  • Conundrums in cyberspace — exploiting security in the name of, well, security

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    At Microsoft, establishing and sustaining trust with our customers is essential. If our customers can’t rely on us to protect their data—whether from crooks, mismanagement or excessive government intrusion—they will look elsewhere for a technology provider.

    Government access to data is a hot topic. But it’s not new. In fact, our General Counsel, Brad Smith, has addressed the issue in a series of blog posts covering, among other topics, our efforts to protect customers and our support for reforming government surveillance.

    On Tuesday at the RSA Security Conference in San Francisco, I gave a speech on the changing cybersecurity landscape and the respective roles of governments, users and the IT industry. I’d like to share some of my thoughts here.


  • Reflections on the 1-year anniversary of critical infrastructure cybersecurity initiatives

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    Last February, both the United States and the European Union announced major cybersecurity policy initiatives. In the U.S., the Executive Order on Improving Critical Infrastructure Cybersecurity put forward an industry-driven approach to developing a Cybersecurity Framework, and emphasized the role of incentives to encourage use of the Framework. In the EU, the European Commission proposed a draft Network and Information Security (NIS) Directive that suggested a broader scope and a more regulatory approach than that in the Executive Order, including the mandatory disclosure of cybersecurity incidents. One year later, I wanted to offer observations about these initiatives, as both have advanced on their respective tracks.


  • New Cyber Security Policies Aim to Improve Critical Infrastructure Protection

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    It has been an interesting time for those who care about cyber security. Last week, the European Union introduced its formative cybersecurity strategy and draft directive on network and information security to better protect critical systems from security incidents and breaches. Two days ago, the White House released an Executive Order entitled Improving Critical Infrastructure Cybersecurity to drive a concerted effort across departments, agencies and industry to improve the posture of the nation’s critical infrastructures against cyber-attacks. The White House also issued Presidential Policy Directive 21 on critical infrastructure security and resilience to augment existing policy and enhance existing capabilities, partnerships, and strategies. Yesterday, the Cyber Intelligence Sharing and Protection Act (CISPA) was also introduced as a bill, which will continue the important dialogue on the exchange of cyber threat information to help manage cyber risks.

    The key definitions, approaches and activities outlined in the Executive Order are fairly well aligned with a set of global principles essential for enhancing cyber security. More specifically, the Order recognizes the principles of active collaboration and coordination with infrastructure owners and operators, outlines a risk-based approach for enhancing cyber security, and focuses on enabling the sharing of timely and actionable information to support risk management efforts. It is important to see these principles reflected in the Executive Order for three reasons. First, it is the private sector that designs, deploys and maintains most critical infrastructure; therefore, industry must be part of any meaningful attempt to secure it. Second, information sharing combined with the implementation of sound risk management principles is the only way to manage complex risks. Finally, while critical infrastructure protection is important, it cannot be the only objective of governmental policy; privacy and continued innovation are also critical concerns.


  • House Task Force Provides Framework for Legislative Action on Cyber Security

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    This week, the House Cyber Security Task Force, chaired by Rep. Thornberry, released its recommendations and report to help guide legislative action on cybersecurity. The Task Force recommendations represent another key milestone in our combined private and public sector efforts to address the cybersecurity challenges of the Information Age.


  • Microsoft Engages with Industry and Government Leaders at EWI Cybersecurity Summit

    Posted by Scott Charney
    Corporate Vice President, Trustworthy Computing, Microsoft

    Cybersecurity and the overall health of the Internet have become key concerns for governments, enterprises and computer users.

    As more people, computers and devices come online (there are approximately 2 billion people using the Internet today), cyber threats have grown more sophisticated and cybercriminals have successfully gathered sensitive data, disrupted critical operations or engaged in other illegal activity such as fraud. Governments around the world have expressed concern that the critical information infrastructures that support their countries could be targeted. In response, many countries have sought to improve critical information infrastructure policy, to build effective information sharing and collaboration capabilities that address threats and vulnerabilities, and to coordinate on responses to increasingly complex cyber incidents.