Chief Security Officer, Microsoft Federal
Organizations of all types today face a daily and growing assault from nation states, lone actors and organized crime. The effects of a cyber-attack can be as far-reaching, troublesome and significant as physical attacks, and can make or break organizations that are not sufficiently prepared. The question is, how can an organization embed cyber security into its suite of core business functions?
Tom Ridge, the first secretary of the U.S. Department of Homeland Security and one of the world’s most prominent security experts, shared his assessment of the current cyber security landscape at this week’s 2014 Microsoft Federal Executive Forum, an annual event hosted by Microsoft for its federal government community customers.
“Global security in the 21st century is an unending mission,” Ridge said. “It is a network world, what isn’t affected by the Internet today?”
Ridge believes that managing risk and ensuring resilience sit at the center of data-security operations.
“Hackers today are better organized, certainly better financed and more driven,” said Ridge. Therefore, federal organizations need to plan ahead, predict threats and be quick to respond.
According to Ridge, who served six terms in Congress and also served as governor of Pennsylvania, one of the largest burdens on our nation’s digital security is democracy itself. Our nation’s congressional system was designed to carefully deliberate the best course of action, and each of our representatives wants to do the right thing for the American people. However, the landscape of technology and cyber security issues changes so rapidly that it inherently conflicts with the much slower political process.
“You can debate all these other issues for years, but the digital security landscape changes every day,” Ridge said. Ridge believes giving CIOs more power to react and be agile would greatly improve our nation’s cyber security.
The attempt to create trusted or secure computer systems is as old as computer systems themselves. While there have been some successes, noted Ridge, a completely impenetrable system remains elusive. It’s a classic arms race, in which something that remains static is never secure. A beneficial partnership, however, can be one where government agencies and the technology industry together build systems that have the ability to rapidly change and adapt to threats.
Following Governor Ridge’s assessment of the landscape, David Aucsmith, senior director of Microsoft’s Institute for Advanced Technology in Governments, challenged the audience to operate under a consistent set of best practices. First, Aucsmith noted that the evolution of systems is critical. Systems need to be able to defend themselves, to adapt and collect information, and to respond accordingly. Agility equals survivability in cyber defense.
Second, systems being built from the ground up need to be integrated. Defense is only as effective as your understanding allows it to be. Using Microsoft as an example, products such as Bing, Forefront Security, Outlook.com, Windows Defender, SmartScreen and Microsoft Phishing Filter all act as sensors that enable Microsoft to get data from relevant global points of view: client, server, mail and Internet threats. You have to know your adversary to adapt and change correctly, and you cannot do that without collecting data across multiple touch points.
Third, CIOs have to be ready to patch and upgrade their software. Organizations cannot run old software because the lack of support cripples any ability to respond to attacks. It’s just a fact that newer versions of software are more secure than those that are 15 years old. It also remains true, however, that the push system we have built to ensure patches get applied has worked incredibly well. Patches need to be deployed quickly; there is a five-day average between patch and weapon deployment. That lead time, in many cases, is more than enough time for hackers to find an exploit. Patches are one of the most important tools we have to counter our adversaries and keep them outside of the decision cycle.
As Aucsmith emphasized, at the end of the day, there’s no such thing as perfect software. Technologies are changing, people are changing, and processes are changing. Moving quickly to 64-bit architectures offers greatly improved security features and a “start over” code base, and makes it more difficult for hackers to write exploit code. Engineering a combination of quality with continuous responses is a responsible and effective strategy.
Both Ridge and Aucsmith emphasized to the government audience that cyber terrorism and cybercrime have been professionalized over the last decade. According to the 2013 Norton Report, cybercrime costs consumers $113 billion a year. The disintermediation of cyberspace (which has essentially removed most of the middle layers) has altered Internet business and created profound and unanticipated effects, namely enabling personal crimes at a large scale. Law enforcement, governments and militaries cannot fully protect individuals and businesses from cybercrime and information theft – they can simply investigate, prosecute and retaliate. Technology vendors, governments, businesses and consumers must work together to innovate, develop and deploy effective security solutions in response to growing dangers.
Ever since Bill Gates introduced the idea of Trustworthy Computing, Microsoft has been committed to supporting partnerships that help to anticipate, identify and pinpoint the sources of critical infrastructure threats. More than 12 years into the Trustworthy Computing initiative, our commitment has not changed. We remain laser-focused on initiating change that will improve the security and resiliency of critical infrastructures.
Make no mistake, there are many challenges ahead in a world of devices and cloud computing. The elements of Trustworthy Computing – security, privacy and reliability – must evolve to remain strong. Everyone at Microsoft and across the entire computing ecosystem has a role to play.