
Artificial intelligence and cybersecurity: The future is here

November 14th, 2016

Although we’re a very long way from putting artificial intelligence (AI) in charge of national defense, the use of AI in cybersecurity isn’t science fiction. The ability of machines to rapidly analyze and respond to unprecedented quantities of data is becoming indispensable as the frequency, scale and sophistication of cyberattacks all continue to increase.

The research being done today shows that automated cybersecurity systems can do many things with only limited human oversight. Through neural networks, heuristics, data science and similar techniques, systems are being designed to identify cyberattacks, to spot and remove malware, and to find ways to fix bugs faster than any human could. In some respects, this work is simply an extension of the principles that people have become used to in their mail filters or firewalls. That being said, there is something qualitatively different about the AI “end game”, i.e. having cybersecurity decisions taken by technology without human intermediation.

This novelty brings with it entirely new challenges. For example, what would legal frameworks around such cybersecurity look like? How would we regulate their creation and their use? What would we in fact regulate? There has already been some insightful writing and research done on this (see Potential AI Regulatory Problems and Regulating AI systems for example), but for policy-makers the fundamental challenge of defining what an AI is and what it is not remains. Without such fundamentals, even outcome-oriented approaches could fall short, as there is no certainty about when they must be used.

“If our brains were simple enough for us to understand them, we’d be so simple that we couldn’t.” (Ian Stewart, The Collapse of Chaos: Discovering Simplicity in a Complex World)

In fact, AI technologies will be complex. Many government policymakers may struggle to understand them and how best to oversee their integration and evolution in government, society and key economic sectors. This is further complicated by the chance that the creation of AI might be a globally distributed effort, operating across jurisdictions with potentially distinct approaches to regulation. Smart cars, digital assistants, and algorithmic trading on financial markets are already pushing us towards AI. How could we improve the understanding of the technology, transparency about its decision making, the integrity of its development and ethics, and the actual control of the technology in practical terms?

But it is also critical to understand the role AI can and will play in cybersecurity and resilience. The technology is initially likely to be “white hat”, enabling critical infrastructures to protect themselves and the essential services they provide to the economy, society and public safety in new and novel ways. AI may enable systems to anticipate and rapidly mitigate security incidents or advanced persistent threats. But, as we have seen elsewhere in cybersecurity, we will likely see criminal organizations or nation states seek to exploit AI to evade cybersecurity defenses or even to attack. This means that reaching consensus on cybersecurity norms becomes more important and urgent. The work on cybersecurity norms will need more public and private sector cooperation globally.

In conclusion, it is worth noting that despite the challenges posed by AI in cybersecurity, there are also interesting and positive implications for the balance between cybersecurity and cyber-resilience. If cybersecurity teams can rely on smart systems to play defense, their focus can turn to preparing to handle a successful attack’s consequences. The ability to reinvent processes, to adapt to “black swan” events and to respond to developments that violate the fundamental assumptions on which an AI is built should remain distinctly human for some time to come.


Cybersecurity and cyber-resilience – Equally important but different

November 3rd, 2016

The October Mirai-based IoT attack demonstrated an important and often neglected consequence of technology’s expansion into every aspect of our daily lives, as well as into the systems that underpin our economies and societies. We have never been as exposed to cyberattacks, and because of technology’s pervasiveness in our lives, the possible consequences of attacks such as the one that occurred last month are going to be more widespread and troublesome than in the past.

The particulars of the attack, from its scale to the use of everyday devices such as webcams, are interesting and worrying in themselves (see here and here for excellent pieces), but they also raise a key question. Security professionals have long accepted that no interconnected system will ever be 100% secure, and that there will soon come a time when even the fundamental underpinnings of the Internet itself could be put at genuine risk of failure due to cyberattacks. If this is the case, should the resources we put into preventing successful cyberattacks be matched by our preparations for handling a successful attack’s consequences? In other words, shouldn’t cyber-resilience be treated on a par with cybersecurity?

From a policy-making perspective, one challenge in answering this question is that there is no global definition of cyber-resilience, and therefore only limited agreement on how to achieve it. Even if we can sidestep this theoretical hurdle and consider how we could design our systems (social, commercial, political) so that they would be able to continue to operate at some level in the face of “black swan” violations of those systems’ fundamental assumptions, we are not much closer to a solution. Suggesting we plan for even a brief period where, for example, there is simply no electricity may seem like planning for the sun not rising one morning. The reality is, however, that cyberattacks are not zero-sum games where a breach means unavoidable system failure. With complex technologies there will be as many ways of working around an attack as there are ways of carrying it out. Investing in cyber-resilience will make this practicable.

How could that be achieved? I believe it will be critical that we focus on readiness, responsiveness and being able to reinvent our systems and processes over the course of a cyberattack. Readiness is a long-term function, underpinned by assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions. Responsiveness is the detection, identification and alleviation of a cyberattack as it happens, keeping systems functioning in the process of doing so. Reinvention will lead off from the response, and should seek to adapt to what might be either a period of extended stress or a short, sharp shock, finding new ways to protect systems and deliver services that have been disrupted.

The structures and processes necessary for this kind of cyber-resilience are distinct from those that go into cybersecurity, although there are some shared technical skills and processes. For any organization realistically comparing its cybersecurity needs with its cyber-resilience needs, however, the differences between the two are clear. Specifically, resilience requires a focus on culture as much as on technology. Organizational leadership needs to set forward-looking, outcome-oriented goals with clear accountability, and to foster planning at all levels. Creativity in managerial, operational, and technological approaches is also essential, encouraging teams facing the consequences of a cyberattack to take risks, fail fast, learn faster, and maintain a can-do attitude in the face of adversity. Investment in research, education, and identification of best practices needs to underpin this cultural aspect in the long term.

In conclusion, cybersecurity and cyber-resilience should be recognized as two distinct but complementary disciplines. These disciplines grow more crucial with the rapid evolution and increasing ubiquity of technology in our modern society. For now, cybersecurity gets more headlines than resilience amongst political and business leaders, but one without the other will never be enough to secure our societies and economies, or sufficient to withstand chronic stresses and acute shocks.


FedRAMP High: Trust is cloud security validated

The latest Government Accountability Office report dealing with the security of high impact information technology (IT) systems continues to point out opportunities for improvement in cybersecurity across the US Federal Government. While improvements have been made, the persistence of the challenge is disquieting. Particularly troubling is that many of the concerns result from long-standing and well known inefficiencies in the government’s current IT environment, such as low asset utilization, fragmentation, legacy systems, and challenging procurement processes. Cloud computing can help address many of those, and at the same time improve government service delivery – at a lower cost – ultimately providing agencies with the ability to deliver secure, reliable, and innovative services quickly despite resource constraints.

When the Obama Administration issued its Cloud First Policy five years ago, with a clear aim of encouraging the Federal Government to harness the benefits of cloud computing, one question remained for many agencies: given the level of security required, would my data be secure? The Cloud First policy accelerated the rate at which government could realize the value of cloud computing by – among other things – requiring government agencies to evaluate the security of cloud computing options before making new investments. This single action not only required government agencies to familiarize themselves with cloud computing during each new acquisition, but also incentivized vendors to drive further investments in security.

To streamline this process, the Federal Risk and Authorization Management Program, or FedRAMP, was developed. It represents a government-wide, standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP was designed with the objective of saving 30 to 40 percent of government IT costs, in addition to reducing the amount of agency time and staff needed to conduct redundant security assessments. However, up until last month, Federal agencies could only migrate low and moderate impact workloads to the cloud – not mission critical, high impact systems – as no vendors had been certified to provide those services.

These high impact data systems tend to sit in agencies that deal with security, where information that is disclosed, modified or made unavailable could have severe and even catastrophic effects on organizational operations and assets. While high impact systems only constitute 20 percent of all federal systems, they represent nearly 50 percent of government spending dollars – much of it owing to the additional security concerns noted above. The finalization at the end of June of the FedRAMP High Security Baseline, a draft set of security controls at the High/High/High categorization level for confidentiality, integrity and availability, is therefore even more significant. It not only signals an important milestone in cloud security; it is also estimated that it will drive significant cost savings from the U.S. government’s annual $80 billion IT budget.

Microsoft was selected as one of the vendors that took part in the FedRAMP High Pilot earlier this year. The pilot sought to deepen the understanding of the objectives and the process for both the government and Cloud Service Providers, increase the level of rigor, shorten timeframes, as well as broaden the scope of control applicability. The success of the pilot contributed significantly to the development and refinement of the FedRAMP High Security Baseline and we are happy to report that we successfully received a High Impact Provisional Authority to Operate (P-ATO) approval for the Azure Government environment.

In addition to our work on FedRAMP with the US government, we are engaged with governments and customers around the world to ensure that they can adopt cloud computing securely and effectively. As a result of our global engagements, and reflecting different cultural and organizational experiences, Microsoft developed the Transforming Government: A cloud assurance program guide. It was designed to help governments as they develop and implement cloud assurance programs – reflecting best practices, but also lessons learnt from initiatives such as FedRAMP. We understand that the primary goal of any government cloud assurance program needs to be managing information security risks, while at the same time enabling that government to take advantage of the many benefits and opportunities of cloud services. Achieving that goal requires risk-based decision making at every step of a government’s process of developing and implementing a cloud assurance program. While developing such a process represents a substantial foundational investment, experience shows that it pays significant dividends over time, as it enables governments to leverage secure cloud solutions to deliver and extend citizen services.

Angela McKay
Director of Cybersecurity Policy


Microsoft’s Perspective on the Benefits, Challenges, and Potential Roles for Government in Fostering the Advancement of the Internet of Things (IoT)

June 15th, 2016

Microsoft recently filed comments with the U.S. Department of Commerce and the National Telecommunications and Information Administration (NTIA) on the benefits, challenges, and potential roles for the government in fostering the advancement of IoT, which can be read here. In addition to commending NTIA for undertaking this timely public consultation and for providing comments received for public review, I wanted to summarize Microsoft’s policy perspectives and recommendations.

Microsoft’s comments encourage policymakers to more broadly support efforts that will advance consumer and enterprise trust in IoT technology and help IoT realize its full potential. The government should encourage initiatives that recognize and emphasize the following:

  • Best practices for IoT cybersecurity that are appropriately scoped to the roles of different actors in the IoT ecosystem.
  • Modernization of traditional privacy frameworks, such as the “notice and consent” framework, to increase the focus on transparency, context, and consumer expectations for scenarios where notice and consent are impractical.
  • Support for industry-led efforts to develop open, voluntary, consensus-based, and globally-relevant standards that promote innovation and preserve interoperability, to ensure new IoT systems and legacy technology systems can work together.
  • International engagement that takes into account other countries’ IoT strategies and initiatives as well as international trade commitments.

To put these policy priorities into action, Microsoft offers three recommendations for the government:

  • Create an IoT interagency task force. This task force can coordinate with existing organizational bodies to foster balanced perspectives between security, economic benefits, and potential risks. Participants from across government agencies would set milestones for completion, particularly focusing on 1) directing the update of federal strategic documents to consider the security aspects of the explosive growth of and reliance on IoT; 2) directing the update of existing awareness and training programs; 3) encouraging and incentivizing academia to develop curricula focused on IoT and security challenges; and 4) encouraging engagement in appropriate international forums for standards and policy development.
  • Convene and facilitate a government and industry standing body. Through a public-private standing body, key stakeholders can coordinate, collaborate and leverage the various industry IoT consortia to develop, update, and maintain IoT deployment guidelines to manage cybersecurity implications and risks. This body would adopt an international perspective that takes into account the significant work on IoT-related standards outside of traditional channels in standards development organizations.
  • Review current research and development (R&D) investments and recommend future R&D funding for fundamental IoT security and cyber-physical security research. The Office of Science and Technology Policy should review R&D funding and investments, specifically for fundamental IoT and cyber-physical security research and help ensure the R&D projects are addressing evolving cybersecurity challenges.

Governments have an important role in ensuring that IoT innovations continue. Microsoft looks forward to continuing to work with NTIA to address the benefits and challenges of IoT in the future. For more details on Microsoft’s approach to IoT security, please download our recent white paper, Securing Your Internet of Things from the Ground Up, and visit www.InternetofYourThings.com if you would like to learn more about Microsoft’s role in the IoT ecosystem.


Survival of the most (cyber) resilient

June 6th, 2016

By 2045, more than 70% of the world’s population will live in urban areas, giving cities a level of power and importance unrivaled in all of human history. But their leaders must also face new challenges that were once the domain of the nation state alone, including unemployment and gentrification, climate change, terrorism, and the impact of rapid digitization.

Because cities wish to thrive, rather than merely survive, many are turning to technology for help. “Smart cities”, which make use of the Internet of Things, big data and cloud computing, are an increasing reality. This can pave the way for more prosperous, sustainable and competitive urban communities, but it also brings challenges. The more data available to help cities, the higher their potential exposure. The digital systems which underpin a city’s inner workings and service provision can be vulnerable. And the digitization of systems such as energy and transport networks increases potential risks to the most critical infrastructure.

In order to make the most of the transformative potential of technology without compromising security, cities are becoming increasingly innovative in how they manage such risks. A new discipline, known as “cyber resilience”, is emerging, with organizations shifting from a prevention-first mentality to focus instead on capabilities for readiness, response and reinvention.

Rotterdam, the Netherlands’ second-largest city, is a case in point for what successful reinvention looks like. “Rotterdammers”, as the city’s 630,000 residents are known, have faced more than a few challenges in their time: from the near-constant threat of flooding (now kept at bay by a complex system of dykes and levees), to the total destruction of the city center during World War II. But resilience is in Rotterdam’s blood – the municipal motto is “stronger through struggle” after all – and it has grown into a thriving economic and industrial hub.

In 2013, the city’s determination to prepare for the future led it to be chosen as one of the Rockefeller Foundation’s inaugural 100 Resilient Cities. This initiative aims to help cities across the globe “become more resilient to the physical, social and economic challenges that are a growing part of the 21st century.” In practice, this means giving cities the tools, resources and networks they need to adequately prepare for, and reduce the impact of, one-off shocks such as natural disasters, or daily stresses which make the city a less pleasant place to live.

The ability to bounce back from failure is as critical in cyberspace as in any other domain – if not more. That is why Rotterdam earlier this month launched a resilience strategy which includes a specific focus on cyber – making it the first European city to ever do so.

As a key economic engine of the Netherlands and Europe, Rotterdam is a large industrial complex in a relatively small area, with large-scale infrastructure and thousands of companies which are all increasingly dependent on properly functioning ICT to sustain jobs and maintain growth.

As a formal partner of 100 Resilient Cities for 18 months, Microsoft has worked closely with Rotterdam on the creation of this strategy, whose aim is to create a thriving, prosperous and cyber-resilient port city where the opportunities of digitization can be leveraged with minimal risk, and where businesses can innovate and grow for generations to come.

The world will continue to urbanize and digitize at a dramatic pace. Cities that adapt and innovate in the face of these constant changes will reap significant benefits for their citizens, economies, and security. But such success will not be easy. It requires commitment from both the public and private sector to develop and implement long-term cyber resilience strategies. These plans must be living documents with broad support from residents. The Rotterdam strategy helps to show that the difference between surviving and thriving in the face of 21st century challenges is cyber resilience.


Cyber Resilience: rethinking risk management

May 9th, 2016

The rapid pace of technological evolution and dramatic increases in connectivity are sparking discussion about what systemic cyber risks might look like and how best to manage them. In late April, Microsoft partnered with the World Economic Forum Council on Risk and Resilience on a workshop addressing the topics of systemic cyber risk and possible approaches to avert the dangers it poses. The interactive workshop focused on the financial services, transportation and healthcare sectors – given their importance to national economies, national security and the well-being of citizens, and the potential impact of any systemic disruption. The event was the first step in developing a World Economic Forum report on the topic and examined the challenges of building resilience in today’s rapidly evolving technology and threat environments.

Diagnosing the problem

In order to continue to improve resilience to systemic cybersecurity risks, we have to develop a more thorough understanding of what systemic risk really means and the role it has in some of the most important sectors of the economy. I was fortunate to moderate our initial panel discussion, which was dedicated entirely to exploring the definitions of systemic risk and possible approaches to increasing the resilience of online ecosystems in light of those. Panelists examined key vulnerabilities, identified single points of failure, and sought to understand the potential systemic consequences inherent in today’s risk environment. Perhaps Phil Reitinger captured it best: this might be one of the “you know it when you see it” categories. Ultimately, although systemic risk is inherently difficult to describe, there was widespread agreement that without a stronger definition, the term loses all meaning and importance. While a simple way to think about systemic risk is as a cyber risk that rises above the enterprise level, we have to go deeper.

One way to do this is by refining the key characteristics we can agree help define systemic risk, including critical functions, interconnectedness, and contagion. We first must align on what is meant by systemic risk and the threat at hand if we are to work cooperatively on what investments will be needed by enterprises and infrastructures to ensure greater cyber resilience.

Building better cyber resilience

As we improve our understanding of systemic cyber risk, the next challenge is using this knowledge to build better cyber resilience. While this is a complex and long-term challenge, the first step is understanding that there will be no simple technological fix. Solving this issue will require proactive efforts and the adaptability to quickly learn from mistakes. Moreover, harmonization of approaches – across geographies and infrastructures – will be critical in increasing resilience. Those were the issues raised in the second panel, moderated by my colleague Angela McKay.

Here participants discussed two steps: incentivizing collaboration between those facing or defending against cyberattacks, and improving metrics for cyber resilience. To make meaningful progress, partnership between the private and public sectors, including at the state and local levels, is essential. While those perpetrating cyberattacks frequently collaborate actively and have strong, shared incentives, that is not always the case with the defenders. The panel explored measures that could help entities of all types and sizes refine their enterprise risk management strategies and identify targeted areas for key investment. It was acknowledged that metrics that can succinctly and effectively evaluate organizations’ resiliency to systemic cyber risk will go a long way in helping industry leaders and policymakers develop more rigorous cybersecurity defenses. The conversation ended with a debate on incentives, in particular around how cultural and organizational change – rather than just technological change – can be driven, and highlighted challenges related to human resources, cyber-insurance, and ratings.

The future of cyber resilience

We are just beginning to understand what should constitute effective resilience strategies. As we explored during the workshop, we have a tremendous opportunity and responsibility to work together on this topic. This is an issue that can’t be fixed by just one company or government, but instead will require focused effort from all parties affected. The workshop was a tremendous opportunity to start this work – as it will take critical investment by enterprises and governments to begin to increase our collective cyber resilience. Microsoft was pleased to work with the World Economic Forum Council to bring key experts together and hear their perspectives, and to help champion these efforts moving forward.


Global cybersecurity policy: Finding a balance between security and competitiveness

May 2nd, 2016

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations and the global cybersecurity market is forecast to be worth US$170 billion by 2020, growing in step with significant advancements in cloud computing, the Internet of Things (IoT), and other technologies that are changing the way we communicate and work. The IoT security market itself is expected to grow from US$6.89 billion in 2015 to US$29 billion in 2020. Other high growth areas include security analytics, mobile security and cloud security.

The same concerns are also driving government decision makers to develop responses that seek to ensure that key assets, systems and networks remain protected in this new environment. Today more than half of nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security. These efforts are beginning to solidify into security requirements for a range of businesses, from information technology (IT) providers to critical infrastructures and users of cloud services.

United States: Securing the government

In the United States the focus on cybersecurity has never been greater, in particular if we single out the work done at the federal government level after the breach at the Office of Personnel Management (OPM). In early 2016, President Obama announced the Cybersecurity Action Plan, which aims to raise the levels of cybersecurity across the nation, but particularly for its high-risk assets. With it, the President is driving a new policy and operational focus, for example by appointing a Federal Chief Information Security Officer, and by requesting an additional US$3.1 billion from Congress for the “Information Technology Modernization Fund”.

In parallel, the White House continues to drive policy efforts that seek to enhance the levels of cybersecurity across the country. One of the focus areas continues to be increasing the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, both domestically and internationally. Another is the implementation of the Cybersecurity Act of 2015, which was signed into law in late December. The Act provides a paradigm for one of the essential elements of cybersecurity: the sharing of information on cybersecurity threats and defensive measures among private sector entities and between the private sector and the government.

Japan: Preparation for taking the world stage

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A key wakeup call was the May Japan Pension Service hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, as Japan readies itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics, these global events will allow the country to demonstrate its technology prowess and its commitment to cybersecurity. In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. Furthermore, the government is preparing to revise its Cybersecurity Law, as well as implement concrete action to protect its critical infrastructures, for example by examining structured information sharing.

China: Focusing on the rule of law

China has over the past two years proposed and passed a number of laws that touch on cybersecurity, including the National Security Law, the Anti-Terrorism Law, as well as the Amendment to its Criminal Code, which exposes network service providers that fail to comply with certain cybersecurity obligations to criminal liability. The speed with which the laws are being adopted signals the importance the government places on this area.

The speed also led to concerns expressed by numerous multinational companies, as well as governments, who have been urging the Chinese government to reconsider some of the positions it has been taking. The draft Cybersecurity Law, which amongst other things includes provisions requiring companies to store data locally and to provide encryption keys, and which incorporates an overarching structure for cybersecurity management in the country, was one such example. The latest step in the government push came last month, with the founding of China’s first national non-profit organization for cybersecurity, the Cybersecurity Association of China. It has 275 founding members, including major domestic Internet firms, cybersecurity companies, and scientific research institutions.

Europe: Protecting critical infrastructures

After three years of intense negotiations, the European Union (EU) reached an agreement on the Network and Information Security (NIS) Directive this past December. While some of the details remain to be hammered out, the Directive focuses government efforts on creating cybersecurity capabilities and policies, through the obligation that each of the countries affected create Computer Security Incident Response Teams and national cybersecurity strategies. In following a risk-based approach, it further concentrates government resources on protecting critical infrastructures. The question of how widely or narrowly the 28 EU Member States will interpret that definition will be revealed over the next two years.

The obligations that are being introduced are nevertheless important for a wide range of enterprises which fall under that definition, including a broad number of digital service providers. While digital service providers remain within the Directive’s scope, it recognizes the transnational nature of the online environment, as well as the need for greater harmonization of security requirements overall. An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (i.e. transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

In the coming months, my team will use this blog to examine these and other policies around the world more closely. It is already clear that 2016 could be the year that shifts cybersecurity from a topic of conceptual debate to a more concrete set of practices, obligations and requirements, in particular for enterprises in the critical infrastructure sectors or those providing services to governments. Whether the different countries will be able to ensure that these policies are successful in increasing security for the broader ecosystem hinges on whether the requirements put in place will be complementary, able to align to existing laws, as well as able to adapt to new technologies, such as IoT. Watch this space.

Categories: cybersecurity, Cybersecurity Policy Tags:

A call to raise awareness and adoption of vulnerability disclosure and handling best practices

April 25th, 2016

Over the past few years, technology companies have increasingly moved toward partnering with security researchers to better protect their products, services, and customers. Recognizing that vulnerability research is a valuable part of securing the online environment, they have matured programs to work together with researchers in receiving, triaging, and responding to reports.

Microsoft’s focus on coordinating with researchers has developed over time. As we launched our first BlueHat Briefing in 2005, there was a significant level of distrust on both sides, and we listened to the security community as we evolved our approach. In 2011, we announced a new Coordinated Vulnerability Disclosure (CVD) policy and set of practices, aiming to be transparent and encouraging vulnerability finders to work with us. Since then, we have expanded our BlueHat prizes and bug bounty programs, further incentivizing researchers to work with us as we continue to strengthen our platforms.

Many companies are increasingly becoming software companies. In cars, elevators, wearable devices, and many other products and services, the practice of incorporating software components is exponentially growing. All of these devices and programs can suffer from vulnerabilities that are exploited by criminals. Moreover, unfortunately, for various reasons, including lack of resources, expertise, or understanding of vulnerability research, not all of these companies partner with security researchers that find and report potential vulnerabilities.

To address this gap and promote greater collaboration, Microsoft is working with the U.S. Department of Commerce National Telecommunications & Information Administration (NTIA) and numerous other stakeholders, including security researchers, technology providers, and civil society. In particular, we are co-chairing an NTIA working group that’s focused on increasing awareness and adoption of vulnerability disclosure and handling best practices. The group aims to highlight the overlapping interests of technology providers and security researchers and to develop resources that can support new partners in coordination and ecosystem security.

To guide our working group toward developing the most responsive and helpful resources, we’re seeking information about how vulnerability disclosure and handling are currently being approached. While we already have an appreciation of where concerns and obstacles might lie, we want to ensure that we are addressing the real needs and gaps that are being experienced in the ecosystem. To this end, we have developed short surveys, targeting both security researchers and technology providers and operators, and we encourage you to share and respond to them. Responses will be anonymized, and the surveys will close in mid-May.

The security researcher survey is available here:

https://www.surveymonkey.com/r/securityresearcher

The technology provider and operator survey is available here:

https://www.surveymonkey.com/r/techprovider

Ultimately, all stakeholders within and impacted by the vulnerability information sharing ecosystem—including security researchers, technology providers, technology operators, non-profit coordinators, bug bounty providers, governments, and users—have responsibilities to keep users safe. With your participation in this NTIA working group survey and broader engagement on this issue, we can learn more about how the ecosystem is maturing and what more we can do to support its advancement.


Working to increase the cyber resilience of cities around the globe

February 11th, 2016

A year ago, Microsoft and the Rockefeller Foundation announced that we would be partnering on their 100 Resilient Cities challenge, in an effort to help cities address emerging cyber resilience needs. Our particular objective for joining the effort has been to help cities improve their digital resilience, and ensure that they are better able to withstand and recover from the shocks and stresses that are a growing part of life in the 21st century.

Not a day goes by that we do not read about an organization being targeted by a cyberattack. Any organization or individual, of any size or global standing, is susceptible to a cyberattack. While businesses, governments and individuals are rushing to take advantage of the rapidly developing technologies to deliver a wide array of social and economic benefits, digitalization itself introduces a new range of risks. As a result, we have seen cybersecurity grow beyond being just the responsibility of an IT department to being acknowledged as a company- or government-wide issue that carries far-reaching consequences. Moreover, a new discipline – cyber resilience – has begun to emerge, as organizations slowly begin to make a shift from prevention to resilience, focusing on continuous assessment, preparation for, and response to cyber incidents. The realization that those who survive are not necessarily the strongest or the smartest, but those that can best adapt to new circumstances, applies equally well in cyberspace.

While there is no internationally accepted definition of “cyber resilience” there is a growing consensus that cyber resilience can be defined as the ability of complex cyber systems to continuously deliver the intended outcome despite chronic stressors and acute shocks. Resilient cyber systems also exhibit common resilience attributes including (1) aware, (2) diverse, (3) integrated, (4) self-regulating, and (5) adaptive. Additionally, cyber resilience can best be understood and to some degree assessed by understanding capacities and capabilities for readiness, response, and reinvention. Given those attributes it is clear that cyber resilience is not something that an organization – or in this case a city – can purchase from a vendor. It is built through leadership, teamwork, risk taking, trust, flexibility, and commitment to advance and continually reinvent the digital city.

Since the inception of our partnership, my team has worked with individual cities to help them go beyond focusing on developing “safe to fail” approaches, to understanding the distributed set of capabilities and capacities that they require to be truly resilient – something almost impossible to measure or identify from a strict quantitative perspective.

Through this ongoing work, there is a great opportunity to work with cities across the globe and change the thinking about cyber resilience to be about more than graceful degradation and instead encompass the ability to withstand diminished capacity/capability and to reinvent in the face of prolonged stressors or acute shocks.


Cybersecurity norms: From concept to implementation

February 8th, 2016

Last year Microsoft put forward six cybersecurity norms with the aim of reducing conflict in cyberspace and protecting global trust in technology. They offer considerations for limiting nation-state activity against commercial, mass-market ICT; responsible handling of ICT vulnerabilities and cyber weapons; appropriate conduct of offensive operations in cyberspace; and support for private sector management of cyber events. However, while we remain the only industry player to offer a proposal in this space, the dialogue on cybersecurity norms has evolved even since then.

Indeed, stakeholders from government, academia and civil society have put forward a number of proposals for cybersecurity norms, seeking to address a spectrum of challenges caused by the exploitation of ICT systems. While the proposals are not uniform, they offer a level of overlap that has meant that the discussion has slowly begun to evolve from a conceptual discussion about the rights and responsibilities of nation states towards more clearly articulated norms. The key proposals driving the debate are:

However, even as these proposals begin to take root among governments, many question the feasibility of their implementation. Governments have acknowledged the centrality of international law in cybersecurity norms, but international legal instruments often cannot address the complexity of cyberspace, particularly in non-conflict, short-of-war scenarios. Cybersecurity attack attribution is arguably the most prominent example of this gap, and it has been argued that without it, particularly without establishing whether an attack was perpetrated by a government or its proxies, norms implementation will lack accountability and therefore lack credibility as a policy tool.

Attribution is not impossible, but it can be difficult from both technical and international relations perspectives. The latter represents a typical challenge in diplomatic relations, as nation-states might choose not to act on particular intelligence, for reasons unrelated to cybersecurity (in this case). This lack of action might in the long run undermine the framework itself. From a technical perspective, the private sector has been analyzing attacks and their origins for many years in defending the online environment – irrespective of whether attacks may have been sponsored or conducted by a state. Indeed, several global ICT companies, including Microsoft, have adopted policies and practices designed to alert users of popular online services when it appears that nation-states have targeted them.

In our view, these policies and practices can lay the groundwork for future collaboration with other norms stakeholders to drive accountability in nation-state behavior and ultimately to protect ICT users from compromise of their data by nation-states. As indicated, we believe implementation is only possible as a two-part process involving both technical assessment of the nature of the attack and political determination about nation-state responsibility. These are topics that we will address here and in a coming paper in the months to come.


The continued importance of cybersecurity capacity building

February 3rd, 2016

Over the past decade, billions around the world have benefited from the exponential growth of the online environment and associated economic opportunities. The Internet has transformed from an information exchange platform to a tool that is central to addressing some of our biggest challenges, from delivery of healthcare and education, to increasing energy efficiency and ensuring organizations are more effective and responsive. However, given the increases in computing power, the advances in cloud computing and in big data capabilities, as well as the increasing prevalence of the Internet of Things, it is clear that we are only scratching the surface of what information technology can do.

However, this pervasive use of computing has also given rise to the more nefarious elements of the criminal underworld. As a result, cybersecurity is now a major concern for organizations around the world, and government decision makers are developing responses that seek to ensure the key assets, systems and networks remain protected in this new environment. Today more than half of nation states around the world are developing legislative initiatives that seek to regulate crime online, protect their critical infrastructures, or develop new frameworks for enhancing cloud security.

However, these approaches vary considerably, according to the different needs and stages of development of individual countries. My team has looked at how governments can prioritize their cybersecurity efforts, depending on where they are in the connectivity cycle, in a report a few years back (Hierarchy of Cybersecurity Needs: Developing national priorities in a connected world). Our work on capacity building since has confirmed that its conclusions continue to hold. We have particularly found that governments are increasingly recognizing the recommendation that highlights the importance of risk management and adaptability as the cornerstones of preparedness online.

Microsoft is a strong proponent of capacity building for cybersecurity, and we have endeavoured to develop and share guides, principles and frameworks that we believe will support governments as they seek to tackle this complex environment. The frameworks we developed are based on our own efforts to protect our network and our customers, a practice developed and honed over the past 15 years, as well as on tried and tested practices that we have seen governments put forward. We hope that our efforts help fill the gap in the expertise needed to address the management, technical and operational challenges in cyberspace today.

However, we recognize that this is no simple effort and requires wide participation by industry, governments and non-governmental organizations alike, in particular when it comes to designing the delivery of the capacity building effort in a way that is scalable, sustainable and repeatable. We therefore work closely on initiatives such as the Global Forum on Cyber Expertise and the United States Telecommunications Training Institute (USTTI)’s cybersecurity curriculum, focused on targeting senior government officials in developing markets and enhancing their understanding of risk management best practices. Later this month my team will join USTTI in Ghana to give an overview of our efforts in this space to representatives from over 20 countries in Africa, following on similar initiatives in Washington D.C. over the summer. We will also begin the work with the International Telecommunication Union and its partners to bridge the expertise gap further through developing a new national cybersecurity strategy framework. The thirst for knowledge we see is immense; it is time to work together to quench it.


What’s Next for EU Cybersecurity after the NIS Agreement?

January 25th, 2016

After three years of intense negotiations, the EU finally reached agreement on the Network and Information Security (NIS) Directive this past December. Politically, all that remains to be done is for the text to be formally approved by the European Parliament and the Council of the EU in the coming months. Then Member States will have 21 months to implement this landmark legislation. At a technical level, however, there’s still work to be done. But more on that later.

Firstly, I would like to commend governments on finalizing what I am sure at times seemed like an arduous and thankless process. The final text of the Directive is much more likely to increase cybersecurity readiness across the EU, given its tighter focus on outcomes and the effectiveness of the obligations introduced. It is also positive to see that all Member States are adopting a national cybersecurity strategy and establishing new national authorities dedicated to cybersecurity, as well as Computer Security Incident Response Teams (CSIRTs). The commitment to greater international and intra-European coordination is equally encouraging.

The risk-based approach laid out in the Directive rightly concentrates government resources on protecting critical infrastructure (“operators of essential services”), making an important distinction between digital service providers overall and those who support the aforementioned essential services, by assigning them different sets of obligations. It is particularly important that the transnational nature of the online environment has been recognized and that governments are committed to greater harmonization of security and reporting requirements for digital services.

However, the extent to which EU Member States are able to harmonize the requirements will set the standard for judging the success of the Directive in years to come. The potential for this law to be replicated internationally hinges on the ability of Member States not only to develop new, complementary requirements, but also to align existing ones. Countries such as Germany, France and the Czech Republic have already adopted their own implementation of the NIS Directive ahead of its adoption.

An additional layer of complexity is the different sectoral requirements that could be developed for the different elements of essential services (i.e. transport vs. healthcare sectors) and how these will play out within a particular country and across the EU.

Designing a framework to address some of those concerns will be done through a combination of guidelines to be developed by the European Network and Information Security Agency (ENISA) and a set of implementing acts by the European Commission. ENISA’s ability to coordinate with both governments and the private sector will be critical in order for this process to yield effective and workable results in a relatively short timeframe. This is particularly true with regards to developing an incident reporting scheme – the first of its kind for the technology sector – and effective security baselines.

However, this will not be the only area the EU will focus on. In late December, the European Commission launched a new consultation on how to establish a public private partnership (PPP) on cybersecurity, which is part of the EU’s Digital Single Market Strategy. The PPP is expected to become operational this year, which is an ambitious timeline. The consultation also includes issues vital to increasing the level of network and information security across Europe: certification, standardization and labelling.

All of this could make 2016 the year that shifts cybersecurity in Europe from a topic of conceptual debate to becoming the concrete foundation that is so urgently needed. It is time to roll up our sleeves.

Jan Neutze, Director of Cybersecurity Policy, EMEA


Cloud computing in government: security considerations

January 14th, 2016

The last few months have seen a number of government information technology (IT) departments around the world move towards adopting cloud computing as one of the solutions deployed to deliver services to their citizens. Countries as diverse as Slovenia and Saudi Arabia are recognizing that cloud computing can ultimately mean more agile government services – with more predictable cost, reduced infrastructure overheads and increased efficiency and responsiveness. Government adoption of this technology, beyond the traditional first movers such as Estonia, represents a strong validation of how far cloud computing has come in the past few years.

However, moving important workloads to the cloud requires more than just pressing a button. Governments have explored different approaches towards ensuring that the cloud services they use address their privacy, security, availability and other concerns. A particularly prescriptive approach was developed by the U.S. government, which with the Federal Risk and Authorization Management Program (FedRAMP) introduced a laundry list of requirements that need to be met before a particular cloud vendor can be engaged. Other governments have issued guidelines that leave more room for the vendors to determine how a particular requirement should be met, recognizing that the pace of innovation makes inflexible policy making impossible. One such example is New Zealand’s Requirements for cloud computing and the associated Security and Privacy Considerations, which together represent a robust risk-based approach towards adopting cloud computing.

To assist governments in understanding the principles of cloud security, Microsoft frequently responds to government consultations and works with others in the industry to drive awareness and understanding of how cloud services differ from on-premise computing. We also share information to help different agencies evaluate the ability of Microsoft’s cloud services to meet the requirements they put in place. To extend the example given above, we have recently published documents specifically aimed to address the New Zealand Security and Privacy Considerations for Microsoft Azure, Microsoft Office 365, Microsoft Dynamics CRM Online and Microsoft Intune, which are available for download at the following links:

Moreover, we seek to drive best practices by consolidating different approaches we have seen and highlighting those that have been proven to drive the best security outcomes. For instance, to support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft in 2015 developed Transforming Government: A cloud policy framework for innovation, security, and resilience, which I blogged about before. The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best practice implementation, often by governments around the world, which highlights how the principles can be practically realized. More detailed papers specific to cloud security will follow in the coming months.

Ultimately, we hope our work will enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.


Japan zeros in on cybersecurity

January 13th, 2016

Japan is poised to take exciting steps towards improving cybersecurity in 2016. A confluence of events in 2015 catalyzed important actions from the Government of Japan. A key wakeup call was the May Japan Pension Service Hack, which brought home the realization that as personal information is increasingly stored online, it also needs to be better protected. Additionally, Japan is readying itself to host the 2016 G7 Summit and the 2020 Olympics and Paralympics – global events that will allow the country to demonstrate its technology prowess and its commitment to cybersecurity.

In preparation for these events, the government is taking important steps to secure and increase the resilience of the Japanese online ecosystem. In September 2015, the Japanese Cabinet approved the second Japanese Cybersecurity Strategy, which outlines the country’s approach to cybersecurity for the next three years. The Strategy is worth highlighting given its unique focus on the Internet of Things. Unlike other similar documents around the world, the Japanese government recognizes the opportunities of this budding technology, as well as the inherent security risks, and sets the country on the path towards leadership in this space – finding solutions that are scalable and globally harmonized. The recognition of the value and importance of innovation and partnership with the private sector, not just for the economy, but for increasing security, represents another important aspect of the document.

The Strategy is also important as it puts forward a desire of the Japanese government to play a greater role in international cybersecurity efforts, a step that can only be welcomed. Japan already engages in capacity building, in particular in the Asia-Pacific region and has also developed a number of bilateral relationships in this space. However, with its technology capability, established trusted relations with key governmental players, and its unique perspective, a strengthened commitment to capacity building and developing cybersecurity norms will be noted and beneficial.

This was clear at the Cyber3 Conference, which was hosted by the Japanese government in partnership with the World Economic Forum last November. The two-day conference looked at opportunities to address challenges across three different topic areas: cybercrime, cybersecurity and cyber-connection, and attracted stakeholders from Japan and across the world. Microsoft was delighted to have been invited as a participant and led the policy section of the cybercrime track. Four key calls to action emerged: 1) there is a clear need for building coordinated public-private partnerships and information sharing to manage cyber-risk; 2) as technology adapts, so must our security responses; 3) similarly, policy and legal frameworks need to keep pace with innovation; and finally 4) international frameworks, in particular the mutual legal assistance treaty processes, need to be revisited for us to be able to successfully fight cybercrime. You can find the detailed overview of the discussion here.

The government has however not left it at that. We expect the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the agency responsible for developing the national cybersecurity policy and ensuring the security of the different public sector organizations, to put forward a number of proposals in the coming months – spanning cloud security, vulnerability reporting, as well as the revision of the Basic Cybersecurity Act, even though it is barely a year old. These are all critical issues to a country poised to take the lead in an area important to the global economy, and Microsoft remains a committed partner to ensuring the government’s success in this space.


Transforming Government: Presenting a cloud policy framework for innovation, security, and resilience

October 23rd, 2015

Around the world, organizations big and small are moving to the cloud to achieve more, faster. Cloud computing is no longer considered solely a transformative new generation of technology but a platform to enable ever greater efficiencies, deliver big data analytics, and empower the Internet of Things. As KPMG recently put it: “The question is no longer: ‘How do I move to the cloud?’ Instead, it’s ‘Now that I’m in the cloud, how do I make sure I’ve optimized my investment and risk exposure?’”.

While the first wave of cloud adopters has largely been from the private sector, in recent years, governments are increasingly and incrementally adopting a cloud-first approach – instructing their ministries, departments and agencies to choose cloud services whenever possible. Those countries have understood that cloud computing provides a secure, efficient and cost-effective alternative to traditional on-premises systems. In addition, they are recognizing the innovative potential that cloud computing brings, allowing them to work more closely with their citizens and deliver more intuitive e-government services.

However, the fundamentally different nature of cloud computing has meant that governments are uncertain about how to best adjust to and optimize for the distinct challenges and opportunities that cloud services introduce. Understanding how to make the right policy, operational, and procurement decisions can be difficult with any new technology, and doing so can seem especially daunting with cloud computing because it has the potential to alter the paradigm of how business is done.

To support governments as they think through their approaches to information and communication technology (ICT) policy and transition to cloud services, Microsoft has developed Transforming Government: A cloud policy framework for innovation, security, and resilience. This white paper is the first in our series of cloud security policy publications, advancing ideas and cloud security concepts about which later papers will provide more detail.

The paper presents and describes six policy principles, which seek to help government ICT decision-makers develop a framework for secure cloud computing adoption. The principles are designed to support governments as they develop cloud policies that strategically advance innovation, enable flexibility in cloud architecture choice, and demonstrate data awareness to ensure security of critical data. With the principles, we also seek to help governments evaluate risks, leverage global standards to manage those risks, and establish transparent processes for developing requirements and evaluating cloud service providers. Each principle is accompanied by what we perceive as a best practice implementation, often by governments around the world, which highlights how the principles can be practically realized.

Later papers will go into more detail on relevant international standards and best practices for data governance, mitigating cloud security risks, and structuring government policy decisions and responsibilities – building on the framework provided today and focusing on the questions that we frequently hear from government customers. Ultimately, this series of papers seeks to enable governments to take advantage of cloud computing, unlock innovation potential in their countries, and improve the security and resiliency of their services. We look forward to continuing to partner with governments as they achieve these and other ICT goals.

A Week in The Hague: The Global Conference on Cyberspace (GCCS)

May 1st, 2015

Cybersecurity experts from around the world recently gathered at the Global Conference on Cyberspace (GCCS) in The Hague. Over a thousand delegates from across the private sector, government and civil society attended the main conference, and many used the opportunity to promote practical cooperation in cyberspace, enhance capacity building and to discuss norms of state behavior in cyberspace.

While such events are easily dismissed, I came away from the conference more convinced than ever that meaningful international cooperation is possible. Public-private sector cooperation is critical to protect the free, open and secure Internet that we have all grown used to and that our economies increasingly depend on. Numerous events have taken place over the past year (one only needs to open a newspaper) that drove home the fact that while cyberspace provides us with numerous opportunities, it also increases the potential for actors wishing to do harm. Indeed, many of my discussions highlighted the increased awareness that virtual attacks might cause real and physical damage that could result in loss of life, or indeed spill over into a kinetic reaction.

Unintended escalations can only be avoided if all stakeholders can work together across borders to come to an agreement around what is acceptable and what is unacceptable behavior online. Dialogue such as that initiated at The Hague further cements my view that governments in particular need to define the appropriate parameters of government behavior online. With the advance of an open and global internet, governments need to balance the national security or law enforcement interests they may have against their interest in promoting a protected and open environment for commerce and communication.

One such example is the Mutual Legal Assistance Treaty (MLAT), which governments currently rely on to seek to collect or compel information across borders. We have talked about this before, most recently on our Microsoft on the Issues blog. The bureaucratic hurdles it puts into place might have been appropriate for the problems of the 19th century, but are no match for the speed of the 21st. The panel I participated on unanimously called for a review of the Treaty approach, establishing a new international legal framework with independent and accountable courts and subject to strong checks and balances.

Similarly, many of the participants called for the discussion around cybersecurity norms of behavior to be taken to the next level. We agree with that view. Late last year Microsoft put forward six potential norms for discussion in our “International cybersecurity norms, reducing conflict in an internet-dependent world” paper. Nation states need to continue this dialogue and work to evolve in this space.

What I found particularly positive was the growing acknowledgement that the private sector has a key role to play in the development of international cybersecurity norms. The ongoing international public-private dialogue that began in London, and continued through the Budapest and Seoul conferences, has played an important role in galvanizing the commitment to multi-stakeholder cooperation. With this year’s event the Dutch government has taken it to the next level. We need to leverage the momentum from The Hague and drive for concrete improvements between now and the next GCCS in 2017 in Mexico.


Cloud computing and government: understanding security and resiliency benefits

March 12th, 2015

Around the world, governments are looking to cloud computing to help them meet their goals. On February 12, I published a blog post within which I highlighted that, in recent years, more than 50 governments have published strategies or initiatives that focus on cloud computing. As I described, their approaches to cloud adoption vary. However, certain government perspectives consistently emerge.

For instance, many governments devote considerable space to articulating the benefits of cloud computing. They capture how using cloud services can help them achieve far greater computing power and scalable, on-demand services, enabling them to address key public priorities with increased agility. In addition, they recognize how cloud computing might dramatically reduce their operating costs and enable them to shift employee resources toward innovating and better serving their communities. However, few governments devote much space to exploring how cloud computing might help improve their security or better ensure the availability or resilience of their data or services.

Instead, cloud security is often framed in government strategies and initiatives as a challenge. Likewise, in its 2014 paper entitled Cloud Computing: The Concept, Impacts and the Role of Government Policy, the Organization for Economic Co-operation and Development (OECD) characterized security and risk management in the cloud as a challenge. However, the OECD paper also acknowledged “the potential for cloud computing to diminish vulnerabilities—an aspect that is sometimes neglected.” Indeed, the OECD paper listed numerous security benefits of cloud computing, especially when the resources of large cloud services providers (CSPs) are utilized. Relative to governments, OECD wrote that large CSPs may provide physical access control more cheaply, improve computing resources dedicated to security more easily, and install critical updates more habitually.


The potential security and resiliency benefits of cloud may sometimes be neglected or overlooked not only because moving IT resources off premises creates real challenges but also because of the anxiety that accompanies any major change. Still, a few governments have recently started to acknowledge the potential security and resiliency benefits of utilizing cloud services. For instance, in late 2014, Estonia conducted a successful research project with Microsoft, testing the resiliency benefits of moving two government services to the public cloud. Indeed, in Comparison of Availability Between Local and Cloud Storage, a 2015 study, the Leviathan Security Group explained that large CSPs can better ensure high availability during emergencies than on-premises IT because of geographic replication. In addition, in February 2015, in the wake of several Bolivian government websites being hacked, Bolivian lawmakers announced that they are developing a “sovereign cloud” to strengthen the nation’s cybersecurity.

As they evaluate all of the ways in which cloud computing can help them achieve their goals, Microsoft encourages governments to consider the security and resiliency benefits that may be applicable to certain government data sets or services. In the coming months, this blog series will continue to evaluate what we’ve learned from working with governments on cloud security. It will also examine how cloud strategies might help governments to mitigate cloud security and compliance risks, enabling them to realize cloud benefits, including security and resilience as well as lower costs and increased agility.

Transparency & Trust in the Cloud Series: Kansas City, St. Louis, Minneapolis

March 5th, 2015

Over the last few months, Microsoft has hosted a series of events to bring together Chief Information Officers (CIO) and their legal counsels, Chief Information Security Officers (CISO), as well as IT operations leaders from enterprises in cities across the US. These “Transparency & Trust in the Cloud” events aim to highlight and discuss the security, privacy, compliance, and transparency capabilities of Microsoft’s cloud services.

Recently, I was given the opportunity to attend and speak at those in Kansas City, St. Louis, and Minneapolis. I was also able to speak directly with many enterprise customers in each city. I was joined by other Microsoft cloud subject matter experts, and together we answered a range of technology, business process, and legal questions that attendees had—and believe me, they had some well-thought-out, complex questions!

For example, in Kansas City, attendees asked about service level agreements and were provided with the Microsoft perspective by our Assistant General Counsel, Dennis Garcia. In St. Louis, we were asked about Microsoft’s own journey to move workloads and applications from on premise to the cloud. Ryan Reed, from Microsoft IT, has been doing this work at Microsoft for some time, and shared architectural and development considerations with the audience. Enterprise customers in Minneapolis asked questions ranging from eDiscovery to security incident notifications, to the right to audit, to protecting sensitive healthcare information. These discussions are also extremely helpful to us, at Microsoft, to better understand which topics are top of mind for enterprise customers who are evaluating the use of or adopting cloud services.

I would like to again thank those customers who attended these events. Thank you!

More meetings like these have been scheduled in different cities across the country. If you are a CIO, CISO, legal counsel, or operations leader for an enterprise organization and would like to learn more about the Microsoft approach to building the industry’s most trustworthy cloud, please reach out to your account team to inquire.

I’m looking forward to meeting more customers and having deeper discussions on trust and transparency in the cloud in the coming weeks.

The Importance of Effective Information Sharing

January 29th, 2015


This week, I testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs at a hearing on “Protecting America from Cyber Attacks: the Importance of Information Sharing.” It was good to see that the committee’s first hearing of the 114th Congress focuses on cybersecurity issues generally, and information sharing in particular, and I’d like to summarize the key points of my testimony.

There is no doubt that cybersecurity is an important issue for America, other nations, the private sector, and individuals. In an effort to better understand and help address the challenges we face, I regularly engage with government leaders from around the world, security-focused colleagues in the IT and Communications Sectors, companies that manage critical infrastructures, and customers of all sizes. From those interactions, I have concluded that cyber-attacks have joined terrorism and weapons of mass destruction as one of the new, asymmetric threats that put countries, corporations, and their citizens at risk.

With global threats, global actors, and global networks, no one organization – public or private – can have full awareness of all the threats, vulnerabilities, and incidents that shed light on what must be managed. There is no doubt that sharing such information can and has protected computer users and increased the effectiveness of the security community’s response to attacks. For example, in 2009, the Conficker Working Group came together to share information and develop a coordinated response to the Conficker worm, which had infected millions of computers around the world. After the working group developed a mitigation strategy, Information Sharing and Analysis Centers (“ISACs”) were mobilized, company incident response teams were activated, government responders were engaged, and the media reported as milestones were reached and services were restored. The challenge was addressed, and quickly.

Why is it, then, that after 20 years of discussion and proof of effectiveness, information sharing efforts are viewed as insufficient? The short answer is that while there are success stories, it is often true that those with critical information are unable or unwilling to share it. They may be unable to share it due to law, regulation, or contract, all of which can create binding obligations of secrecy and expose a company to legal risk if information is shared. Even when those restrictions permit sharing pursuant to authorized exceptions, legal risks remain, as parties may disagree on the scope of the exception. There are also non-legal, non-contractual risks; for example, a company that discloses its vulnerabilities may suffer reputational risk, causing both customers and investors to become concerned. It may even suggest to hackers that security is inadequate, encouraging other attacks.

With all these challenges in mind, we believe there are six core tenets that must guide information sharing arrangements:

1. Information sharing is a tool, not an objective.

2. Information sharing has clear benefits, but poses risks that must be mitigated.

3. Privacy is a fundamental value, and must be protected when sharing information to maintain the trust of users – individual consumers, enterprises, and governments – globally.

4. Information sharing forums and processes need not follow a single structure or model, and governments should not be the interface for all sharing.

5. Government and industry policies on information sharing should take into account international implications.

6. Governments should adhere to legal processes for law enforcement and national security requests, and governments should not use computer security information sharing mechanisms to advance law enforcement and national security objectives.

Information sharing has and does work. But it works because the parties see that the benefits (better protection, detection and response) outweigh the risks. History also teaches, however, that information sharing tends to work best when those involved trust each other to respect informal and sometimes formal agreements (e.g., non-disclosure agreements) on information use and disclosure.

The two most important things Congress can do are (1) ensure that the information sharing arrangements that are working effectively are left undisturbed; and (2) encourage additional information sharing by providing protections for shared information and addressing risks posed by information sharing, including privacy risks.

You can read my full testimony here.

Putting Information Sharing into Context

January 27th, 2015

Putting Information Sharing into Context: New Whitepaper Offers Framework for Risk Reduction

The nearly incessant drumbeat of cybersecurity incidents over the past weeks and months has brought about renewed interest in information sharing across the technical and political spheres. For example, earlier this month the White House proposed legislation to encourage information sharing, which President Obama also referred to in his State of the Union address. When it comes to cybersecurity, the right information exchanged or shared at the right time can enable security professionals and decision makers to reduce risks, deflect attacks, mitigate exploits and enhance resiliency. In this case, forewarned really can mean forearmed.

Information sharing is not a novel idea. A number of initiatives around the world have been in place and working successfully for some time. For example, here at Microsoft we have a program in place that gives security software providers early access to vulnerability information so that they can provide updated protections to customers faster. From this and other programs of various sizes we have learned that despite the increased focus on collective action from both private practitioners and policy makers around the world, effective information sharing is not an easy undertaking. It requires clear definitions and objectives rather than solely words of encouragement, or mandatory requirements. Furthermore, it is all too often viewed simply as a goal in and of itself rather than as a mechanism for improving security, cybersecurity assessment, and risk management. Finally, and from the public-private partnership perspective most pressingly, information sharing can quickly expand into controversies involving originator control, trust, transparency, privacy and liability.

To help put this complex issue into context, today we are releasing a new white paper: A framework for cybersecurity information sharing and risk reduction. Leveraging Microsoft’s decades of experience in managing security for our products, infrastructure, and customers, the paper provides a taxonomy for information exchanges including types, actors, and methods. We believe that understanding how to incentivize information sharing and how to better harness the practice for risk reduction can help move policy and strategy debates forward and support better defence of cyber assets and infrastructure. The paper concludes with a discussion of best practices and seeks to lay the groundwork for a more formalized, collaborative approach to information sharing and implementing exchanges through a set of recommendations. I hope that it can serve as a relevant and timely guide for anyone with responsibility for developing new ideas and solutions for information exchanges.
