Cyber Security Conference - Trustworthy Computing cybersecurity white paper

Cybersecurity: Cornerstone of a Safe, Connected Society

Tyson Storch*
Trustworthy Computing
Microsoft Corporation
March 9, 2012

* This paper benefited from several reviewers who provided substantive comments and helped to shape this paper. Please see Appendix B for a list of contributors.

Contents

Part I: Introduction (p. 3)
Part II: What is Cybersecurity? (p. 3)
Part III: Microsoft's Approach (p. 5)
    A. Understanding the Threat Landscape (p. 6)
        1. Cyber Attack - Motivations (p. 6)
        2. Cyber Attack - Basic Avenues (p. 7)
    B. Microsoft's Risk Management Approach (p. 7)
        1. Enhancing Secure Product Development to Address Product Vulnerabilities (p. 8)
        2. Enhancing Security for the Supply Chain (p. 8)
        3. Enhancing Operational Security (p. 10)
        4. Enhancing Security against Social Engineering (p. 11)
Part IV: Emerging National Approaches to Cybersecurity (p. 12)
Part V: Collaborative Approaches for Advancing a More Secure Cyberspace (p. 13)
    A. Coordinated National Cybersecurity Strategy (p. 13)
    B. Flexible and Agile Risk Management (p. 14)
    C. Innovative Information Sharing (p. 15)
    D. International Implications (p. 16)
Part VI: Conclusion (p. 17)

Part I: Introduction

Cybersecurity is the cornerstone of a networked world. Over the next few years, the world will see an unprecedented growth in Internet users, devices and data which will create vast opportunities and equally daunting challenges. For government policymakers, who are the main focus of this paper, such challenges include protecting public health and safety, economic security, and national defense, all of which are core to managing a modern nation.

Microsoft's experience in managing cybersecurity risks for more than one billion customers has given us insight and perspective into current and future challenges. As Microsoft marks a ten-year milestone of Trustworthy Computing, our commitment to greater security, privacy and reliability continues to emphasize partnerships with governments, enterprises and citizens. Working together, in a more connected society, we can build a safer, more trusted computing experience.

This paper 1) discusses Trustworthy Computing's approach to cybersecurity, 2) makes observations on emerging national approaches and 3) provides recommendations to government policymakers on approaches to consider when developing policies and practices to address key cybersecurity concerns. Central to the success of these efforts will be coordinated national cybersecurity strategies, flexible and agile risk management, and information sharing in a global context.

Part II: What is Cybersecurity?

Cybersecurity encompasses many different concepts, from information security to operational security to computer system security. Cybersecurity also means different things to different audiences. For individual citizens, it is about feeling safe, and protecting their personal data and privacy. For enterprises, cybersecurity is about ensuring the availability of critical business functions and the protection of confidential data by maintaining operational and information security. For governments, it is about protecting citizens, enterprises, critical infrastructure, and government computer systems from attack or compromise. While definitions vary, cybersecurity essentially represents the collective activities and resources that enable citizens, enterprises and governments to meet their computing objectives in a secure, private, and reliable manner.

For government policymakers, such objectives include protecting public health and safety, economic security and national defense, which are core to managing a modern nation. Today, Information and Communications Technology (ICT) is an essential underpinning of modern society and of how governments manage public services, economic growth and national security. For example, in the European Union, the ICT sector is directly responsible for five percent of gross domestic product.[1] Perhaps more important is ICT's impact on other sectors, which accounts for seventy-five percent of the overall economic impact of the Internet.[2] ICT can help fulfill key government objectives, such as economic stability, safety, freedom, social stability, public safety, and education, all of which can lead to improving a nation's overall well-being and quality of life for its citizenry.

At the same time, ICT dependence carries with it an evolving set of risks. A wide range of actors, from nation-states to highly sophisticated and well-funded criminal organizations to loosely affiliated groups of "hacktivists", are focusing their energies on exploiting and attacking an increasingly networked environment. These raise new challenges for policymakers, including the ability for attackers to strike from afar and to do so anonymously and at the speed of light (a keystroke takes one hundred fifty milliseconds to travel around the world); a proliferation of mobile devices, which may lag behind traditional personal computers and less portable devices in terms of security; and an increase in the number of worldwide Internet users, who, through their own practices, can create new points of vulnerability.

Given these dynamics, cybersecurity will continue to be a necessary cornerstone for the ICT sector overall to maintain its role as an engine of innovation, growth, jobs and social development. As cyberspace continues to evolve, and as ICT influence on every sector of the economy continues to grow, so too must cybersecurity as new environments and threats emerge. Indeed, because threats and technologies have the potential to evolve much faster than the regulatory processes, government and industry must work together to develop appropriate frameworks that will allow cybersecurity solutions to keep pace with the dynamic threat environment, while also enabling innovation. One important way to keep pace with the changing threat environment is to ensure that government and industry are focused on outcome-based results, in addition to the process to deliver them. In short, it is about advancing risk-based security rather than "check-the-box" compliance.

[1] See the European Commission Communication: A Digital Agenda for Europe, COM (2010) 245.
[2] See the McKinsey Global Institute's report: Internet matters: The Net's sweeping impact on growth, jobs and prosperity (2011).

Part III: Microsoft's Approach

We recommend policymakers consider Microsoft practices, discussed in this Part III, as they develop their own policies and practices for their citizens. As Microsoft recently marked a ten-year milestone of Trustworthy Computing, we recognize that our commitment to greater security, privacy and reliability[3] in our products and services is more important than ever. Our experience in managing cybersecurity risks has given us perspective and insight into current and future challenges that government policymakers face as they work to build strategies, plans, and regulations related to cybersecurity. For example, we have developed methodologies and tools such as the Security Development Lifecycle (SDL), which helps reduce vulnerabilities in our products, and defensive capabilities, like those developed by the Microsoft Security Response Center, which help ensure we can respond efficiently when new vulnerabilities or attack vectors are identified. These efforts have had a measurable, positive impact on the security profile of our products and services. Microsoft works across the security industry and IT ecosystem. We collaborate with policymakers, technical and business leaders, standards bodies and advocacy groups, such as SAFECode,[4] to champion security innovation and improve computing experiences for everyone.

What follows below is a brief overview of Microsoft's risk management approach, including understanding the evolving threat landscape and applying this knowledge to help reduce the attack surface of our products and services. While risk may never be completely eliminated, it can be managed (e.g., accepted, transferred or mitigated). Even though risk management may not be new to governments, cybersecurity presents significantly different challenges and many of our experiences and practices can benefit governments, enterprises and citizens as they seek to better understand and manage their respective cybersecurity risk.

[3] While this paper does not specifically address privacy or reliability, they are also core Trustworthy Computing pillars. For more information on privacy and reliability see the Trustworthy Computing site.
[4] See the Software Assurance Forum for Excellence in Code at www.safecode.org.

A. Understanding the Threat Landscape

As governments work to advance their national security goals through effective cybersecurity, understanding key motivations and avenues of attack is essential to effectively and efficiently applying resources to realizing those goals and minimizing risk.

1. Cyber Attack - Motivations

In his white paper Rethinking the Cyber Threat - A Framework and Path Forward, Scott Charney[5] groups the motivations for cyber attacks into four main categories:

- Cybercrime captures the largest numbers of actors (from juveniles to repeat offenders) and the largest number of motives and actions (from committing complex fraud to significantly damaging an IT system in a non-warfare context).

- Economic espionage involves penetrating companies and other organizations to steal intellectual property, trade secrets, or other high-value data. Economic espionage appears to be practiced by bad actors working on their own, as well as government-sponsored actors working on behalf of countries who support domestic industries by stealing the intellectual property created in other nations (or fail to act when a domestic company steals information from its foreign competitors). In this category, governments clearly have philosophical differences about what constitutes acceptable behavior. For example, many countries believe that businesses should compete on a level playing field, and that legal systems should protect the right of those who develop new ideas to monetize them. Another area of philosophical dispute, and one that is even more challenging than economic espionage, relates to freedom of speech.

- Military espionage relates to the allegations that a national government intrudes into and exfiltrates data from another national government, e.g., from government agencies and/or the military industrial base. Without diminishing the seriousness of these allegations, it is important to recognize that military espionage has been occurring from time immemorial, and that some victims of military espionage may be engaged in such espionage activities themselves.

- Cyber warfare is a particularly difficult area because the Internet is a shared and integrated domain. In the physical world, it is easier to separate military from civilian targets. The Internet does not permit such clean demarcations.

No matter the motivation, cyber attacks present significant challenges because the Internet permits a potentially anonymous and untraceable individual with virtually no resources to threaten key operations of a national government or enterprise, putting citizen safety and economic security at risk.

[5] Scott Charney is Corporate Vice President, Trustworthy Computing, at Microsoft.

2. Cyber Attack - Basic Avenues

In addition to motive, it is important for government policymakers to understand four potential avenues that bad actors could use for attacks:[6]

- Product Vulnerabilities. The first area attackers may focus on is vulnerabilities that are introduced while the product is being made. As ICT products are increasingly complex and made by humans, they will never be perfect. Attackers can attempt to exploit vulnerabilities in hardware and software, including the operating system, applications, and services.

- Supply Chain, Including Product Integration and Delivery. The second area attackers might target is to introduce vulnerabilities into the product or service that is received by the customer. We commonly refer to these as supply chain issues, and they include attacks on product suppliers and subcontractors, malicious insiders, and non-genuine products that could be tampered with in transit or during deployment to the customer.

- Operational Security. Once the product is produced and safely delivered to a customer's hands, an attacker looks at how it is deployed and the policies that are being used, searching for weak spots in an organization's operational security. Potential weak spots may be found in a company's failure to enforce least-privilege policies on the network, failure to require strong passwords, failure to apply software updates and security patches in a timely fashion, or a lax hiring process.

- Social Engineering. As security improves in products and services, we see social engineering becoming the attack route of choice. Cyber attackers are getting more adept at creating plausible e-mails that deliver malicious code. For example, some pose as IT staff and ask for passwords. Once viewed as only a component of operational security, defending against social engineering and the emergent engineering efforts to mitigate it are now recognized by Microsoft as a distinct domain.

B. Microsoft's Risk Management Approach

In response to the cyber attack avenues outlined above, Microsoft manages risks through an ongoing effort to enhance secure product development, supply chain security risk management practices, and operational security, as well as understanding social engineering. Building on various internal risk management programs and methods, including maturity models, risk profiling and assessment tools, Microsoft seeks to continually improve the efficiency and effectiveness of its risk management approaches. Microsoft shares those practices with industry and policymakers as appropriate.

[6] Matt Thomlinson, General Manager, Trustworthy Computing, Microsoft, spoke of the four areas attackers can focus on. See the keynote address presented at the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011.

1. Enhancing Secure Product Development to Address Product Vulnerabilities

From the inception of a product at Microsoft, we apply rigorous processes and tools to reduce vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during development and has proven its ability to increase the security of software. We have made the SDL process and many of our tools available for others, downloadable at http://microsoft.com/SDL.[7]

The SDL has delivered results by reducing product vulnerabilities and raising the costs of an attack. Indeed, we see attackers moving away from Microsoft products as they get harder to attack. In the August 2011 edition of the IT Threat Evolution report,[8] none of the top 10 software vulnerabilities involved Microsoft products. Many governments and enterprises are now applying the SDL to their in-house software and services development efforts.[9]

We also invest in mitigations so that if an attacker discovers a software vulnerability, it is much more difficult for an attacker to use. These mitigations, such as Address Space Layout Randomization,[10] included in Windows Vista and later product versions, are built in and most are enabled within the operating system by default. While one may not notice them when using a computer, they help to limit the attack surface.

Finally, it is important to apply software updates to quickly respond to issues and decrease the likelihood of attacks against known vulnerabilities. Microsoft works hard to make these updates timely, easy to install and reliable.

2. Enhancing Security for the Supply Chain

Taking efforts to secure Microsoft's supply chain is a part of our approach to risk management, and should be a standard practice for governments as well. The amazing global transformation of the last few decades is the product of global free trade and ICT innovation. However, governments worldwide have begun to express concerns about the threat to their ICT systems from the global supply chain for ICT products. These concerns are based on the risk that an adversary might tamper with products during their development, manufacture, production or delivery. In response to these concerns, some governments have begun to develop policies and requirements intended to mitigate these supply chain risks.

[7] For a selected list of Microsoft resources, see Appendix A.
[8] See "IT Threat Evolution: Q2 2011," Kaspersky Labs, August 11, 2011.
[9] See Defense Information Systems Agency, Application Security and Development Security Technical Implementation Guide (STIG) (version 2, REL. 1) (24 JUL 2008); see also Microsoft Whitepaper, "MidAmerican Energy Holdings Company uses Microsoft SDL to make its Software More Secure," March 2011.
[10] For a general definition of ASLR, see https://secure.wikimedia.org/wikipedia/en/wiki/Address_space_layout_randomization

Microsoft understands these concerns. In a world of diverse and competing economic, political, and military interests, no country wants to be dependent on products and services that may be tainted by an adversary.

For both governments and vendors who support them, like Microsoft, the challenge of managing supply chain risk is also compounded by complexities inherent in the supply chains themselves. The supply chains that support the delivery of information and communications products and services consist of globally-distributed and dynamic collections of people, processes and technologies that encompass numerous hardware and software components. The risks, therefore, are not subject to easy quantification and remediation; it is difficult to know whether a process, hardware component, or a complex piece of software has been subject to malicious manipulation or modification because available testing capabilities cannot provide satisfactory answers to that question.

In 2011, Microsoft published two white papers on cyber supply chain risk management. The first white paper, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, presents a set of key principles to enable governments and vendors to manage supply chain policies more effectively. The second paper, Toward a Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity, provides a framework for the pragmatic creation and assessment of Software Integrity risk management practices in the product development process and online services operations.

While some countries are taking steps to reduce dependencies on foreign products and, arguably, to support domestic innovation, Microsoft believes national policies codifying preferences for domestic suppliers create trade barriers, undermine foreign investment, and deprive domestic industry of the benefits of technological innovations from elsewhere in the world. The question becomes, therefore, "how do countries protect national security interests without inappropriately undermining the value produced by a global supply chain?" The answer to that question requires understanding the elements of the trust problem and formulating a meaningful and workable framework for addressing supply chain risks.

We recommend that when developing a national risk management approach for supply chain issues, governments consider four guiding principles for their supply chain efforts: (1) that they are risk-based, utilizing collaboratively developed standards; (2) transparent; (3) flexible; and (4) reciprocal.[11]

3. Enhancing Operational Security

Strong operational security and use of best practices are essential elements of any risk management approach, and critical components for any government to consider. As noted above, attackers often focus on finding deployment issues such as unpatched or misconfigured computers and weak passwords. Computers that unintentionally connect a corporate or government network to the Internet, or run unapproved file-sharing software that makes internal documents publicly available, are another favorite method of attack. Operational security risks can be managed by the use of best practices, including enforcing strong security policies, aggressively updating software, monitoring your network for threats, employing defense-in-depth and ensuring your enterprise has incident response procedures.

Microsoft's patch management system, with its automated releases for the second Tuesday of each month, was designed to enhance operational security by having standard, predictable releases of software patches on a monthly basis. Additionally, it highlights whether the updates are of critical or moderate concern and provides prescriptive guidance for our customers on when to deploy them.

Solid operational security measures, such as staying current with security updates, are a critical component of any government's risk management practice. We tracked the exploitation of Microsoft Office vulnerabilities in Volume 8 of our Security Intelligence Report (SIR). It showed the effectiveness of staying up-to-date on new software versions, with the finding: "If the Office 2003 RTM users in the sample had installed SP3 and no other security updates, they would have been protected against 96 percent of observed attacks; likewise, Office 2007 RTM users would have been protected from 99 percent of attacks by installing SP2."

Operational security can be enhanced by the use of best practices, including the following:

- Architect for Containment. In the modern threat landscape that includes persistent and determined adversaries, attackers will attempt to penetrate a computer system stealthily and then leverage the fact that a hard perimeter, once defeated, reveals a soft interior that can be navigated easily for long periods of time.[12] This being the case, the security strategy deployed for blunting threats through prevention and response now needs to extend to containment (e.g., network segmentation, limiting user access to least privilege) to ensure that, if part of a network is compromised, the adversary is well contained.

- Employ defense-in-depth. Network defenses should be deep, integrating multiple, overlapping, and mutually supportive defensive systems. Defense systems should include firewalls, gateway antivirus protection, intrusion detection, intrusion protection systems, and Web security gateway solutions.

- Aggressively update. An aggressive security update program is essential. Operating systems, applications, and browser plug-ins should be updated whenever new code is released. Automated security update deployment should be used whenever possible to maintain up-to-date protection across the organization. Additionally, security countermeasures, including virus definitions and intrusion prevention, must be updated continually.

- Monitor for threats. Proactively monitor infrastructure for network intrusions, malicious code propagation attempts, suspicious traffic patterns, attempts to connect to known malicious or suspicious hosts, and attempts to spoof trusted web sites. It is also important to remain constantly aware of new vulnerability threats and adhere to remediation guidance.

- Ensure proper incident response procedures. Proper incident response should be an integral part of an overall security policy and risk mitigation strategy. This should involve proactively creating incident response plans, and assembling an incident response team.

[11] See Microsoft Whitepaper, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, by Scott Charney and Eric T. Werner, July 2011, p. 9.
[12] See Microsoft Whitepaper, Trustworthy Computing Next, by Scott Charney, February 2012.
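The "Monitor for threats" practice above names three things worth watching for in outbound traffic: connections to known malicious hosts, attempts to spoof trusted web sites, and suspicious traffic patterns. The following script is an added example written for this page, not code from the paper or from Microsoft, showing what a minimal monitor for those three signals looks like when run over log lines. The log format, the blocklist, the trusted-domain list and every host name and address are constructed placeholders; the "beacon" rule (many connections to one host at near-constant intervals) is one common heuristic for a suspicious traffic pattern, chosen here as an illustration.

```python
"""Added example: a small outbound-traffic monitor run over constructed proxy log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one connection per line (not a real product's format):
# "<ISO timestamp> <client ip> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2012-03-09T10:00:01 10.1.4.22 intranet.example.local 512
2012-03-09T10:00:05 10.1.4.22 update.vendor.example 2048
2012-03-09T10:00:09 10.1.4.37 bad-host.example.invalid 120
2012-03-09T10:01:00 10.1.4.22 micros0ft-login.example.invalid 300
2012-03-09T10:02:00 10.1.4.50 cdn-stats.example.invalid 64
2012-03-09T10:03:00 10.1.4.50 cdn-stats.example.invalid 64
2012-03-09T10:04:00 10.1.4.50 cdn-stats.example.invalid 64
2012-03-09T10:05:00 10.1.4.50 cdn-stats.example.invalid 64
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

# Constructed indicator list and trusted-site list (placeholders, not real data).
BLOCKLIST = {"bad-host.example.invalid"}
TRUSTED_DOMAINS = ["microsoft.com", "contoso-bank.example"]
# Digit-for-letter substitutions often used in lookalike host names; hyphens are dropped.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def parse_log(text):
    """Return (timestamp, client, host, bytes) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), client, host.lower(), int(nbytes)))
    return events


def is_lookalike(host):
    """True when a host is not a trusted domain but normalizes to contain a trusted brand label."""
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return False
    normalized = host.translate(HOMOGLYPHS)
    brands = [d.split(".")[0].translate(HOMOGLYPHS) for d in TRUSTED_DOMAINS]
    return any(brand in normalized for brand in brands)


def find_beacons(events, min_hits=4, tolerance=0.10):
    """Flag (client, host) pairs contacted repeatedly at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, client, host, _ in events:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), times in sorted(by_pair.items()):
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
            beacons.append((client, host))
    return beacons


def analyze(text):
    """Run the three checks and return (rule, client, host) findings in log order."""
    events = parse_log(text)
    findings = []
    for _, client, host, _ in events:
        if host in BLOCKLIST:
            findings.append(("known-malicious-host", client, host))
        elif is_lookalike(host):
            findings.append(("lookalike-of-trusted-site", client, host))
    for client, host in find_beacons(events):
        findings.append(("regular-beacon", client, host))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Each finding carries the rule that fired, so it can be routed to the incident response team the next practice asks for. The lookalike check deliberately exempts the genuine trusted domains first; without that ordering every legitimate login page would be flagged as a spoof.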

While the section above recommends practices that are important for core operations, they may not protect users from themselves. Governments and enterprises will need to work together to create practices for effectively educating users about the dangers of social engineering, as well as identifying best practices for making products more robust against social engineering techniques.

4. Enhancing Security against Social Engineering

Sometimes users make poor choices that compromise the security of their devices and data; when these are directed by an attacker, we call that social engineering. Social engineering attacks can be difficult to protect against, because it is hard to protect against the legitimate actions of a misguided user.

Education is a key part of defense. Organizations should raise awareness of these threats and provide training to help spot and prevent social engineering. For example, users should be suspicious of communications from unknown parties, particularly those that include attachments, as well as URLs served on social media sites that promise rewards or other unusual opportunities. Web browser URL reputation solutions, such as Internet Explorer's SmartScreen, can help by blocking known malicious sites or downloads. Organizations can also protect users from their own actions by instituting best practices such as:

- Using encryption. Encryption should be used to protect sensitive data, including drive encryption like Windows BitLocker to secure data should a computer be stolen or simply lost.

- Enforcing an effective password policy. Ensure passwords or passphrases are at least eight to ten characters long and include a mixture of letters and numbers. Users should be encouraged to avoid re-using the same passwords on multiple web sites, and sharing passwords with others. Passwords should be changed at least every ninety days.

- Applying least privilege accounts and software restriction policies as appropriate.
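The password policy item above states its rules in prose; the following is an added example, not code from the paper or from Microsoft, of how an account-provisioning hook could enforce them. The minimum length uses the upper figure of the paper's "eight to ten" range, the rotation period is the paper's ninety days, and the history depth of five previous passwords is an assumption made here as the organizational counterpart of the paper's advice against re-use. History entries are stored as salted PBKDF2 digests rather than plaintext so that the re-use check does not itself create a store of old passwords.

```python
"""Added example: enforcing the password policy described above (constructed rules and values)."""
import hashlib
import os
from datetime import date

MIN_LENGTH = 10        # paper: "at least eight to ten characters"; the upper figure is used here
MAX_AGE_DAYS = 90      # paper: "changed at least every ninety days"
HISTORY_DEPTH = 5      # assumption: number of previous passwords remembered per account
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; history entries keep only (salt, digest), never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Recompute the digest with the stored salt and compare."""
    return hash_password(password, salt)[1] == digest


def password_violations(candidate, history):
    """Return the policy rules a candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must mix letters and digits")
    # Only the most recent HISTORY_DEPTH entries count, so very old passwords may return.
    if any(matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reuses a recent password")
    return problems


def rotation_due(last_changed, today):
    """True once a password has been in use for MAX_AGE_DAYS or longer (ISO date strings)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days >= MAX_AGE_DAYS


if __name__ == "__main__":
    history = [hash_password("Winter2011xyz")]          # constructed previous password
    print(password_violations("Winter2011xyz", history))  # reuse is rejected
    print(password_violations("Spring2012abc", history))  # acceptable
    print(rotation_due("2011-12-01", "2012-03-09"))        # 99 days old: rotation due
```

Returning the full list of violations, rather than the first one, lets a self-service reset page tell the user everything to fix in one attempt; the `rotation_due` check is meant to be run by a scheduled job against each account's last-changed date.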

Microsoft continues to invest in research, innovation and development designed to reduce product vulnerabilities, improve supply chain risk management, enhance operational security and advance security related to social engineering attacks. As discussed below, nations are striving to improve cybersecurity and recognize its importance to their critical objectives, such as promoting economic and national security as well as citizen safety and innovation.

Part IV: Emerging National Approaches to Cybersecurity

In order to meet its national objectives, it is critical for a government to develop cybersecurity capabilities as part of its national security plan. This can help spur other benefits, too. For example, government leadership and policies that develop capabilities to enhance cybersecurity can help improve citizen safety, develop a skilled workforce capable of protecting critical infrastructure, improve commerce and investment as a result of greater confidence in the security of the underlying infrastructure, and ultimately create new jobs and communities that contribute to improved quality of life.

In recognition of the benefits of secure ICT, some governments have begun to build a series of complementary plans and programs to address these requirements. According to the International Critical Information Infrastructure Protection Handbook, over twenty nations have developed critical information infrastructure protection policies.[13] The United Nations Institute for Disarmament Research (UNIDIR) notes that thirty-three states have developed cyber strategies related to defense.[14] The Organization for Economic Cooperation and Development has also been tracking the emergence of national identities tied to increasing cybersecurity and recently published a report highlighting findings from eighteen countries that either have or plan to develop a national strategy for identity management.[15] Looking across the emerging landscape of government strategies we find common elements, including:

- Identity and Access;
- Software and Systems Assurance, including supply chain risk management;
- Compliance and Monitoring;
- Data Protection;
- Resiliency and Risk Management; and
- Response.

In addition to these elements, many governments are also looking to use cloud services because they increase innovation and reduce costs in delivering services, and are asking how to incorporate cloud services into a national cyber security strategy. Not surprisingly, governments are concerned about security and sovereignty issues related to the cloud. Governments are working with the private sector to identify and manage these risks, including efforts like the Cloud Security Alliance, which seeks to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.

[13] International CIIP Handbook 2008/2009, Andreas Wenger, Victor Mauer, and Myriam Dunn Cavelty, Center for Security Studies, ETH Zurich.
[14] United Nations Institute for Disarmament Research (UNIDIR), Cybersecurity and Cyberwarfare, Preliminary Assessment of National Doctrine and Organization, p. 3 (2011).

Part V: Collaborative Approaches for Advancing a More Secure Cyberspace

There are four key factors that a government should consider carefully to improve its cybersecurity profile in the near term and promote innovation and leadership in the long term. These include a national, coordinated cybersecurity strategy; a flexible and agile cybersecurity risk management approach; appropriate information sharing capabilities; and the international implications (i.e., reciprocity) of any resulting policies or practices.

A. Coordinated National Cybersecurity Strategy

Governments must have a clear, coordinated and actionable cybersecurity strategy designed to ensure national security, economic security, and public safety, and to ensure delivery of critical services to their citizens. Importantly, each government must ensure that its cyber policies are technology neutral and do not stifle innovation. Technology neutral policies do not promote, require, or otherwise advance a particular technology product or set of products to the exclusion of others; rather, they identify desired outcomes and allow the marketplace to find the most innovative way to achieve those outcomes. In addition, governments must integrate and harmonize their cyber policies, recognizing that actions each government takes will have ramifications beyond its individual borders. Policymakers must be mindful of the global import of their actions and ensure that competing interests are balanced appropriately.

15 Organization for Economic Cooperation and Development, OECD (2011), "National Strategies and Policies for Digital Identity Management in OECD Countries", OECD Digital Economy Papers, No. 177, OECD Publishing, p. 4. http://dx.doi.org/10.1787/5kgdzvn5rfs2-en

B. Flexible and Agile Risk Management

Any framework designed to manage cybersecurity risk must be flexible enough to permit future improvements to security, an important point since cyber threats evolve over time. Governments, enterprises, and citizens depend on the information infrastructure and the data that IT systems contain, and there are often no alternative physical means to perform core functions. Yet, as discussed above, the information infrastructure faces a myriad of ever-changing cyber threats. Risk management is the appropriate approach to improve the security of the ICT systems on which we all depend: there are simply not enough resources or time to address all the risks we face.

While risk management is a well understood discipline, managing cyber risks is particularly difficult, especially in government environments. This is because cyber risks are complex; the infrastructure and information systems are varied and distributed; it can be difficult to quantify risks and the value of potential mitigations; and it is important that we not hinder innovation and agility. Therefore, while governments and enterprises must continue to anchor approaches to securing the information infrastructure in risk management, they must also evolve how that discipline is applied to better address the unique nature of cyber risks. When doing so, government and industry should strive to ensure that their approach is appropriately scoped to address pressing national security and public safety concerns, and remains sufficiently flexible and agile to enable organizations to manage risk in a dynamic cyber threat environment.

In managing cyber risk for information infrastructure, government must balance dual, and often interrelated, roles. First, as a public policy entity, the government is responsible for protecting public safety, as well as economic and national security, and must consider which infrastructures support those missions. National governments are also a large and widely distributed enterprise, with countless globally distributed customers (e.g., citizens who want to connect with their government), partners, operations, networks, and resources. Although distinct, the policy and enterprise roles are not entirely separate, as each affects and informs the other. Government and industry must be particularly careful when delineating the elements of the information infrastructure that are truly critical to national security and public safety.

We recommend that governments work to ensure that the highest priority risks are addressed. Microsoft believes each risk should be assessed to determine its severity, the consequences of a successful exploit should be understood, and the likelihood of harm should be evaluated. Appropriately identifying the systems and assets that should be addressed as priorities, as well as the risks to be addressed, will enable both government and private sector leaders to better secure the nation's critical information infrastructure. Similarly, governments must create a risk management framework that enables the necessary agility to respond to rapidly changing cyber threats.16

It is important to understand that risk has historically been managed by focusing on "verticals" (e.g., banking, health care), but information technology runs horizontally underneath all verticals. A risk management model should (1) recognize this horizontal layer (that is, IT risks need to be managed in common ways), but also (2) appreciate that verticals have unique requirements. We therefore recommend a hybrid model that includes:

- A centrally managed horizontal security function to provide a foundation of broad policy, security outcomes, and standards; and
- Vertical security functions resident in individual organizations to enable them to manage their unique risks with agility.

This combination of horizontal and vertical functions ensures that minimum security goals and standards are set, yet provides organizations with flexibility to manage the unique risks associated with their operating environments.

C. Information Sharing

Successful risk management depends on effective information sharing. Information sharing succeeds when it is targeted at solving specific problems and challenges. Information sharing itself is not an objective but rather a tool, and sharing for sharing's sake is not helpful. Threats and risks are not best managed by sharing all information with all parties, but rather by sharing the right information with the right parties (that is, parties who are positioned to take meaningful action). Targeted information sharing also better protects sensitive information (whether in the hands of the government or private sector), helps protect privacy, and actually permits more meaningful sharing of data.

16 See Written Testimony of Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft Corporation, Before the Senate Committee on Homeland Security and Governmental Affairs, Hearing on "Securing America's Future: The Cyber-Security Act of 2012," February 16, 2012, p. 4.

Microsoft recommends that governments, working with industry, create two complementary information sharing capabilities: one focused on the most significant threats to a government's national security and public safety, and another designed to enable greater automated management of IT security compliance across the government's enterprise.17

For example, a government could, in part, promote effective information sharing capabilities by:

- Exchanging technical data under rules and mechanisms that require both sides to protect sensitive data;
- Analyzing the risks holistically and developing strategies to manage those risks; and
- Developing cyber threat and risk analytics as a shared discipline.

For any such governmental organization to achieve success, it needs to have the right legal environment, including legal protections, for such information sharing and action, and it must itself share sensitive and actionable information with the private sector.

D. International Implications

As cybersecurity becomes an increasingly important foundation of an interconnected world, governments must remember that domestic cybersecurity policies now have international implications. While it is important that governments appropriately develop policies and regulations to address Identity and Access, Software and Systems Assurance, Compliance and Monitoring, Data Protection, Resiliency, Risk Management, and Response (all core cybersecurity efforts), governments must also be aware that such policies are not created in a vacuum. Regulations and requirements that are designed to protect a government, its enterprises and citizens could in fact become an impediment to the government's long term goals related to innovation and economic development, as well as to increased security itself. Just as trade relationships are based upon the idea that opening markets in reciprocal ways can create trading opportunities between participating countries, it must be recognized that creating cybersecurity requirements that block market access may lead to similar "reciprocal" behaviors, potentially fragmenting the Internet and denying people everywhere the benefit of the highly innovative, low-cost products that only a global supply chain can produce. As such, governments should examine the potential implications of those policies in order to understand potential issues related to reciprocity.

17 Ibid., p. 7.

Part VI: Conclusion

Over the next few years, the world will see an unprecedented growth in Internet users, devices and data, which will create vast opportunities and equally daunting challenges. Cybersecurity is the cornerstone of a networked world. Only through collaboration and appropriately evolving practices like secure product development, supply chain security and operational security can we create more effective cybersecurity policies and practices. Such policies and practices will help protect public health and safety, increase economic innovation, solidify national defense, and secure the promise of our collective future. Working together, in a more connected society, we can help ensure a safer, more trusted computing experience.

Appendix A

Selected Microsoft Security Resources

Since 2002, Microsoft has developed a rich set of resources that it shares openly with others across the IT ecosystem to enhance the security of cyberspace. The following list provides more information on some of the resources included in this white paper:

Security Development Lifecycle. The SDL is a software development security assurance process consisting of security practices grouped by seven phases: training, requirements, design, implementation, verification, release, and response. Experience at Microsoft has shown that security practices executed in chronological order resulted in greater security gains and cost benefits than ad hoc implementation. The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and to projects of any size. Microsoft makes the SDL available to everyone.

Microsoft Security Engineering Center. The MSEC helps to protect Microsoft customers by delivering inherently more secure products and services, through the Microsoft Security Development Lifecycle (SDL), comprehensive security assurance in software development and state-of-the-art security science. MSEC addresses software security via three main areas: Process, People, and Technology.

Microsoft Security Response Center. The MSRC identifies, monitors, resolves, and responds to security incidents and Microsoft software security vulnerabilities, twenty-four hours a day, with a commitment to prevent worldwide incidents and create a safer, more trusted Internet. The center manages a company-wide security update release process and serves as the single point of coordination and communications. MSRC is tapped into a worldwide network of security researchers and partners and closely monitors security news lists and public forums.

Microsoft Active Protections Program. With the vast majority of attacks targeting the browser and application spaces rather than the operating system, communication and collaboration among vendors is critical to improving the security landscape. Microsoft works closely with both competitors and partners to address vulnerabilities. The Microsoft Active Protections Program (MAPP) gives partners vulnerability information early so they can build enhanced software protections for customers.

Microsoft Vulnerability Research Program. The MSVR program helps secure software running on the Windows platform by finding vulnerabilities in third-party software, communicating them to the affected vendors, and helping those vendors implement security functionality built into the Windows platform.

Appendix B – List of Contributors

In addition to the materials cited in the footnotes, this paper benefited from several contributors, including substantive comments from Paul Nicholas, Eric Werner, Cristin Goodwin, Angela McKay, Aaron Kleiner, Andrew Cushman, and Lori Woehler. Special thanks to all of you for taking the time to review and provide feedback.

Cybersecurity: The Cornerstone of a Safe, Connected Nation

© 2012 Microsoft Corp. All rights reserved.

This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.