Growth and change can come in big doses or small increments. That can be professional or organizational growth or technical or societal change. Since we started doing BlueHat waaay back in 2005, I’ve seen some significant change at Microsoft, experienced a fair bit of professional and personal growth, and witnessed stunning technical and social change.

 This year I have a slightly different role in BlueHat.

As I reflect on this year’s BlueHat, there is a three letter (or occasionally four-) acronym that nicely tees up a number of topics – AFGO - Another Fun Growth Opportunity. Over the course of time, new attacks, new relationships, new positions, new technical or business challenges offer opportunities to expand our skills, tune our strategies, and take on new challenges. We see that despite the progress already made, there are still challenges ahead along with plenty of growing and learning available to the interested and the willing.

The BlueHat attendees are the interested and the willing. They come for the official program on attacks, threats, and technologies. More importantly, they come for the “hallway track”, the discussions that happen between like-minded security “apassionados”. This year’s program challenges the attendees to go beyond the easily understood remedies. Presentations on Targeted Attacks should give the attendees that visceral learning experience – AFGOs that challenge us to accept we have done great work and yet more remains in order to protect our infrastructure and intellectual property and that of our customers.  Similarly, there are a number of
talks that explore the painful reality of “wait, I thought I did the right things” – You incorporated security into the development culture and operations, and yet your risk profile may still be higher than desired. Money spent and certifications earned don’t equal security – AFGO.  

These days I find myself focused on two growth areas – one is anti-abuse as an engineering discipline and the other is the area of security policy.

Attackers are moving away from implementation errors such as buffer overflow attacks and towards abuse of the design seams of the networked system. This presents us with a more complex challenge that may not be as straightforward to eliminate with traditional security tools or testing. We must engineer anti-abuse solutions for Microsoft services that minimize customer impact and at the same time improve the customer’s trust experience and ease of use.   We can do both, we have done it before. I see before us an opportunity for a second wave of security culture change within Microsoft as we harden our services to withstand abuse and enhance the user experience.

The helpful short hand I use to describe my work on Security Policy issues is that I am looking for solutions to non-technical security problems. I look to help governments and industry come up with reasonable, effective, and implementable policy/legislative/regulatory solutions to security problems.  Talk about growth opportunities! Technical solutions are relatively straightforward, unemotional and fact based, while politics usually has to do with business model or personality. In the Office of Global Security Strategy and Diplomacy offers me an opportunity to leverage my technical background and bring my unique perspective to the strategy discussions of how countries and organizations manage the security risks at a global level.

Can’t wait to see you all at BlueHat.

Andrew Cushman
Director, GSSD, Microsoft Corporation