Thank you for the opportunity to talk to you today. My name is Hans Bos and I am the National Technology Officer for Microsoft in The Netherlands. The National Technology Officers at Microsoft strategically connect the opportunities offered by new and advanced technology to challenges in society, and also, more operationally, to the use of new and advanced products and services at an organizational level. Last week my colleague Matt Thomlinson, from our Trustworthy Computing initiative, participated in the Budapest Conference on Cyberspace 2012 and also spoke at the Atlantic Council's evening event entitled "Toward a Secure Cyber-Future: Building a Public-Private Partnership for Cybersecurity Norms." During both events, Microsoft stressed the importance of public-private partnership at the international level and the need to ensure that the private sector has a voice in the key discussions occurring around confidence-building measures and cybersecurity norms. And Adrienne Hall, also from the Microsoft Trustworthy Computing group, spoke at the RSA Europe conference last week. Adrienne talked about some pragmatic next steps in security:
- Stay informed
- Embrace standards, best practices and transparency
- Weigh the risks and rewards in the context of your organization and business requirements
Tomorrow the retired Dutch four-star general Dick Berlijn is talking to the conference on Cybersecurity in Amsterdam. And if an interview in the leading Dutch newspaper this weekend with this well-known general is titled "War against Hackers", I think it is all proof that we may be on to a pattern of increased attention to the subject of cybersecurity. Personally, I feel a bit uncomfortable today, as usually I talk to an audience that often needs some convincing of a cyber threat to vital infrastructures.
I am sure that the standard talk on "the urgency and need for cybersecurity" is not appropriate for you as an audience. And as a National Technology Officer, I work to the national agenda of The Netherlands: the effects of our policies, products, services and strategies at the national level rather than at the global level or the scale of the EU.
Rather, instead of repeating or just emphasizing the broad commitment of Microsoft to cybersecurity, what I want to do today is add some aspects of the national level. The national level in the sense of The Netherlands, but also in the sense of Microsoft The Netherlands, what we call a 'subsidiary' of the Microsoft corporate business. To that purpose, I want to share a bit of context about your host country of today. For example, last week it was announced by the ITU that The Netherlands is again in the top 10 of the ICT Development Index. In fact we are at place 6, up one from 7 last year. The Netherlands is #11 on the World Economic Forum Networked Readiness Index, and #5 for overall Global Competitiveness. To those active in the ICT industry in The Netherlands, this did not come as a surprise. For years we have worked in the relative comfort of knowing that the distribution of and access to the digital infrastructure is at the top of the class: for citizens, for the public sector and for the private sector. This has been repeatedly visible in the reports by our national bureau of statistics, the CBS.
In their 2012 report on the 2011 data, the bureau for statistics stated that 94% of the households in The Netherlands have access to the internet. And, for example, close to 80% of the internet users in The Netherlands are buying digital or physical goods via the internet. This high level of availability of the basic needs to 'get online', access to a computer and availability of internet, is not always immediately visible in the "real" or "physical" world. Rather it is taken for granted, and in conversations it is often even compared to utility services and called a 'basic need'. Unless, as occurred last week and this weekend, an incident happens, or at least an announcement of a possible threat to the stability of service. And this announcement makes the eight o'clock news. Last week it was made to appear as if the well-known group 'Anonymous' made credible threats to part of the internet services available in The Netherlands. The cause for the attack was claimed to be the judicial actions against The Pirate Bay, and the targets included ISPs, government websites, and anti-piracy agencies, including ISPs that in fact are opposing the outcome, the legal actions, and the requirements imposed on ISPs following the Pirate Bay case. It turned out that this threat was not quite real, but the action of a lone young individual unaware of the impact of his actions.
The level of attention this news received is, well, related to the level of adoption of and dependency on, if you will, consumer digital services. For example telebanking (checking your account, transferring money, making payments) is a service that has widespread use in The Netherlands, across all age groups. As stated, in The Netherlands we have been at the top of virtually all ICT lists for the last years, whether on adoption in the private sector, adoption in the public sector, or the availability of ICT to citizens. The Netherlands was often early to accept the potential of digital technology, quick to design and develop services and implementations, and with the wide availability of bandwidth and computers, ultimately also showed a high adoption of these digital services. Discussions were abundant about moving more government services to the internet, more control infrastructures to the internet, more online databases, more open data, more, more, more ... We considered ourselves efficient and effective in the adoption of ICT.
But what we may not always have realised is how this wide adoption of services also made us vulnerable. Sure, experts were busy putting cyber security on the agenda. But there were many meetings in which participants expressed their view that the security business and experts were "overselling" and using Fear, Uncertainty and Doubt as a strategy. To be honest, maybe somewhat similar to some of the current reactions to the privacy debate outside of the circle of experts and stakeholders. Scott Charney, the Corporate Vice President of the Trustworthy Computing group, probably had his concerns about this 'unawareness' of vulnerability already years ago. He stated: "It's not just that software runs the power grid, the global financial system, and the armed forces around the world, but that the fabric of society is connected through email, browsing, social networking, search, and web applications." Suggesting that software, digitization and information flows have become completely interconnected. Many interdependencies have arisen. In most ways this is a very positive development. In other ways, and this had been obvious to experts in the field, it is a risk.
A risk that became acutely visible on the morning of August 29, 2011. That day CERT-Bund, the CERT of Germany, called GovCERT, the government CERT for The Netherlands. CERT-Bund notified GovCERT that it had information that DigiNotar, a leading Certificate Authority in The Netherlands, had been issuing fraudulent certificates for well-known public websites. This triggered a period of intense cooperation, cooperation between the public and the private sector. It was a period where previously designed crisis management processes and institutions were put to the test, where important decisions were made on facts, on authority, but also on trust, and often within very short periods of time. At the time I had the professional opportunity to join the effort to address and mitigate the incident, first hand at the National Crisis Center in The Netherlands. The incident called for an inventory and investigation into the use of digital certificates issued by DigiNotar, as this Certificate Authority was also used by the Dutch government for its services to the public, but also for server-to-server and automated processes. After the scale of the impact became clear on the night of Friday September 2nd, most of the affected processes were quickly identified by the government during the following weekend. However, some dependencies only turned up after several days. The end view was that the incident in its worst case could have severely impacted society and the economy in The Netherlands, and not so much because of the risk to citizen/government communication, but more so because of the server-to-server communication. The domains the government identified where disruptions would cause the most impact included:
- processes in the chain of justice, from officers in the field to court orders;
- processes in the public sector, including access to key base administrations and all public e-services;
- the welfare system, for payments and verifications.
In answer to questions from the media, the minister recommended that "users who wanted to be certain of secure communication with the government use pen and paper".
I am not looking to single out an individual statement. Rather it is a testimony to the stress of the moment, and even more so to the general thinking about ICT and the digitization of the economy and society. Not enough people had realized that over the years the top position on most of the international ICT statistics had its consequences. And not all consequences had been readily visible. The Netherlands compiled its existing programs and initiatives, its planned initiatives and strategies, and we are now quite proud of our public and private cooperative model of the National Cyber Security Center.
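The inventory step described above, finding every service whose certificate chains to the breached CA before that CA is distrusted, can be illustrated in code. The following Go program is an added example and is not code from the original talk or from the Dutch government's actual investigation. It constructs its own miniature scenario: two made-up root CAs ("Example Trusted Root CA" and "Example Breached Root CA"), three made-up service names, and a trust store before and after the breached CA is removed. Verifying each service certificate against the reduced trust store lists exactly the dependencies that would break, which is the kind of list that only turned up after several days in the real incident.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Service is one inventory entry: the name a service is reached under and
// the certificate it presents. All entries in this example are constructed.
type Service struct {
	Name string
	Cert *x509.Certificate
}

var serial int64 // simple serial-number counter for the constructed certificates

// issue creates a certificate for cn. With parent == nil it is a self-signed
// root CA; otherwise it is a server certificate signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Affected verifies every service certificate against the given trust store
// and returns the names of the services whose chain no longer validates.
// Run it with the breached CA removed from the store to get the list of
// dependencies that need a new certificate before the CA is distrusted.
func Affected(services []Service, trusted *x509.CertPool) []string {
	var failing []string
	for _, s := range services {
		opts := x509.VerifyOptions{
			Roots:     trusted,
			DNSName:   s.Name,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		if _, err := s.Cert.Verify(opts); err != nil {
			failing = append(failing, s.Name)
		}
	}
	return failing
}

// BuildInventory constructs the scenario: two root CAs, three services, and
// the trust store before and after the second CA is distrusted. CA and
// service names are made up for this example.
func BuildInventory() (services []Service, before, after *x509.CertPool) {
	goodRoot, goodKey := issue("Example Trusted Root CA", nil, nil)
	breachedRoot, breachedKey := issue("Example Breached Root CA", nil, nil)
	portal, _ := issue("portal.example", goodRoot, goodKey)       // citizen-facing site
	api, _ := issue("api.example", breachedRoot, breachedKey)     // server-to-server link
	batch, _ := issue("batch.example", breachedRoot, breachedKey) // automated process
	services = []Service{{"portal.example", portal}, {"api.example", api}, {"batch.example", batch}}
	before = x509.NewCertPool()
	before.AddCert(goodRoot)
	before.AddCert(breachedRoot)
	after = x509.NewCertPool() // the same store with the breached CA removed
	after.AddCert(goodRoot)
	return services, before, after
}

func main() {
	services, before, after := BuildInventory()
	fmt.Println("failing with the breached CA still trusted:", Affected(services, before))
	fmt.Println("failing once the breached CA is distrusted: ", Affected(services, after))
}
```

In a real inventory the Service list would be filled from a scan of the services an organization actually runs (including the automated, server-to-server ones), and the "after" pool would be the production trust store with the breached CA's roots taken out; the verification step itself is the same.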
At Microsoft, maybe we experienced something similar in 2002. We experienced a wake-up call, a wake-up call that was subsequently documented in a memo from Bill Gates. It addressed the need for 'trustworthy computing' at Microsoft, but maybe more importantly, in the whole industry. We increasingly realized that there were consequences to the success of ICT, to the adoption of digital technology and the internet. One of the key actions was that people should feel justified in 'trusting' the use of their computing. The Trustworthy Computing group was founded and recently celebrated its 10 years of existence. TwC does not make or sell products. Its role is to influence and do security, privacy and reliability work both inside and outside the company. A few progress points to highlight are:
- The Security Development Lifecycle, a process for baking security into code, an approach that more and more companies are adopting and adapting to meet their own specific needs
- Expansion of global capability for malware detection
- The Security Intelligence Report, published last week in its 13th edition
- Founding member of the Cloud Security Alliance
- The expansion of our security response center to encompass cloud services, so that customers receive up-to-date information on any threats at play
And we have seen challenges such as the rise of hacktivism, which has contributed to cybersecurity increasingly being a political and broader societal concern. What has remained constant over the years is the evolution, sophistication and pervasiveness of cyber attacks in our daily professional and personal lives. Solutions will require action on many fronts.
Organizations are taking action for themselves. For example Microsoft, with one of the world's largest infrastructures and IT deployments. Microsoft protects our 190,000 end users and 8 global datacenters for our own IT use, with a focus on business enablement, risk management, and operational and technical excellence, using the same security fundamentals and technology innovations that we deliver to our customers in our platforms, solutions, and services. At Microsoft, the CISO reports to the CIO. We look at security by four domains: Risk Management, Business Enablement, Technical Excellence and Operational Excellence. Most security organizations are mature and skilled in Technical Excellence and Operational Excellence. Where we need to grow and mature is in Risk Management and Business Enablement. Risk Management: we need to be able to make informed, risk-based decisions. Business Enablement: the IT department needs to invest in raising the bar on IT controls and on employee empowerment. It is a balancing act, and the safety net is called risk and compliance. This balance is no different from what we have dealt with as IT for years. The difference between now and 10 years ago is that employees are more educated and driven, and the products are simpler. Security needs to support the business: instead of saying "no", say "how". We are quite transparent about our actions, and many documents and testimonials are available from Microsoft's own IT department. And it is not only our own digital security that we are concerned about and protecting. For example, I am sure you are well aware of the actions taken by our Digital Crimes Unit in fighting botnets.
And you may also be aware of our Security Intelligence Report, published last week in its 13th edition. It includes a worldwide and regional threat assessment, guidance for mitigation, and risk indicators. The report provides insight into the current threat landscape: intelligence that you can use to defend your organisation and the crown jewels of our digital economy, data. Edition 13 covers the first half of this year and contains detailed analysis of threat trends, and mitigations to cope with them, both globally and in detail across 105 regions.
We looked at exploits in the latest Security Intelligence Report to see what trends we saw. Often exploits reflect the focus or research areas of those developing malware. For years, the OS was the focus. Then we started to see the focus move up the stack to applications. So the question we asked was: are we seeing that focus now move to the web technologies? The answer clearly was "yes". Looking at exploits, we found that the top exploits were dominated by HTML and Java exploits. In terms of prevalence of actual exploits detected in the period, HTML and Java exploits were detected 6 times as often as OS exploits. 7 of the top 10 exploit families were Java or HTML exploits. So, with these indicators, the data and trends indicate that the malware ecosystem is focusing increasingly on web-related technologies, the very technologies used to implement or consume many cloud services, and also used in many smart networked environments. Recently we also published our findings on infections that make it very early into a supply chain. The attacker ecosystem has not only moved up in the technology stack.
The learnings from 10 years of Trustworthy Computing, international cooperation, our partners, and more, we have worked into a Reference Architecture for Smart Energy. Electricity is considered a critical component of modern society because its failure or outage quickly affects commerce, transportation, and even basic survival. Security considerations are of utmost concern for the transformation of the current utility network to a Smart Energy Ecosystem because of the mission-critical nature of the grid and generation infrastructure. Regulatory authorities and the industries themselves have intensified their focus on security due to the increased complexity of computing environments and the growing sophistication of attacks, which seem to occur almost daily. Concerns have been heightened due to several high-profile events demonstrating system breach and, in some cases, improper and unauthorized operation of control systems. As might be expected due to the importance of utilities to functioning economies and even the very social fabric enabling human life, national governments consider their country's energy assets as critical infrastructure that must be guarded like their very lands and resources. As such, they are taking bold, significant steps to ensure that utilities amplify their attention to security. National regulatory initiatives require concerted attention to the following three types of security:
- Physical security
- Operational security
- Cyber security
In the past, the utility's control of field equipment was channeled through closed, proprietary communication infrastructures. While secure, the closed system may have served to shut out innovative opportunities that would improve operating efficiencies. The smart grid movement could be described as working to change that. Now, utilities are using open and standards-based infrastructures to control their devices.
While openness and interconnection offer great benefit to businesses and users alike, they also give those who would seek to disrupt their operation, for whatever reason, even greater opportunity to access networks and devices. Open systems enable a greater data-driven understanding of what is occurring on an energy infrastructure. Each new innovation has come with a bolt-on, add-on type of security measure. That may be a bit like building a house of glass: the views are great from the inside, but everyone on the outside might also endeavor to take a look. An option is to mount blinds, a superficial barrier detracting from the original design and deflecting only glancing attacks. The implementation of security measures must be considered holistically across the entire system and throughout that system's entire lifecycle, from inception through adaptation/implementation and even to disablement. Microsoft continues to work with partners to reduce utility-industry-specific vulnerabilities.
Based on this strategy of working cooperatively with industry, partners and governments, but also more than that, building on our actual experiences here in The Netherlands, Microsoft presents an evolutionary curve for cyber security policy and partnership. In this curve, public-private partnership models are recommended for risk and resiliency at the national level, and for governance, norms (standards) and harmonization at the international level.
I thank you for your attention, and I am available for your questions via email to hans.bos@Microsoft.com. Thank you.
2012-10-15 On Trustworthy Computing in the context of Energy