Food for Thought: "Norms, Transparency, and User Control - Managing Risks for IT Products and Cloud Services"

"The world needs a way to better manage these risks. The answer lies in cybersecurity norms, vendor transparency, and user control," argues Scott Charney of Microsoft in our latest Monthly Mind column on the occasion of the MSC's Cyber Security Roundtable in New York on September 8.

Scott Charney is Corporate Vice President Trustworthy Computing at Microsoft (Photo: Microsoft).

Modern technology has transformed the way we live, creating new opportunities for social, political, and economic interaction. While this transformation started in the business and consumer worlds, it is also impacting governments. By embracing commercial-off-the-shelf products rather than the more expensive and less comprehensive custom-made options, governments have been able to make their services user-friendly and cost effective. This has in turn allowed them to communicate more effectively with their citizens, and enable entirely new scenarios that promote the public good, such as enabling research by making large government data sets available to the academic community.

Governments are not, however, ordinary customers: they also have heightened security concerns. With an increasing number of actors focused on building offensive cyber capabilities, governments are concerned about the security of the technology they use, particularly if it comes from potentially adversarial countries. They are particularly concerned that technology might have secret vulnerabilities, such as backdoors, designed to facilitate espionage or sabotage.

While such concerns are understandable, governments need to understand that information and communication technology (ICT) companies strive to meet the needs of a global marketplace spanning individual consumers, businesses, and governments in order to thrive. Business success in our sector requires building products that not only empower and delight customers, but also protect the security and privacy of enterprises and Internet users. Creating vulnerabilities to assist a particular government in its national security mission would irreparably harm a company’s reputation and constitute economic suicide.

In addition, ICT products and services are not produced in one single country. In fact, our supply chain is more often than not very complex: our products are composed of parts developed and built all over the world, by international companies with international locations and an international workforce. In today’s globalized economy this has become an immutable fact, and to the extent that governments are worried about supply chain integrity, it is important to remember that all countries share the same risks. Thus, the world needs a way to better manage these risks.

The answer lies in cybersecurity norms, vendor transparency, and user control. The Tallinn Manual Process, the work done within the Shanghai Security Cooperation Organization, as well as the United Nations Group of Governmental Experts on Cybersecurity have all advocated the creation of norms. Some proposals build on norms agreed for the physical world: for example, if attacks against civilians are not permitted, then attacks against critical infrastructures should also be prohibited. In that same vein, Microsoft has proposed that governments agree not to taint commercial, widely used products.

This is not to suggest that governments should blindly trust ICT; to the contrary, governments should ask providers to give them assurance about the processes they have in place. There are several ways to do this. First, governments could determine whether the vendor adheres to voluntary, international standards on security and privacy, such as ISO 27001 on secure operations, ISO 27018 on privacy, and ISO 27034 on secure development. Another option is for governments to require adherence to government-specific certification regimes, such as Common Criteria or FedRAMP.

Second, governments should seek to understand the processes vendors have in place to build and operate their products and services. For example, Microsoft has developed a comprehensive set of guidelines that we implement internally for that purpose, including the Security Development Lifecycle and Operational Security Assurance. Moreover, Microsoft offers the Government Security Program, a program which offers public sector customers four unique benefits: remote access to online source code; information about threats and vulnerabilities; technical data; and Transparency Centers, where they can work interactively with our source code or learn more about our products and services.

Third, it is important to offer governments customized versions of products that inherently meet their national security needs. These versions may, for example, restrict remote access for maintenance purposes and/or limit the collection of telemetry, even if that telemetry is normally used to create greater value for customers. Vendors may also need to give them greater control over how certain features are implemented. For example, many governments are very prescriptive in their use of cryptography, and Microsoft’s latest products allow them to use their own cryptographic algorithms through the use of TPM 2.0.

For Microsoft, taking these steps becomes even more important as we develop “Windows as a Service” with Windows 10. This evolution ensures that public and private sector customers alike get the most up-to-date, secure, and manageable Windows we offer at any point in time. We will build on our strong GSP track record and take additional steps to ensure governments can rely on the integrity of the software and services we create, help them protect their data, and offer them a level of configurability of our products and services that we have not offered in the past. Simply put, as technology changes, we will remain relentlessly focused on the security of information systems and, by being transparent, we will help our customers verify that our products and services are trustworthy.

Scott Charney is Corporate Vice President Trustworthy Computing at Microsoft. This piece was prepared on the occasion of the Munich Security Conference’s Cyber Security Roundtable on norms in cyberspace, co-hosted by Microsoft, in New York on September 8, 2015.

31 August 2015, by Scott Charney, Microsoft