About Scott Charney


Scott Charney is Corporate Vice President for Microsoft’s Trustworthy Computing Group. Mr. Charney is responsible for a range of corporate programs that influence the security, privacy and reliability of Microsoft’s products, services and internal networks. He also manages the Engineering Excellence Team, a group focused on promoting best-of-breed engineering practices and ensuring compliance with Microsoft’s mandatory engineering policies.

Prior to joining Microsoft, Mr. Charney served as a Principal at PricewaterhouseCoopers, where he led the firm’s Digital Risk Management and Forensics Practice. Before that, Mr. Charney served as Chief of the Computer Crime and Intellectual Property Section (CCIPS) where he was responsible for implementing the Justice Department's computer crime and intellectual property initiatives. Prior to leading CCIPS, Mr. Charney served as an Assistant United States Attorney responsible for the investigation and prosecution of complex cases involving organized crime and as an Assistant District Attorney in Bronx County, New York, where he was responsible for prosecuting persistent violent felony offenders. He also served as Deputy Chief of the Investigations Bureau.

Mr. Charney has received numerous awards during his career, including the Justice Department’s John Marshall Award for Outstanding Legal Achievement and the Attorney General's Award for Distinguished Service. Mr. Charney graduated from the Syracuse University College of Law with honors, and received his undergraduate degrees from the State University of New York at Binghamton.

  • The Need for Global Collective Defense on the Internet

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing
     
    For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals, organizations (including nation-states), and society at large, and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.
     
    Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. In my Rethinking Cyber Threats and Strategies paper I discuss a framework for categorizing and assessing cyber threats, the problem with attribution, and possible ways for society to prevent and respond to cyber threats.
     
    In my speech today at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, I proposed one possible approach to addressing botnets and other malware impacting consumer machines.  This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”
     
    In the paper I discuss how commonly available cyber defenses such as firewalls, antivirus and automatic updates for security patches can reduce risk, but they’re not enough. Despite our best efforts, many consumer computers are host to malware or are part of a botnet. “Bots,” networks of compromised computers controlled by hackers, can provide criminals with a relatively easy means to commit identity theft and also lead to much more devastating consequences if used for an attack on critical government infrastructure or financial systems.
     
    Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.  In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.  Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.  To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.
     
    Cyber security policy and corresponding legislation is being actively discussed in many nations around the world and there is a huge opportunity to promote this Internet health model.  As part of this discussion, it is important to focus on building a socially acceptable model. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern. 
     
    With both security and privacy in mind, the following statements reflect proposed principles for progress outlined in my paper and are intended to help guide stakeholders’ efforts, promote action, address challenges, and influence future initiatives. 
     
    • The risk that botnets present to Internet users and critical infrastructures must be addressed.
    • Collective defense can and should be used to help improve the security of consumer devices and protect against such cyber threats.
    • A public health model can empower consumers and improve Internet security.
    • Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced.
    • Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.
     
    Within the current legal and political landscape, and with the current state-of-the-art in technology, there are collective defense actions we can take now and we should commit to continued cooperation, collaboration and investment to fully leverage current tools and technology.  With examples like France’s Signal Spam or Japan’s Cyber Clean Center as models, industry and governments need to build upon the successes to more systematically help improve and maintain the health of Internet connected systems and to disrupt cybercrime and other threats to individuals and society. 
     
    For its part, Microsoft looks forward to continuing to provide and promote research and development that will make system scanning and cleanup more cost effective, along with looking to solve current technical barriers. We will also advocate for legislation and policies worldwide that help advance the model, but do so in a way that advances principles supporting user control and privacy.

  • Creating Trust for the Government Cloud

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing

    Today I’m testifying at a hearing of the House Committee on Oversight and Government Reform.  The hearing is on the benefits and risks of the federal government’s adoption of cloud computing.

    Cloud computing in its many forms creates tremendous new opportunities for cost savings, flexibility, scalability and improved computing performance for government, enterprises and citizens. At the same time, it presents new security, privacy and reliability challenges, which raise questions about functional responsibility (who must maintain controls) and legal accountability (who is legally accountable if those controls fail). Customers, including the government, need to make informed decisions about adoption of the cloud and its various service models because the model that is embraced will entail different allocations of responsibility between the customer and the cloud provider(s).

    This shifting responsibility requires that both cloud providers and governments take seriously their distinct and shared responsibilities for addressing the security, privacy and reliability of cloud services. Both customers and cloud providers must understand their respective roles. Customers must be able to communicate their compliance requirements, and cloud providers must be transparent about the controls in place to meet those requirements:

    • Build In Security, Privacy and Reliability: Cloud providers must ensure that they put security, privacy and reliability at the center of the design of their cloud service offerings. For our part, Microsoft uses the Secure Development Lifecycle to ensure that both security and privacy are built into the development of our cloud offerings. By building and managing resilient infrastructure with trustworthy people, we can ensure high availability and commit to 99.9 percent uptime and 24x7 support in our service level agreements. The government could – and should – require that its cloud vendors demonstrate secure development practices and transparent response processes for their applications. You can read more about Microsoft’s cloud security efforts here.
    • Communicate Clear Requirements: Moving to the cloud does not eliminate federal agencies’ responsibilities for meeting security, privacy and reliability requirements. Agencies must first identify and communicate requirements and expectations prior to transferring the responsibility for these functions to cloud providers. Articulating these requirements is an important step in adapting to the cloud and effectively integrating it into the federal enterprise. The Federal Risk and Authorization Management Program (FedRAMP) is an important initial effort to provide joint security authorization for large outsourced systems.
    • Require Privacy Provisions: Government should help improve the transparency of data handling and privacy practices for cloud providers by requiring better notice of how information is collected and used. Congress, the Executive Branch and the Federal Trade Commission should work together to promote transparency around cloud computing providers’ privacy and security practices, empowering users to make informed choices.
    • Clarify Jurisdictional Access and Data Handling Rules: The government must help clarify the laws governing data in the cloud. Cloud computing moves data that once lived with the customer to the provider, which creates new questions about how to respond to government and law enforcement requests for information. Congress should clarify and update the Electronic Communications Privacy Act (ECPA) in order to properly account for citizens’ reasonable privacy expectations. In addition, cloud services work best when data is able to flow freely around the globe. Unfortunately, global data flows are not well addressed by current privacy laws in the United States and around the world. The government should work with other countries and with industry to develop a data protection framework that accounts for global data flows created by cloud computing.

    In addition to speaking about security, privacy, and reliability, I raised one other issue worthy of note. The mechanisms to provide identity, authentication and attribution in cyberspace do not yet meet the needs of citizens, enterprises or governments in traditional computing environments or for the cloud. This inability to manage online identities well puts computer users at risk and reduces their trust in the IT ecosystem.

    The cloud only amplifies the need for more robust identity management to help solve some of the fundamental security and privacy problems inherent in current Internet systems. As people move more and more of their data to the cloud, and share resources across cloud platforms, their credentials are the key to accessing that data. The draft National Strategy for Trusted Identities in Cyberspace, recently released by the White House, represents significant progress to help improve the ability to identify and authenticate the organizations, individuals and underlying infrastructure involved in an online transaction. Government and industry must continue to work together on this initiative, as well as on advancing standards and formats on both a national as well as a global basis, to enable a robust identity ecosystem.

    Microsoft is committed to helping the federal government as it looks to adopt cloud computing services. As part of this effort, we recently encouraged industry and policymakers to take action to build confidence in cloud computing, and proposed the Cloud Computing Advancement Act to promote innovation, protect consumers and provide government with new tools to address the critical issues of data privacy and security. In a recent interview on C-SPAN, Microsoft’s general counsel Brad Smith talked about the need for new rules to protect business and consumer information.

    I thank Chairman Towns, Ranking Member Issa, Chairwoman Watson, Ranking Member Bilbray and members of the House Committee on Oversight and Government Reform for their leadership on this important issue. I look forward to continuing to work with them, other Members of Congress, the Obama Administration and others in the industry on advancing government adoption of cloud computing. You can read my full testimony here.

  • An Important Step in Advancing Cybersecurity

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing

    Today I had the privilege of attending an event at the White House where President Barack Obama announced the results of the 60-day cybersecurity review and highlighted the steps the United States Government would be taking to help ensure the security of our nation’s computer networks.  This is an important step in ensuring we have a comprehensive and coordinated national strategy for cybersecurity. 

    Advances in information technology have revolutionized the way we live and our increased dependence on IT systems makes addressing cybersecurity risks an increasingly important priority for both the government and the private sector. 

    Right now, we are locked in an escalating but often hidden conflict in cyberspace, as cyber attacks steadily grow in sophistication and target critical infrastructures and sensitive data. According to Microsoft’s latest Security Intelligence Report, 40 percent of attacks in 2008 were considered “moderately complex”; less than 20 percent earned that descriptor in 2003. 

    Addressing these attacks and securing cyberspace is going to require a comprehensive and coordinated national strategy, and the 60-day review provides a baseline to inform its development. Such a strategy requires that the White House, the Congress and the private sector collaborate on common security goals, and we look forward to contributing to this important effort.

  • Constructing an Information Age Model for Federal Cybersecurity

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing

    As I blogged last month, the increasing quantity and sophistication of cyber attacks requires a comprehensive and coordinated strategy to secure the nation’s critical infrastructure and sensitive data.

    Today I had an opportunity to continue the discussion while testifying before a congressional hearing on  “Assessing Cybersecurity Activities at the National Institute of Standards and Technology and the Department of Homeland Security,” convened by the House Subcommittee on Technology and Innovation.  

    As I explained to the committee, the complexity and breadth of national governments, and the wide array of constituents they serve, require a careful and thoughtful approach to managing government-wide cybersecurity.

    Most governments function like a conglomeration of businesses, each with different missions, partners, customers, data, assets and risks. The number and diversity of component organizations and systems make centralized management impractical—if not impossible. Each agency or ministry has a unique security paradigm with its own threats, so each must manage its own risk.

    I believe a hybrid model to government cybersecurity can create both a “horizontal,” centrally managed security framework and customized, “vertical” solutions that meet the specialized security needs of individual agencies.  

    Such a combination of horizontal and vertical functions would help ensure that minimum security goals and standards are set, while enabling agencies to manage risks appropriately for their unique operating environments. 

    To maximize the value of a horizontal cybersecurity function, governments must collect the right data; analyze that data; and use the data to drive action.

    [Photo caption: Rep. David Wu (D-OR), chairman of the House Subcommittee On Technology And Innovation, greets Scott Charney, Microsoft Corporate Vice President of Microsoft's Trustworthy Computing at hearing, as Symantec Executive Vice President and Chief Technology Officer Mark Bregman looks on (center).]

    To achieve these core objectives, I highlighted several tools I believe are essential:

    • Security monitoring: In addition to traditional network monitoring from intrusion detection systems, governments could use information provided by IT assets, such as routers, hosts, and proxy servers to evaluate their operational and security status.
    • Audit: Meaningful audit data improves agencies’ cybersecurity posture because it drives behavior and provides accountability. In addition to comprehensive quarterly or annual reporting, this should include continuous audit, with spot checks and periodic evaluations that can help assess the adequacy of controls and compliance.
    • Advanced analytics:  Monitoring and audit capabilities can create a baseline of data about the real-time health and overall trends in security.  Combining this with threat information and advanced technical analyses can create an operational awareness of the “attack surface” of the government.  
    • Agile and collaborative response:  Over the past 10 years, there have been several attempts to improve operational coordination between and among key government and private sector stakeholders, but they’ve had limited success.  I strongly support creating a more effective model for operational collaboration to move us from the less effective government-led partnerships of the past to a more dynamic and collaborative approach involving cybersecurity leaders from government, industry, and academia.
    • Innovative security controls: Since computing technologies advance at a rapid pace, organizations creating security policy, standards, and technologies must consider how transformative changes (e.g., wireless, RFID, peer-to-peer networks) create different risks and require different controls to maintain or improve security.

    These capabilities are necessary to build an effective government cybersecurity function, but we must also recognize that cyberspace threats are not going to disappear.  Technology alone will not create the trust necessary to secure cyberspace and realize the full potential of the Internet.  Technological innovation must be aligned with social, political, economic and IT forces to enable change.  Microsoft works with partners in the ecosystem to help drive and shape these forces to create a safer, more trusted Internet through our End-to-End Trust vision.  Governments must similarly drive forward with clear vision and holistic Information Age strategies to combat these threats to national and economic security, and public safety.  As long as threats evolve, so must our efforts to protect against them. 

  • Cybersecurity Investments for the Information Age

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing

    Last summer, I testified before the House Science and Technology Committee’s Subcommittee on Technology and Innovation about the need for government to develop security strategies to address the full spectrum of risks in the Information Age.  Last week, the House passed The Cybersecurity Enhancement Act, H.R. 4061, which represents an important step to better address those risks.  In recognition of the long-term nature of this challenge, the bill appropriately aims to drive strategic investments toward the development of the skilled workers and advanced technologies we will need to improve our nation’s cybersecurity.  Promoting and resourcing innovative approaches will help government and industry to have the necessary skills, capabilities, techniques, and tools to counter evolving cyber threats and continue to grow and lead in the connected world. 

    The provisions regarding identity management are particularly noteworthy because creating the ability to know reliably the person and/or device that is sending a particular data stream in cyberspace is essential for attribution.  Strong identity management and attribution capabilities help deter cyber attacks, so driving toward a coordinated, interoperable, and scalable security- and privacy-sensitive system for managing identities will benefit all Internet users.

    Passage of this legislation in the House represents an initial step to address the broader challenge the United States is facing in cyberspace.  The Information Age has arrived, yet much work still needs to be done to prepare for the realities of today and of tomorrow.  Long-term investments must be complemented by near-term planning and action to better secure the nation’s critical infrastructure and sensitive networks and data.   Government and private industry must collaborate more effectively to drive strategic planning and enhance operational capabilities in several key areas, including:

    • Updating existing strategies to recognize the ever-mounting importance of economic security, more comprehensively address the various elements of national power, and articulate a clearer understanding of norms, attribution, and deterrence;
    • Establishing a hybrid model that improves security across the Federal enterprise and fosters agility to counter evolving threats; such a model recognizes that there are some responsibilities and practices that should be done by each Federal agency, but that a fully centralized model for managing security will not work;
    • Building operational partnerships that let us effectively mitigate and respond to threats in a more coordinated manner; and
    • Managing the real-time health of networks by using information provided by IT assets, such as routers, hosts, and proxy servers, to evaluate operational and security status, and by promoting meaningful audit to drive behavior and provide accountability.

    Every day, we work to improve the technologies, processes, and procedures used to protect our connected assets in this increasingly networked world. Even dramatic and demonstrable improvements in cybersecurity are being challenged by the increasing availability and value of data online and the escalation of cyber attacks in terms of both number and sophistication. There is much more computer security work to be done. Microsoft congratulates the House for passing The Cybersecurity Enhancement Act, which we view as a significant step towards transforming government for the Information Age. We look forward to continuing to work with government and industry partners to enhance cybersecurity and the resiliency of our critical infrastructures.

  • Microsoft Engages with Industry and Government Leaders at EWI Cybersecurity Summit

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    Cybersecurity and the overall health of the Internet have become a key concern for governments, enterprises and computer users.

    As more people, computers and devices come online (there are approximately 2 billion people using the Internet today), cyber threats have grown more sophisticated and cybercriminals have successfully gathered sensitive data, disrupted critical operations or engaged in other illegal activity such as fraud. Governments around the world have expressed concern that the critical information infrastructures that support their countries could be targeted. In response, many countries have sought to improve critical information infrastructure policy, to build effective information sharing and collaboration capabilities that address threats and vulnerabilities, and to coordinate on responses to increasingly complex cyber incidents. 

    A year ago, I shared a Rethinking Cyber Threats white paper and recommended a framework for progress within four categories of threat. Since that time, we have witnessed several high profile security and privacy breaches that reinforced the need to develop independent strategic approaches for cybercrime, industrial and military espionage and future cyber conflict. Since that time, and recognizing that we need scalable solutions that work throughout the IT ecosystem, I proposed and continue to evangelize the need for global public-private partnership to ensure a healthy IT environment for Internet citizens around the world.

    Today and tomorrow, at the 2nd EastWest Institute Cybersecurity Summit in London, the concept of applying public health models to the Internet will grow beyond the proposal stage in the form of a breakthrough group entitled Collective Action to Improve Global Internet Health. In the session, cyber security policy leaders and security strategists from governments and leading global technology companies will examine the current state of the Internet ecosystem, and collaborate on ways to improve consumer device health and help reduce security risks for all computer users, from individuals, to enterprises (including those managing critical infrastructures), to governments.

    More specifically, the group will review the state of current efforts; diagnose major obstacles to applying health models to the Internet; and work together to identify key policy, economic, social and technical milestones necessary to accelerate international progress toward a healthier and safer ecosystem. The EWI breakthrough group expects to publish initial recommendations later this year.

    Microsoft is also participating in other breakthrough groups driving progress in other key cyber security areas such as:

    • Measuring the Cybersecurity Problem
    • Protecting Youth – Building a Global Culture of Digital Citizenship
    • Entanglement of Protected Entities in Cyberspace
    • Cyber Conflict Policy
    • Worldwide Cyber Response Coordination

    Also at EWI, I will discuss Cyber Supply Chain Risk Management. As we increasingly rely upon ICT systems for every aspect of daily life, there is increasing concern about the trustworthiness of these systems and whether they are subject to deliberate compromise by those vendors who create and maintain such products. Despite these growing concerns about cyber supply chain risk, there are no commonly agreed upon threat models for vendors and governments to use as a basis for managing such risks. Mindful that the risk cannot be eliminated, governments and industry must collaborate and define what constitutes an appropriate risk management model and create global, transparent supply chain standards for industry to follow.

    It is evident that cyber security will remain a top priority for governments, policymakers and citizens around the world, especially as they continue to increase their reliance on information and communications technologies. While comprehensive cyber security legislation has not yet been enacted around the world, policy makers around the world are deepening their commitments to improve cyber security and reduce risk at the national level. For example, governments in the United States, Australia, Brazil, Canada, China, Germany, India, Poland and the United Kingdom have all launched initiatives, offices, and programs to protect cyberspace. In addition, the European Union, G8 and other multi-lateral organizations have driven efforts to expand and enhance international cyber security efforts.

    Without international collaboration, the efforts around the world run the risk of developing solutions that are inefficient (since the Internet requires global solutions), inconsistent or, even worse, conflicting. I believe that long-term success depends on thoughtful and active public-private partnerships. With these partnerships, international policy makers and thought leaders can come together, share ideas, and build constructive engagement models that improve cyber security. As cyber security threats continue to evolve, Microsoft values this opportunity to work together with governments and industry around the world to create a safer and more trusted Internet.

    I hope to continue this conversation and encourage readers to provide us with comments and feedback on this blog and the linked reference materials.

    Additional Resources

    • Microsoft News Center feature story: "Microsoft Uses Global Cybersecurity Summit to Discuss Internet Security"
    • Internet Health
    • EastWest Institute Second Worldwide Cybersecurity Summit

    Blog and Twitter

    • Microsoft Security Blog
    • @MSFTSecurity on Twitter

  • House Task Force Provides Framework for Legislative Action on Cyber Security

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    This week, the House Cyber Security Task Force, chaired by Rep. Thornberry, released its recommendations and report to help guide legislative action on cybersecurity. The Task Force recommendations represent another key milestone in our combined private and public sector efforts to address the cybersecurity challenges of the Information Age. The Task Force has recommended a general framework to use in addressing four issue areas within cybersecurity as follows:

    1) Critical Infrastructure and Incentives
    2) Information Sharing and Public-Private Partnerships
    3) Updating Existing Cybersecurity Laws
    4) Legal Authorities

    I had the privilege to meet with the Task Force recently to discuss the cybersecurity challenges facing the United States. I would like to thank them for their thoughtfulness and diligence in listening to the many stakeholders’ input and articulating a clear and constructive set of recommendations to enhance cybersecurity and a framework for legislative action. At Microsoft, we work every day to improve the technologies, processes and procedures used to protect our customers, our assets and the entire computing ecosystem. Although our company, other IT companies, and the individuals, enterprises, and governments that rely on cyberspace have made demonstrable improvements in cybersecurity, these efforts are constantly challenged by an increasing number and sophistication of cyber attacks.

    Microsoft focuses on a range of security issues that impact all our customers, small and large, and we believe the Task Force recommendations can help incent and drive security improvements more broadly across the ecosystem and can increase collaboration to more rapidly address threats and incidents. With those outcomes in mind, I was particularly encouraged to see that the Task Force recommendations consider the complex interplay of voluntary incentives, market forces and other measures to address the range of risks facing our infrastructure, and the need to ensure that companies who are doing the right things and actively managing risks in accordance with generally accepted standards and practices are protected from liability.

    The Task Force recommendations regarding information sharing also reflect an understanding that we need to remove legal barriers and disincentives to enable sharing of timely and actionable threat information with parties who are best positioned to act and reduce risk. Microsoft looks forward to continuing to work with the Task Force, the committees of jurisdiction in the House and with members on both sides of the aisle to strengthen our cybersecurity.

    In the last few years, I have met with members and staff in both chambers and from both parties to discuss cyber risks and how to maximize government action and industry expertise in addressing those risks. Thoughtful and informed proposals have been advanced in both the Senate and the House and from the Administration because these policy makers recognize the national security and economic implications of inaction. I would like to encourage continued bipartisan engagement and legislative action to better secure sensitive networks and the nation’s critical infrastructure, and broader, more national dialogue on how to secure the computing ecosystem.

  • New Cyber Security Policies Aim to Improve Critical Infrastructure Protection

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    It has been an interesting time for those who care about cyber security. Last week, the European Union introduced its formative cybersecurity strategy and draft directive on network and information security to better protect critical systems from security incidents and breaches. Two days ago, the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks. The White House also issued Presidential Policy Directive 21 on critical infrastructure security and resilience to augment existing policy and enhance existing capabilities, partnerships, and strategies. Yesterday, a bill, the Cyber Intelligence Sharing and Protection Act (CISPA), was also introduced, which will continue the important dialogue on the exchange of cyber threat information to help manage cyber risks.

    A review of the key definitions, approaches and activities outlined in the Executive Order shows that it is fairly well aligned with a set of global principles essential for enhancing cyber security. More specifically, it recognizes the principles of active collaboration and coordination with infrastructure owners and operators, outlines a risk-based approach for enhancing cyber security, and focuses on enabling the sharing of timely and actionable information to support risk management efforts. It is important to see these principles reflected in the Executive Order for three reasons. First, it is the private sector that designs, deploys and maintains most critical infrastructure; therefore, industry must be part of any meaningful attempt to secure it. Second, together, information sharing and the implementation of sound risk management principles are the only way to manage complex risks. Finally, while critical infrastructure protection is important, it cannot be the only objective of governmental policy; privacy and continued innovation are also critical concerns.

    Even if based upon the right principles, we will still need collaborative and thoughtful implementation to help ensure that efficient and effective security goals are achieved. More specifically, the Executive Order highlights a consultative process for engaging with critical infrastructure owners and operators, including leveraging existing public-private partnerships and expanding the information sharing pilot program currently underway with defense contractors. It expands exchange programs that bring private-sector subject matter experts into Federal service on a temporary basis to provide advice and guidance on managing cyber risks. It aims to provide flexibility to owners and operators of critical infrastructures to help provide a more dynamic ability to manage risk and respond to issues. Finally, it leverages voluntary, consensus-based standards and directs activities to explore the interplay and benefits that voluntary incentives and Federal procurement could produce before creating additional requirements.

    As the Executive Order moves from release to implementation, it will remain important that government and industry work together to manage carefully the most significant risks to our most critical infrastructures. To that end, we must remain focused on the desired security outcomes and recognize that owners and operators of critical infrastructures must retain the flexibility to manage risks with agility, implementing practices and controls that are both practical and effective. Continued collaboration between the government and the private sector will be essential in ensuring the success of this Executive Order and, recognizing the global nature of the Internet, we must also work with others around the world to ensure that policies and practices that result from the Executive Order scale globally.

    Even as the Executive Order is implemented, I expect that we will see numerous legislative efforts related to cyber security in the coming months. We look forward to working with the Administration and Congress in our efforts to enhance cyber security, protect privacy and ensure the continued innovation of information technology.

  • Reflections on the 1-year anniversary of critical infrastructure cybersecurity initiatives

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    Last February, both the United States and the European Union announced major cybersecurity policy initiatives. In the U.S., the Executive Order on Improving Critical Infrastructure Cybersecurity put forward an industry-driven approach to developing a Cybersecurity Framework, and emphasized the role of incentives to encourage use of the Framework. In the EU, the European Commission proposed a draft Network and Information Security (NIS) Directive that suggested a broader scope and a more regulatory approach than that in the Executive Order, including the mandatory disclosure of cybersecurity incidents. One year later, I wanted to offer observations about these initiatives, as both have advanced on their respective tracks.

    With regard to the U.S. Executive Order, my hope was that implementation would follow the principles that I noted in my initial post about this topic: active collaboration and coordination with infrastructure owners and operators; a risk-based approach for enhancing cybersecurity; and the sharing of timely and actionable information to support risk management efforts. We’ve observed a real commitment to those principles in the development of the Cybersecurity Framework, which was released Wednesday by the U.S. National Institute of Standards and Technology (NIST).

    NIST was proactive and drove a carefully structured process to engage a diverse group of stakeholders across the U.S. and internationally. NIST solicited public comment to help develop the Framework, receiving input from hundreds of stakeholders, and conducted regional workshops to engage stakeholders across the nation. The resulting Framework is based on sound risk management practices and should foster the exchange of technical information on cyber risks. For our part, Microsoft contributed to the NIST process and Framework by providing comments in response to NIST’s initial request for information and the request for comments on Preliminary Framework, and by participating in the regional workshops hosted by NIST. Additionally, we hosted an event at our Policy and Innovation Center in Washington, D.C. that brought together security and privacy professionals, helping to raise awareness about the Framework within the privacy community and fostering their engagement.

    In the EU, deliberations about the NIS Directive are ongoing, and we are encouraged by the direction of several amendments accepted in the most recent draft. For example, by more narrowly defining critical infrastructure providers, the European Parliament has focused the Directive on what is truly critical to protect national security and public safety. It is also important to highlight progress on cybersecurity at the EU Member State level over the past year. Nearly half of the EU governments have committed to strengthening their cybersecurity efforts through a variety of initiatives, including work on national cybersecurity strategies; building cybersecurity capacity; and greater cooperation between countries, such as that occurring among the Benelux countries.

    Looking ahead, cybersecurity efforts in the U.S. and EU face two key challenges. First, governments must strive to harmonize approaches to cybersecurity to enable economic advancement nationally, across the Atlantic and around the world. There are a number of forums where the governments, private sector stakeholders and civil society can come together to help harmonize approaches. Second, governments must continue to leverage industry experience and expertise as policy initiatives evolve and mature. In my post last year, I noted that government and industry must collaborate to manage the most significant risks to our most critical infrastructures. This statement remains true now, and it is ever-more urgent. We are encouraged by progress over the past year, and look forward to continued partnership with government and industry peers in the year ahead.

  • Conundrums in cyberspace — exploiting security in the name of, well, security

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.  

    Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.

    On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.

    When I think about how governments relate to the Internet, it’s in the following four ways:

    Users: Governments use the Internet extensively.  They use it to communicate and store sensitive information, and as a result, they have a vested interest in Internet privacy and security.

    Protectors: Governments protect the rights of Internet users -- protecting the security and privacy of their populations -- and the Internet itself.

    Exploiters: Military espionage and other surreptitious activities remind us that governments often have other interests that conflict with their role as protectors. These overlapping and conflicting roles have given rise to the thorny issue that underpins much of the current dialogue on cybersecurity: How should governments act when they have competing objectives?

    Investigators: Governments may seek access to their citizens’ digital data, or data in other countries. This raises questions about the rules covering such access.

    Cross-border questions add an additional layer of complexity. Governments investigating local citizens for committing a local crime against local people sometimes find that the evidence is in another country. In these circumstances, the question becomes: how can the legitimate law enforcement needs of countries be met, while also protecting the privacy of Internet users and respecting the laws of the country where the data is stored?

    The ongoing surveillance disclosures have brought these issues into stark relief and provided stimuli for a robust debate. The situation is full of conundrums with no clear resolution. Consider these perspectives:

    • Governments want to both secure the Internet and exploit it. 
    • Users want to embrace the cloud, preserve their privacy, and be protected from criminal activity, including terrorism. 
    • Industry wants to protect the security and privacy of users, and support efforts to protect public safety and national security.

    So where do we go from here? Everyone has a part to play, including governments, users and industry.

    Governments need to conduct serious conversations about norms for acceptable action in cyberspace. Governments should enact reforms to ensure that all surveillance is narrowly tailored, governed by the rule of law, transparent, and subject to oversight. We believe this can best be accomplished by building an international framework to set norms for government behavior.

    Users must help government and industry strike the right balance between conflicting priorities. They should also take basic steps to protect their devices and data, including the use of encryption tools. 

    Industry can help by continually updating and advancing technology options that enable greater data protection and by sharing information that promotes an informed public dialogue. It must be responsive to both customer and government concerns, encouraging transparency and promoting legal processes that help ensure appropriate oversight exists when customer data is sought. 

    Having led Microsoft’s Trustworthy Computing group for more than a decade, I can assure you that we fully embrace the mission to expand trust on the internet, in accordance with our guiding trust principles: security, privacy and transparency. Let me briefly expand on each of those.

    Security: We begin with a focus on information assurance, continually building and enhancing security protections in our products and services. Microsoft has not and will not put “back doors” in our products and services, and we don’t weaken our products to enable government spying. Our security efforts are focused on defense, not offense.

    To increase customer protections, we continue to advance security technology and innovation. For the last decade, we have implemented the Security Development Lifecycle and we have extended our secure design methodology to cloud services. We are increasing our use of data encryption across services like Outlook.com, Office 365, OneDrive and Windows Azure. We have previously announced that by the end of 2014, all content moving across our networks will be encrypted by default.

    Privacy: Regarding requests for customer data from law enforcement or other governmental entities, Microsoft is firm in its commitment to protect customer data.

    We will only provide data in response to lawful requests for specific accounts or identifiers. Where appropriate, we will refer law enforcement requests directly to the customer, rather than attempting to fulfill the requests ourselves.  Additionally, we require governments to live within the limits the law imposes on them, and will fight data requests that lack a jurisdictional basis or demand the production of bulk data. 

    Transparency: We are committed to transparency and strongly support a more open discussion on current data access policies.

    One example of our transparency is our Government Security Program (GSP), which enables government customers to review our source code, in order to reassure them of its integrity. We recently announced plans to expand this access by opening several international Transparency Centers.

    Microsoft also publishes a Law Enforcement Requests Report twice a year which details the number of law enforcement requests we receive (notably, only a tiny fraction of accounts are affected by government requests for data). Additionally, following a lawsuit filed by Microsoft and other large technology companies, the U.S. government agreed to let companies disclose figures on the national security orders received under the Foreign Intelligence Surveillance Act.

    Wherever society nets out on this important debate on the appropriate degree of government involvement in the Internet, it’s vital that industry remains principled in its approach to security, privacy and transparency. 

    We believe it is time for an international convention on privacy and government access to data, and have joined with others across the industry to recommend clear principles for government surveillance reform at ReformGovernmentSurveillance.com.

    Microsoft will continue to push for policy and technical progress to restore public trust in technology, supporting increased transparency, sensible limits on data access and appropriate oversight. We will also push for greater coordination among governments. We believe that these steps are necessary to help restore the trust that is critical to the future growth of global IT systems, and that these steps can be achieved without undermining important public safety and national security concerns.