• Conundrums in cyberspace — exploiting security in the name of, well, security

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.  

    Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.

    On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.

    When I think about how governments relate to the Internet, it’s in the following four ways:

    Users: Governments use the Internet extensively.  They use it to communicate and store sensitive information, and as a result, they have a vested interest in Internet privacy and security.

    Protectors: Governments protect the rights of Internet users, including the security and privacy of their populations, and the Internet itself.

    Exploiters: Military espionage and other surreptitious activity remind us that governments often have other interests that conflict with their role as protectors. These overlapping and conflicting roles have given rise to the thorny issue that underpins much of the current dialogue on cybersecurity: How should governments act when they have competing objectives?

    Investigators: Governments may seek access to their citizens’ digital data, or data in other countries. This raises questions about the rules covering such access.

    Cross-border questions add an additional layer of complexity. Governments investigating local citizens for committing a local crime against local people sometimes find that the evidence is in another country. In these circumstances, the question becomes: how can the legitimate law enforcement needs of countries be met, while also protecting the privacy of Internet users and respecting the laws of the country where the data is stored?

    The ongoing surveillance disclosures have brought these issues into stark relief and provided stimuli for a robust debate. The situation is full of conundrums with no clear resolution. Consider these perspectives:

    • Governments want to both secure the Internet and exploit it. 
    • Users want to embrace the cloud, preserve their privacy, and be protected from criminal activity, including terrorism. 
    • Industry wants to protect the security and privacy of users, and support efforts to protect public safety and national security.

    So where do we go from here? Everyone has a part to play, including governments, users and industry.

    Governments need to conduct serious conversations about norms for acceptable action in cyberspace. Governments should enact reforms to ensure that all surveillance is narrowly tailored, governed by the rule of law, transparent, and subject to oversight. We believe this can best be accomplished by building an international framework to set norms for government behavior.

    Users must help government and industry strike the right balance between conflicting priorities. They should also take basic steps to protect their devices and data, including the use of encryption tools. 

    Industry can help by continually updating and advancing technology options that enable greater data protection and by sharing information that promotes an informed public dialogue. It must be responsive to both customer and government concerns, encouraging transparency and promoting legal processes that help ensure appropriate oversight exists when customer data is sought. 

    Having led Microsoft’s Trustworthy Computing group for more than a decade, I can assure you that we fully embrace the mission to expand trust on the Internet, in accordance with our guiding trust principles: security, privacy and transparency. Let me briefly expand on each of those.

    Security: We begin with a focus on information assurance, continually building and enhancing security protections in our products and services. Microsoft has not put, and will not put, “back doors” in our products and services, and we don’t weaken our products to enable government spying. Our security efforts are focused on defense, not offense.

    To increase customer protections, we continue to advance security technology and innovation. For the last decade, we have implemented the Security Development Lifecycle and we have extended our secure design methodology to cloud services. We are increasing our use of data encryption across services like Outlook.com, Office 365, OneDrive and Windows Azure. We have previously announced that by the end of 2014, all content moving across our networks will be encrypted by default.

    Privacy: Regarding requests for customer data from law enforcement or other governmental entities, Microsoft is firm in its commitment to protect customer data.

    We will only provide data in response to lawful requests for specific accounts or identifiers. Where appropriate, we will refer law enforcement requests directly to the customer, rather than attempting to fulfill the requests ourselves.  Additionally, we require governments to live within the limits the law imposes on them, and will fight data requests that lack a jurisdictional basis or demand the production of bulk data. 

    Transparency: We are committed to transparency and strongly support a more open discussion on current data access policies.

    One example of our transparency is our Government Security Program (GSP), which enables government customers to review our source code, in order to reassure them of its integrity. We recently announced plans to expand this access by opening several international Transparency Centers.

    Microsoft also publishes a Law Enforcement Requests Report twice a year which details the number of law enforcement requests we receive (notably, only a tiny fraction of accounts are affected by government requests for data). Additionally, following a lawsuit filed by Microsoft and other large technology companies, the U.S. government agreed to let companies disclose figures on the national security orders received under the Foreign Intelligence Surveillance Act.

    Wherever society nets out on this important debate on the appropriate degree of government involvement in the Internet, it’s vital that industry remains principled in its approach to security, privacy and transparency. 

    We believe it is time for an international convention on privacy and government access to data, and have joined with others across the industry to recommend clear principles for government surveillance reform at ReformGovernmentSurveillance.com.

    Microsoft will continue to push for policy and technical progress to restore public trust in technology, supporting increased transparency, sensible limits on data access and appropriate oversight. We will also push for greater coordination among governments. We believe that these steps are necessary to help restore the trust that is critical to the future growth of global IT systems, and that these steps can be achieved without undermining important public safety and national security concerns.

  • Reflections on the 1-year anniversary of critical infrastructure cybersecurity initiatives

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    Last February, both the United States and the European Union announced major cybersecurity policy initiatives. In the U.S., the Executive Order on Improving Critical Infrastructure Cybersecurity put forward an industry-driven approach to developing a Cybersecurity Framework, and emphasized the role of incentives to encourage use of the Framework. In the EU, the European Commission proposed a draft Network and Information Security (NIS) Directive that suggested a broader scope and a more regulatory approach than that in the Executive Order, including the mandatory disclosure of cybersecurity incidents. One year later, I wanted to offer observations about these initiatives, as both have advanced on their respective tracks.

    With regard to the U.S. Executive Order, my hope was that implementation would follow the principles that I noted in my initial post about this topic: active collaboration and coordination with infrastructure owners and operators; a risk-based approach for enhancing cybersecurity; and the sharing of timely and actionable information to support risk management efforts. We’ve observed a real commitment to those principles in the development of the Cybersecurity Framework, which was released Wednesday by the U.S. National Institute of Standards and Technology (NIST).

    NIST was proactive and drove a carefully structured process to engage a diverse group of stakeholders across the U.S. and internationally. NIST solicited public comment to help develop the Framework, receiving input from hundreds of stakeholders, and conducted regional workshops to engage stakeholders across the nation. The resulting Framework is based on sound risk management practices and should foster the exchange of technical information on cyber risks. For our part, Microsoft contributed to the NIST process and Framework by providing comments in response to NIST’s initial request for information and the request for comments on the Preliminary Framework, and by participating in the regional workshops hosted by NIST. Additionally, we hosted an event at our Policy and Innovation Center in Washington, D.C. that brought together security and privacy professionals, helping to raise awareness about the Framework within the privacy community and fostering their engagement.

    In the EU, deliberations about the NIS Directive are ongoing, and we are encouraged by the direction of several amendments accepted in the most recent draft. For example, by more narrowly defining critical infrastructure providers, the European Parliament has focused the Directive on what is truly critical to protect national security and public safety. It is also important to highlight progress on cybersecurity at the EU Member State level over the past year. Nearly half of the EU governments have committed to strengthening their cybersecurity efforts through a variety of initiatives, including work on national cybersecurity strategies; building cybersecurity capacity; and greater cooperation between countries, such as that occurring among the Benelux countries.

    Looking ahead, cybersecurity efforts in the U.S. and EU face two key challenges. First, governments must strive to harmonize approaches to cybersecurity to enable economic advancement nationally, across the Atlantic and around the world. There are a number of forums where the governments, private sector stakeholders and civil society can come together to help harmonize approaches. Second, governments must continue to leverage industry experience and expertise as policy initiatives evolve and mature. In my post last year, I noted that government and industry must collaborate to manage the most significant risks to our most critical infrastructures. This statement remains true now, and it is ever-more urgent. We are encouraged by progress over the past year, and look forward to continued partnership with government and industry peers in the year ahead.

  • New Cyber Security Policies Aim to Improve Critical Infrastructure Protection

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    It has been an interesting time for those that care about cyber security. Last week, the European Union introduced its formative cybersecurity strategy and draft directive on network and information security to better protect critical systems from security incidents and breaches. Two days ago, the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks. The White House also issued Presidential Policy Directive 21 on critical infrastructure security and resilience to augment existing policy and enhance existing capabilities, partnerships, and strategies. Yesterday, the Cyber Intelligence Sharing and Protection Act (CISPA) was also introduced as a bill, which will continue the important dialogue on the exchange of cyber threat information to help manage cyber risks.

    Reviewing the key definitions, approaches and activities outlined in the Executive Order, I find it fairly well aligned with a set of global principles essential for enhancing cyber security. More specifically, it recognizes the principles of active collaboration and coordination with infrastructure owners and operators, outlines a risk-based approach for enhancing cyber security, and focuses on enabling the sharing of timely and actionable information to support risk management efforts. It is important to see these principles reflected in the Executive Order for three reasons. First, it is the private sector that designs, deploys and maintains most critical infrastructure; therefore, industry must be part of any meaningful attempt to secure it. Second, information sharing combined with the implementation of sound risk management principles is the only way to manage complex risks. Finally, while critical infrastructure protection is important, it cannot be the only objective of governmental policy; privacy and continued innovation are also critical concerns.

    Even if based upon the right principles, we will still need collaborative and thoughtful implementation to help ensure that efficient and effective security goals are achieved. More specifically, the Executive Order highlights a consultative process for engaging with critical infrastructure owners and operators, including leveraging existing public-private partnerships and expanding the information sharing pilot program currently underway with defense contractors. It expands exchange programs that bring private-sector subject matter experts into Federal service on a temporary basis to provide advice and guidance on managing cyber risks. It aims to provide flexibility to owners and operators of critical infrastructures to help provide a more dynamic ability to manage risk and respond to issues. Finally, it leverages voluntary, consensus-based standards and directs activities to explore the interplay and benefits that voluntary incentives and Federal procurement could produce before creating additional requirements.

    As the Executive Order moves from release to implementation, it will remain important that government and industry work together to manage carefully the most significant risks to our most critical infrastructures.  To that end, we must remain focused on the desired security outcomes and recognize that owners and operators of critical infrastructures must retain the flexibility to manage risks with agility, implementing practices and controls that are both practical and effective.  Continued collaboration between the government and the private sector will be essential in ensuring the success of this Executive Order and, recognizing the global nature of the Internet, we must also work with others around the world to ensure that policies and practices that result from the Executive Order scale globally.

    Even as the Executive Order is implemented, I expect that we will see numerous legislative efforts related to cyber security in the coming months. We look forward to working with the Administration and Congress in our efforts to enhance cyber security, protect privacy and ensure the continued innovation of information technology.

  • House Task Force Provides Framework for Legislative Action on Cyber Security

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    This week, the House Cyber Security Task Force, chaired by Rep. Thornberry, released its recommendations and report to help guide legislative action on cybersecurity. The Task Force recommendations represent another key milestone in our combined private and public sector efforts to address the cybersecurity challenges of the Information Age. The Task Force has recommended a general framework to use in addressing four issue areas within cybersecurity as follows:

    1) Critical Infrastructure and Incentives

    2) Information Sharing and Public-Private Partnerships

    3) Updating Existing Cybersecurity Laws

    4) Legal Authorities

    I had the privilege to meet with the Task Force recently to discuss the cybersecurity challenges facing the United States. I would like to thank them for their thoughtfulness and diligence in listening to the many stakeholders’ input and articulating a clear and constructive set of recommendations to enhance cybersecurity and a framework for legislative action. At Microsoft, we work every day to improve the technologies, processes and procedures used to protect our customers, our assets and the entire computing ecosystem. Although our company, other IT companies, and the individuals, enterprises, and governments that rely on cyberspace have made demonstrable improvements in cybersecurity, these efforts are constantly challenged by an increasing number and sophistication of cyber attacks.

    Microsoft focuses on a range of security issues that impact all our customers, small and large, and we believe the Task Force recommendations can help incent and drive security improvements more broadly across the ecosystem and can increase collaboration to more rapidly address threats and incidents. With those outcomes in mind, I was particularly encouraged to see that the Task Force recommendations consider the complex interplay of voluntary incentives, market forces and other measures to address the range of risks facing our infrastructure, and the need to ensure that companies who are doing the right things and actively managing risks in accordance with generally accepted standards and practices are protected from liability.

    The Task Force recommendations regarding information sharing also reflect an understanding that we need to remove legal barriers and disincentives to enable sharing of timely and actionable threat information with parties who are best positioned to act and reduce risk. Microsoft looks forward to continuing to work with the Task Force, the committees of jurisdiction in the House and with members on both sides of the aisle to strengthen our cybersecurity.

    In the last few years, I have met with members and staff in both chambers and from both parties to discuss cyber risks and how to maximize government action and industry expertise in addressing those risks. Thoughtful and informed proposals have been advanced in both the Senate and the House and from the Administration because these policy makers recognize the national security and economic implications of inaction. I would like to encourage continued bipartisan engagement and legislative action to better secure sensitive networks and the nation’s critical infrastructure, and broader, more national dialogue on how to secure the computing ecosystem.

  • Microsoft Engages with Industry and Government Leaders at EWI Cybersecurity Summit

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    Cybersecurity and the overall health of the Internet have become a key concern for governments, enterprises and computer users.

    As more people, computers and devices come online (there are approximately 2 billion people using the Internet today), cyber threats have grown more sophisticated and cybercriminals have successfully gathered sensitive data, disrupted critical operations or engaged in other illegal activity such as fraud. Governments around the world have expressed concern that the critical information infrastructures that support their countries could be targeted. In response, many countries have sought to improve critical information infrastructure policy, to build effective information sharing and collaboration capabilities that address threats and vulnerabilities, and to coordinate on responses to increasingly complex cyber incidents. 

    A year ago, I shared a Rethinking Cyber Threats white paper and recommended a framework for progress within four categories of threat. Since that time, we have witnessed several high profile security and privacy breaches that reinforced the need to develop independent strategic approaches for cybercrime, industrial and military espionage and future cyber conflict. Since then, recognizing that we need scalable solutions that work throughout the IT ecosystem, I have proposed and continue to evangelize the need for global public-private partnership to ensure a healthy IT environment for Internet citizens around the world.

    Today and tomorrow, at the 2nd EastWest Institute Cybersecurity Summit in London, the concept of applying public health models to the Internet will grow beyond the proposal stage in the form of a breakthrough group entitled Collective Action to Improve Global Internet Health. In the session, cyber security policy leaders and security strategists from governments and leading global technology companies will examine the current state of the Internet ecosystem, and collaborate on ways to improve consumer device health and help reduce security risks for all computer users, from individuals, to enterprises (including those managing critical infrastructures), to governments.

    More specifically, the group will review the state of current efforts; diagnose major obstacles to applying health models to the Internet; and work together to identify key policy, economic, social and technical milestones necessary to accelerate international progress toward a healthier and safer ecosystem. The EWI breakthrough group expects to publish initial recommendations later this year.

    Microsoft is also participating in other breakthrough groups driving progress in other key cyber security areas such as:

    · Measuring the Cybersecurity Problem

    · Protecting Youth – Building a Global Culture of Digital Citizenship

    · Entanglement of Protected Entities in Cyberspace

    · Cyber Conflict Policy

    · Worldwide Cyber Response Coordination

    Also at EWI, I will discuss Cyber Supply Chain Risk Management. As we increasingly rely upon ICT systems for every aspect of daily life, there is increasing concern about the trustworthiness of these systems and whether they are subject to deliberate compromise by those vendors who create and maintain such products. Despite these growing concerns about cyber supply chain risk, there are no commonly agreed upon threat models for vendors and governments to use as a basis for managing such risks. Mindful that the risk cannot be eliminated, governments and industry must collaborate and define what constitutes an appropriate risk management model and create global, transparent supply chain standards for industry to follow.

    It is evident that cyber security will remain a top priority for governments, policymakers and citizens around the world, especially as they continue to increase their reliance on information and communications technologies. While comprehensive cyber security legislation has not yet been enacted globally, policy makers are deepening their commitments to improve cyber security and reduce risk at the national level. For example, governments in the United States, Australia, Brazil, Canada, China, Germany, India, Poland and the United Kingdom have all launched initiatives, offices, and programs to protect cyberspace. In addition, the European Union, G8 and other multi-lateral organizations have driven efforts to expand and enhance international cyber security efforts.

    Without international collaboration, the efforts around the world run the risk of developing solutions that are inefficient (since the Internet requires global solutions), inconsistent or, even worse, conflicting. I believe that long-term success depends on thoughtful and active public-private partnerships. With these partnerships, international policy makers and thought leaders can come together, share ideas, and build constructive engagement models that improve cyber security. As cyber security threats continue to evolve, Microsoft values this opportunity to work together with governments and industry around the world to create a safer and more trusted Internet.

    I hope to continue this conversation and encourage readers to provide us with comments and feedback on this blog and the linked reference materials.

    Additional Resources

    Microsoft News Center feature story - "Microsoft Uses Global Cybersecurity Summit to Discuss Internet Security"

    · Internet Health

    · EastWest Institute Second Worldwide Cybersecurity Summit

    Blog and Twitter

    · Microsoft Security Blog

    · @MSFTSecurity on Twitter