy and set of practices, aiming to be transparent and to encourage vulnerability finders to work with us. Since then, we have expanded our BlueHat prizes and bug bounty programs, further incentivizing researchers to work with us as we continue to strengthen our platforms.

Many companies are increasingly becoming software companies. In cars, elevators, wearable devices, and many other products and services, the practice of incorporating software components is growing exponentially. All of these devices and programs can suffer from vulnerabilities that are exploited by criminals. Unfortunately, for various reasons, including lack of resources, expertise, or understanding of vulnerability research, not all of these companies partner with the security researchers who find and report potential vulnerabilities.

To address this gap and promote greater collaboration, Microsoft is working with the U.S. Department of Commerce National Telecommunications & Information Administration (NTIA) and numerous other stakeholders, including security researchers, technology providers, and civil society. In particular, we are co-chairing an NTIA working group that’s focused on increasing awareness and adoption of vulnerability disclosure and handling best practices. The group aims to highlight the overlapping interests of technology providers and security researchers and to develop resources that can support new partners in coordination and ecosystem security.

To guide our working group toward developing the most responsive and helpful resources, we’re seeking information about how vulnerability disclosure and handling is currently being approached. While we already have an appreciation of where concerns and obstacles might lie, we want to ensure that we are addressing the real needs and gaps that are being experienced in the ecosystem. To this end, we have developed short surveys, targeting both security researchers and technology providers and operators, and we encourage you to share and respond to them. Responses will be anonymized, and the surveys will close in mid-May.

The security researcher survey is available here:

The technology provider and operator survey is available here:

Ultimately, all stakeholders within and impacted by the vulnerability information sharing ecosystem—including security researchers, technology providers, technology operators, non-profit coordinators, bug bounty providers, governments, and users—have responsibilities to keep users safe. With your participation in this NTIA working group survey and broader engagement on this issue, we can learn more about how the ecosystem is maturing and what more we can do to support its advancement.


Working to increase the cyber resilience of cities around the globe

February 11th, 2016

A year ago, Microsoft and the Rockefeller Foundation announced that we would be partnering on their 100 Resilient Cities challenge, in an effort to help cities address emerging cyber resilience needs. Our particular objective in joining the effort has been to help cities improve their digital resilience, and to ensure that they are better able to withstand and recover from the shocks and stresses that are a growing part of life in the 21st century.

Not a day goes by that we do not read about an organization being targeted by a cyberattack. Any organization or individual, of any size or global standing, is susceptible to a cyberattack. While businesses, governments and individuals are rushing to take advantage of rapidly developing technologies to deliver a wide array of social and economic benefits, digitalization itself introduces a new range of risks. As a result, we have seen cybersecurity grow beyond being just the responsibility of an IT department to being acknowledged as a company- or government-wide issue that carries far-reaching consequences. Moreover, a new discipline, cyber resilience, has begun to emerge, as organizations slowly shift from prevention to resilience, focusing on continuous assessment, preparation for, and response to cyber incidents. The realization that those who survive are not necessarily the strongest or the smartest, but those that can best adapt to new circumstances, applies equally well in cyberspace.

While there is no internationally accepted definition of “cyber resilience”, there is a growing consensus that it can be defined as the ability of complex cyber systems to continuously deliver the intended outcome despite chronic stressors and acute shocks. Resilient cyber systems also exhibit common resilience attributes: they are (1) aware, (2) diverse, (3) integrated, (4) self-regulating, and (5) adaptive. Additionally, cyber resilience can best be understood, and to some degree assessed, by understanding capacities and capabilities for readiness, response, and reinvention. Given those attributes it is clear that cyber resilience is not something that an organization, or in this case a city, can purchase from a vendor. It is built through leadership, teamwork, risk taking, trust, flexibility, and commitment to advance and continually reinvent the digital city.

Since the inception of our partnership, my team has worked with individual cities to help them go beyond developing “safe to fail” approaches, towards understanding the distributed set of capabilities and capacities that they require to be truly resilient, something almost impossible to measure or identify from a strictly quantitative perspective.

Through this ongoing work, there is a great opportunity to work with cities across the globe and change the thinking about cyber resilience so that it is about more than graceful degradation, and instead encompasses the ability to withstand diminished capacity and capability and to reinvent in the face of prolonged stressors or acute shocks.


Cybersecurity norms: From concept to implementation

February 8th, 2016

Last year Microsoft put forward six cybersecurity norms with the aim of reducing conflict in cyberspace and protecting global trust in technology. They offer considerations for limiting nation-state activity against commercial, mass-market ICT; responsible handling of ICT vulnerabilities and cyber weapons; appropriate conduct of offensive operations in cyberspace; and support for private sector management of cyber events. However, while we remain the only industry player to offer a proposal in this space, the dialogue on cybersecurity norms has evolved even since then.

Indeed, stakeholders from government, academia and civil society have put forward a number of proposals for cybersecurity norms, seeking to address a spectrum of challenges caused by the exploitation of ICT systems. While the proposals are not uniform, they overlap enough that the discussion has slowly begun to evolve from a conceptual discussion about the rights and responsibilities of nation states towards more clearly articulated norms. The key proposals driving the debate are:

However, even as these proposals begin to take root among governments, many question the feasibility of their implementation. Governments have acknowledged the centrality of international law in cybersecurity norms, but international legal instruments often cannot address the complexity of cyberspace, particularly in non-conflict, short-of-war scenarios. Cyberattack attribution is arguably the most prominent example of this gap, and it has been argued that without it, particularly without establishing whether an attack was perpetrated by a government or its proxies, norms implementation will lack accountability and therefore lack credibility as a policy tool.

Attribution is not impossible, but it can be difficult from both technical and international relations perspectives. The latter represents a typical challenge in diplomatic relations, as nation-states might choose not to act on particular intelligence, for reasons unrelated to cybersecurity. This lack of action might in the long run undermine the framework itself. From a technical perspective, the private sector has been analyzing attacks and their origins for many years in defending the online environment, irrespective of whether the attacks may have been sponsored or conducted by a state. Indeed, several global ICT companies, including Microsoft, have adopted policies and practices designed to alert users of popular online services when it appears that nation-states have targeted them.

In our view, these policies and practices can lay the groundwork for future collaboration with other norms stakeholders to drive accountability in nation-state behavior and ultimately to protect ICT users from compromise of their data by nation-states. As indicated, we believe implementation is only possible as a two-part process involving both technical assessment of the nature of the attack and political determination about nation-state responsibility. These are topics that we will address here and in a coming paper in the months to come.


The continued importance of cybersecurity capacity building

February 3rd, 2016

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. The Internet has transformed from an information exchange platform into a tool that is central to addressing some of our biggest challenges, from the delivery of healthcare and education, to increasing energy efficiency and ensuring organizations are more effective and responsive. However, given the increases in computing power, the advances in cloud computing and big data capabilities, and the increasing prevalence of the Internet of Things, it is clear that we are only scratching the surface of what information technology can do.

Yet this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations around the world, and government decision makers are developing responses that seek to ensure that key assets, systems and networks remain protected in this new environment. Today more than half of nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security.

However, these approaches vary considerably, according to the different needs and stages of development of individual countries. My team looked at how governments can prioritize their cybersecurity efforts, depending on where they are in the connectivity cycle, in a report a few years back (Hierarchy of Cybersecurity Needs: Developing national priorities in a connected world). Our work on capacity building since then has confirmed that its conclusions continue to hold. We have particularly found that governments increasingly recognize the recommendation that highlights the importance of risk management and adaptability as the cornerstones of preparedness online.

Microsoft is a strong proponent of capacity building for cybersecurity, and we have endeavoured to develop and share guides, principles and frameworks that we believe will support governments as they seek to tackle this complex environment. The frameworks we developed are based on our own efforts to protect our network and our customers, a practice developed and honed over the past 15 years, as well as on tried and tested practices that we have seen governments put forward. We hope that our efforts help fill the gap in the expertise needed to address the management, technical and operational challenges in cyberspace today.

However, we recognize that this is no simple effort and requires wide participation by industry, governments and non-governmental organizations alike, in particular when it comes to designing the delivery of the capacity building effort in a way that is scalable, sustainable and repeatable. We therefore work closely on initiatives such as the Global Forum on Cyber Expertise and the United States Telecommunications Training Institute (USTTI)’s cybersecurity curriculum, focused on targeting senior government officials in developing markets and enhancing their understanding of risk management best practices. Later this month my team will join USTTI in Ghana to give an overview of our efforts in this space to representatives from over 20 countries in Africa, following on similar initiatives in Washington D.C. over the summer. We will also begin work with the International Telecommunications Union and its partners to bridge the expertise gap further by developing a new national cybersecurity strategy framework. The thirst for knowledge we see is immense; it is time to work together to quench it.

Categories: cybersecurity, Cybersecurity Policy Tags:

What’s Next for EU Cybersecurity after the NIS Agreement?

January 25th, 2016 No comments

After three years of intense negotiations, the EU finally reached agreement on the Network and Information Security (NIS) Directive this past December. Politically, all that remains to be done is for the text to be formally approved by the European Parliament and the Council of the EU in the coming months. Then Member States will have 21 months to implement this landmark legislation. At a technical level, however, there’s still work to be done. But more on that later.

Firstly, I would like to commend governments on finalizing what I am sure at times seemed like an arduous and thankless process. The final text of the Directive is much more likely to increase cybersecurity readiness across the EU, given its tighter focus on outcomes and the effectiveness of the obligations introduced. It is also positive to see that all Member States are adopting a national cybersecurity strategy and establishing new national authorities dedicated to cybersecurity, as well as Computer Security Incident Response Teams (CSIRTs). The commitment to greater international and intra-European coordination is equally encouraging.

The risk-based approach laid out in the Directive rightly concentrates government resources on protecting critical infrastructure (“operators of essential services”), making an important distinction between digital service providers overall and those that support the aforementioned essential services, by assigning them different sets of obligations. It is particularly important that the transnational nature of the online environment has been recognized and that governments are committed to greater harmonization of security and reporting requirements for digital services.

However, the extent to which EU Member States are able to harmonize the requirements will set the standard for judging the success of the Directive in years to come. The potential for this law to be replicated internationally hinges on the ability of Member States not only to develop new, complementary requirements, but also to align existing ones. Countries such as Germany, France and the Czech Republic have already adopted their own implementation of the NIS Directive ahead of its adoption.

An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (e.g. the transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

Designing a framework to address some of those concerns will be done through a combination of guidelines to be developed by the European Network and Information Security Agency (ENISA) and a set of implementing acts by the European Commission. ENISA’s ability to coordinate with both governments and the private sector will be critical in order for this process to yield effective and workable results in a relatively short timeframe. This is particularly true with regard to developing an incident reporting scheme – the first of its kind for the technology sector – and effective security baselines.

However, this will not be the only area the EU will focus on. In late December, the European Commission launched a new consultation on how to establish a public private partnership (PPP) on cybersecurity, which is part of the EU’s Digital Single Market Strategy. The PPP is expected to become operational this year, which is an ambitious timeline. The consultation also includes issues vital to increasing the level of network and information security across Europe: certification, standardization and labelling.

All of this could make 2016 the year that shifts cybersecurity in Europe from a topic of conceptual debate to the concrete foundation that is so urgently needed. It is time to roll up our sleeves.

Jan Neutze, Director of Cybersecurity Policy, EMEA

Cloud computing in government: security considerations

January 14th, 2016 No comments

The last few months have seen a number of government information technology (IT) departments around the world move towards adopting cloud computing as one of the solutions deployed to deliver services to their citizens. Countries as diverse as Slovenia and Saudi Arabia are recognizing that cloud computing can ultimately mean more agile government services – with more predictable cost, reduced infrastructure overheads and increased efficiency and responsiveness. Government adoption of this technology, beyond the traditional first movers such as Estonia, represents a strong validation of how far cloud computing has come in the past few years.

However, moving important workloads to the cloud requires more than just pressing a button. Governments have explored different approaches towards ensuring that the cloud services they use address their privacy, security, availability and other concerns. A particularly prescriptive approach was developed by the U.S. government, whose Federal Risk and Authorization Management Program (FedRAMP) introduced a laundry list of requirements that need to be met before a particular cloud vendor can be engaged. Other governments have issued guidelines that leave more room for the vendors to determine how a particular requirement should be met, recognizing that the pace of innovation makes inflexible policy making impossible. One such example is New Zealand’s Requirements for cloud computing and the associated Security and Privacy Considerations, which together represent a robust risk-based approach towards adopting cloud computing.

To assist governments in understanding the principles of cloud security, Microsoft frequently responds to government consultations and works with others in the industry to drive awareness and understanding of how cloud services differ from on-premises computing. We also share information to help different agencies evaluate the ability of Microsoft’s cloud services to meet the requirements they put in place. To extend the example given above, we have recently published documents specifically aimed at addressing the New Zealand Security and Privacy Considerations for Microsoft Azure, Microsoft Office 365, Microsoft Dynamics CRM Online and Microsoft Intune, which are available for download at the following links:

Moreover, we seek to drive best practices by consolidating different approaches we have seen and highlighting those that have been proven to drive the best security outcomes. For instance, to support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft in 2015 developed Transforming Government: A cloud policy framework for innovation, security, and resilience, which I blogged about before. The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best practice implementation, often by governments around the world, which highlights how the principles can be practically realized. More detailed papers specific to cloud security will follow in the coming months.

Ultimately, we hope our work will enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.

Japan zeros in on cybersecurity

January 13th, 2016 No comments

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A confluence of events in 2015 catalyzed important actions from the Government of Japan. A key wakeup call was the May Japan Pension Service hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, Japan is readying itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics – global events that will allow the country to demonstrate its technology prowess and its commitment to cybersecurity.

In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. The Strategy is worth highlighting given its unique focus on the Internet of Things. Unlike other similar documents around the world, the Japanese government recognizes the opportunities of this budding technology, as well as the inherent security risks, and sets the country on the path towards leadership in this space – finding solutions that are scalable and globally harmonized. The recognition of the value and importance of innovation and partnership with the private sector, not just for the economy, but for increasing security, represents another important aspect of the document.

The Strategy is also important as it puts forward a desire of the Japanese government to play a greater role in international cybersecurity efforts, a step that can only be welcomed. Japan already engages in capacity building, in particular in the Asia-Pacific region and has also developed a number of bilateral relationships in this space. However, with its technology capability, established trusted relations with key governmental players, and its unique perspective, a strengthened commitment to capacity building and developing cybersecurity norms will be noted and beneficial.

This was clear at the Cyber3 Conference, which was hosted by the Japanese government in partnership with the World Economic Forum last November. The two-day conference looked at opportunities to address challenges across three different topic areas: cybercrime, cybersecurity and cyber-connection, and attracted stakeholders from Japan and across the world. Microsoft was delighted to have been invited as a participant and led the policy section of the cybercrime track. Four key calls to action emerged: 1) there is a clear need for building coordinated public-private partnerships and information sharing to manage cyber-risk; 2) as technology adapts, so must our security responses; 3) similarly, policy and legal frameworks need to keep pace with innovation; and finally 4) international frameworks, in particular the mutual legal assistance treaty processes, need to be revisited for us to be able to successfully fight cybercrime. You can find the detailed overview of the discussion here.

The government has, however, not left it at that. We expect the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the agency responsible for developing the national cybersecurity policy and ensuring the security of the different public sector organizations, to put forward a number of proposals in the coming months – spanning cloud security, vulnerability reporting, as well as the revision of the Basic Cybersecurity Act, even though it is barely a year old. These are all critical issues for a country poised to take the lead in an area important to the global economy, and Microsoft remains a committed partner to ensuring the government’s success in this space.

Transforming Government: Presenting a cloud policy framework for innovation, security, and resilience

October 23rd, 2015 No comments

Around the world, organizations big and small are moving to the cloud to achieve more, faster. Cloud computing is no longer considered solely a transformative new generation of technology but a platform to enable ever greater efficiencies, deliver big data analytics, and empower the Internet of Things. As KPMG recently put it: “The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”.

While the first wave of cloud adopters has largely been from the private sector, in recent years, governments are increasingly and incrementally adopting a cloud-first approach – instructing their ministries, departments and agencies to choose cloud services whenever possible. Those countries have understood that cloud computing provides a secure, efficient and cost-effective alternative to traditional on-premises systems. In addition, they are recognizing the innovative potential that cloud computing brings, allowing them to work more closely with their citizens and deliver more intuitive e-government services.

However, the fundamentally different nature of cloud computing has meant that governments are uncertain about how to best adjust to and optimize for the distinct challenges and opportunities that cloud services introduce. Understanding how to make the right policy, operational, and procurement decisions can be difficult with any new technology, and doing so can seem especially daunting with cloud computing because it has the potential to alter the paradigm of how business is done.

To support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft has developed Transforming Government: A cloud policy framework for innovation, security, and resilience. This white paper is the first in our series of cloud security policy publications, advancing ideas and cloud security concepts about which later papers will provide more detail.

The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best practice implementation, often by governments around the world, which highlights how the principles can be practically realized.

Later papers will go into more detail on relevant international standards and best practices for data governance, mitigating cloud security risks, and structuring government policy decisions and responsibilities – building on the framework provided today and focusing on the questions that we frequently hear from government customers. Ultimately, this series of papers seeks to enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.

A Week in The Hague: The Global Conference on Cyberspace (GCCS)

May 1st, 2015 No comments

Cybersecurity experts from around the world recently gathered at the Global Conference on Cyberspace (GCCS) in The Hague. Over a thousand delegates from across the private sector, government and civil society attended the main conference, and many used the opportunity to promote practical cooperation in cyberspace, enhance capacity building and to discuss norms of state behavior in cyberspace.

While such events are easily dismissed, I came away from the conference more convinced than ever that meaningful international cooperation is possible. Public-private sector cooperation is critical to protect the free, open and secure Internet that we have all grown used to and that our economies increasingly depend on. Numerous events have taken place over the past year – one only needs to open a newspaper – that drove home the fact that while cyberspace provides us with numerous opportunities, it also increases the potential for actors wishing to do harm. Indeed, many of my discussions highlighted the increased awareness that virtual attacks might cause real and physical damage that could result in loss of life, or indeed spill over into a kinetic reaction.

Unintended escalations can only be avoided if all stakeholders can work together across borders to come to an agreement around what is acceptable and what is unacceptable behavior online. Dialogue such as that initiated at The Hague further cements my view that governments in particular need to define the appropriate parameters of government behavior online. With the advance of an open and global Internet, governments need to balance the national security or law enforcement interests they may have against their interest in promoting a protected and open environment for commerce and communication.

One such example is the Mutual Legal Assistance Treaty (MLAT), which governments currently rely on to seek to collect or compel information across borders. We talked about this before, most recently on our Microsoft on the Issues blog. The bureaucratic hurdles it puts into place might have been appropriate for the problems of the 19th century, but are no match for the speed of the 21st. The panel I participated on univocally called for the review of the Treaty approach, establishing a new international legal framework with independent and accountable courts and subject to strong checks and balances.

Similarly, many of the participants called for the discussion around cybersecurity norms of behavior to be taken to the next level. We agree with that view. Late last year Microsoft put forward six potential norms for discussion in our “International cybersecurity norms, reducing conflict in an internet-dependent world” paper. Nation states need to continue this dialogue and work to evolve in this space.

What I found particularly positive was the growing acknowledgement that the private sector has a key role to play in the development of international cybersecurity norms. The ongoing international public-private dialogue that began in London, and continued through the Budapest and Seoul conferences, has played an important role in galvanizing the commitment to multi-stakeholder cooperation. With this year’s event the Dutch government has taken it to the next level. We need to leverage the momentum from The Hague and drive for concrete improvements between now and the next GCCS in 2017 in Mexico.

Cloud computing and government: understanding security and resiliency benefits

March 12th, 2015 No comments

Around the world, governments are looking to cloud computing to help them meet their goals. On February 12, I published a blog post within which I highlighted that, in recent years, more than 50 governments have published strategies or initiatives that focus on cloud computing. As I described, their approaches to cloud adoption vary. However, certain government perspectives consistently emerge.

For instance, many governments devote considerable space to articulating the benefits of cloud computing. They capture how using cloud services can help them achieve far greater computing power and scalable, on-demand services, enabling them to address key public priorities with increased agility. In addition, they recognize how cloud computing might dramatically reduce their operating costs and enable them to shift employee resources toward innovating and better serving their communities. However, few governments devote much space to exploring how cloud computing might help improve their security or better ensure the availability or resilience of their data or services.

Instead, cloud security is often framed in government strategies and initiatives as a challenge. Likewise, in its 2014 paper entitled Cloud Computing: The Concept, Impacts and the Role of Government Policy, the Organization for Economic Co-operation and Development (OECD) characterized security and risk management in the cloud as a challenge. However, the OECD paper also acknowledged “the potential for cloud computing to diminish vulnerabilities—an aspect that is sometimes neglected.” Indeed, the OECD paper listed numerous security benefits of cloud computing, especially when the resources of large cloud services providers (CSPs) are utilized. Relative to governments, OECD wrote that large CSPs may provide physical access control more cheaply, improve computing resources dedicated to security more easily, and install critical updates more habitually.

The potential security and resiliency benefits of cloud may sometimes be neglected or overlooked not only because moving IT resources off premises creates real challenges but also because of the anxiety that accompanies any major change. Still, a few governments have recently started to acknowledge the potential security and resiliency benefits of utilizing cloud services. For instance, in late 2014, Estonia conducted a successful research project with Microsoft, testing the resiliency benefits of moving two government services to the public cloud. Indeed, in Comparison of Availability Between Local and Cloud Storage, a 2015 study, the Leviathan Security Group explained that large CSPs can better ensure high availability during emergencies than on-premises IT because of geographic replication. In addition, in February 2015, in the wake of several Bolivian government websites being hacked, Bolivian lawmakers announced that they are developing a “sovereign cloud” to strengthen the nation’s cybersecurity.

As governments evaluate all of the ways in which cloud computing can help them achieve their goals, Microsoft encourages them to consider the security and resiliency benefits that may be applicable to certain government data sets or services. In the coming months, this blog series will continue to evaluate what we’ve learned from working with governments on cloud security. It will also examine how cloud strategies might help governments to mitigate cloud security and compliance risks, enabling them to realize cloud benefits, including security and resilience as well as lower costs and increased agility.