Cybersecurity: Cornerstone of a Safe, Connected Society
Tyson Storch*
Trustworthy Computing
Microsoft Corporation
March 9, 2012
* This paper benefited from several reviewers who provided substantive comments and helped to shape this paper.
Please see Appendix B for a list of contributors.
Contents
Part I: Introduction ..... 3
Part II: What is Cybersecurity? ..... 3
Part III: Microsoft’s Approach ..... 5
  A. Understanding the Threat Landscape ..... 6
    1. Cyber Attack - Motivations ..... 6
    2. Cyber Attack - Basic Avenues ..... 7
  B. Microsoft’s Risk Management Approach ..... 7
    1. Enhancing Secure Product Development to Address Product Vulnerabilities ..... 8
    2. Enhancing Security for the Supply Chain ..... 8
    3. Enhancing Operational Security ..... 10
    4. Enhancing Security against Social Engineering ..... 11
Part IV: Emerging National Approaches to Cybersecurity ..... 12
Part V: Collaborative Approaches for Advancing a More Secure Cyberspace ..... 13
  A. Coordinated National Cybersecurity Strategy ..... 13
  B. Flexible and Agile Risk Management ..... 14
  C. Innovative Information Sharing ..... 15
  D. International Implications ..... 16
Part VI: Conclusion ..... 17
Part I: Introduction
Cybersecurity is the cornerstone of a networked world. Over the next few years, the world will
see an unprecedented growth in Internet users, devices and data which will create vast
opportunities and equally daunting challenges. For government policymakers, who are the main
focus of this paper, such challenges include protecting public health and safety, economic
security, and national defense, all of which are core to managing a modern nation.
Microsoft’s experience in managing cybersecurity risks for more than one billion customers has
given us insight and perspective into current and future challenges. As Microsoft marks a
ten-year milestone of Trustworthy Computing, our commitment to greater security, privacy and
reliability continues to emphasize partnerships with governments, enterprises and citizens.
Working together, in a more connected society, we can build a safer, more trusted computing
experience.
This paper 1) discusses Trustworthy Computing’s approach to cybersecurity, 2) makes
observations on emerging national approaches and 3) provides recommendations to
government policymakers on approaches to consider when developing policies and practices to
address key cybersecurity concerns. Central to the success of these efforts will be coordinated
national cybersecurity strategies, flexible and agile risk management, and information sharing in
a global context.
Part II: What is Cybersecurity?
Cybersecurity encompasses many different concepts, from information security to operational
security to computer system security. Cybersecurity also means different things to different
audiences. For individual citizens, it is about feeling safe, and protecting their personal data and
privacy. For enterprises, cybersecurity is about ensuring the availability of critical business
functions and the protection of confidential data by maintaining operational and information
security. For governments, it is about protecting citizens, enterprises, critical infrastructure, and
government computer systems from attack or compromise. While definitions vary, cybersecurity
essentially represents the collective activities and resources that enable citizens, enterprises and
governments to meet their computing objectives in a secure, private, and reliable manner.
For government policymakers, such objectives include protecting public health and safety,
economic security and national defense, which are core to managing a modern nation. Today,
Information and Communications Technology (ICT) are essential underpinnings of modern
society and how governments manage public services, economic growth and national security.
For example, in the European Union, the ICT sector is directly responsible for five percent of
gross domestic product.1 Perhaps more important, is ICT’s impact on other sectors, which
accounts for seventy five percent of the overall economic impact of the Internet.2 ICT can help
fulfill key government objectives, such as economic stability, safety, freedom, social stability,
public safety, and education, all of which can lead to improving a nation’s overall well-being and
quality of life for its citizenry.
At the same time, ICT dependence carries with it an evolving set of risks. A wide range of actors
- from nation-states to highly sophisticated and well-funded criminal organizations to loosely
affiliated groups of “hacktivists” - are focusing their energies on exploiting and attacking an
increasingly networked environment. These raise new challenges for policymakers, including the
ability for attackers to strike from afar and to do so anonymously and at the speed of light (a
keystroke takes one hundred fifty milliseconds to travel around the world); a proliferation of
mobile devices, which may lag behind traditional personal computers, and less portable devices
in terms of security; and an increase in the number of worldwide Internet users, who through
their own practices, can create new points of vulnerability.
Given these dynamics, cybersecurity will continue to be a necessary cornerstone for the ICT
sector overall to maintain its role as an engine of innovation, growth, jobs and social
development. As cyberspace continues to evolve, and as ICT influence on every sector of the
economy continues to grow, so too must cybersecurity as new environments and threats
emerge. Indeed, because threats and technologies have the potential to evolve much faster
than the regulatory processes, government and industry must work together to develop
appropriate frameworks that will allow cybersecurity solutions to keep pace with the dynamic
threat environment, while also enabling innovation. One important way to keep pace with the
changing threat environment is to ensure that government and industry are focused on
outcome-based results, in addition to the process to deliver them. In short, it is about
advancing risk-based security rather than “check-the-box” compliance.
1 See the European Commission Communication: A Digital Agenda for Europe, COM (2010) 245.
2 See the McKinsey Global Institute report: Internet matters: The Net’s sweeping impact on growth, jobs and prosperity (2011).
Part III: Microsoft’s Approach
We recommend policymakers consider Microsoft practices, discussed in this Part III, as they
develop their own policies and practices for their citizens. As Microsoft recently marked a
ten-year milestone of Trustworthy Computing, we recognize that our commitment to greater
security, privacy and reliability3 in our products and services is more important than ever. Our
experience in managing cybersecurity risks has given us perspective and insight into current and
future challenges that government policymakers face as they work to build strategies, plans, and
regulations related to cybersecurity. For example, we have developed methodologies and tools
such as the Security Development Lifecycle (SDL), which helps reduce vulnerabilities in our
products, and defensive capabilities, like those developed by the Microsoft Security Response
Center, which help ensure we can respond efficiently when new vulnerabilities or attack vectors
are identified. These efforts have had measureable, positive impact on the security profile of our
products and services. Microsoft works across the security industry and IT ecosystem. We
collaborate with policymakers, technical and business leaders, standards bodies and advocacy
groups, such as SAFECode,4 to champion security innovation and improve computing
experiences for everyone.
What follows below is a brief overview of Microsoft’s risk management approach, including
understanding the evolving threat landscape and applying this knowledge to help reduce the
attack surface of our products and services. While risk may never be completely eliminated, it
can be managed (e.g., accepted, transferred or mitigated). Even though risk management may
not be new to governments, cybersecurity presents significantly different challenges and many
of our experiences and practices can benefit governments, enterprises and citizens as they seek
to better understand and manage their respective cybersecurity risk.
3 While this paper does not specifically address privacy or reliability, they are also core Trustworthy Computing pillars. For more
information on privacy and reliability, see the Trustworthy Computing site.
4 See Software Assurance Forum for Excellence in Code at www.safecode.org.
A. Understanding the Threat Landscape
As governments work to advance their national security goals through effective cybersecurity,
understanding key motivations and avenues of attack is essential to effectively and efficiently
applying resources to realizing those goals and minimizing risk.
1. Cyber Attack - Motivations
In his white paper Rethinking the Cyber Threat - A Framework and Path Forward, Scott Charney5
outlines motivations for cyber attacks into four main categories:
 Cybercrime captures the largest numbers of actors (from juveniles to repeat offenders) and
the largest number of motives and actions (from committing complex fraud to significantly
damaging an IT system in a non-warfare context).
 Economic espionage involves penetrating companies and other organizations to steal
intellectual property, trade secrets, or other high-value data. Economic espionage appears
to be practiced by bad actors working on their own, as well as government-sponsored actors
working on behalf of countries who support domestic industries by stealing the intellectual
property created in other nations (or fail to act when a domestic company steals information
from its foreign competitors). In this category, governments clearly have philosophical
differences about what constitutes acceptable behavior. For example, many countries believe
that businesses should compete on a level playing field, and that legal systems should
protect the right of those who develop new ideas to monetize them. Another area of
philosophical dispute, and one that is even more challenging than economic espionage,
relates to freedom of speech.
 Military espionage relates to the allegations that a national government intrudes and
exfiltrates data from another national government, e.g., from government agencies and/or
the military industrial base. Without diminishing the seriousness of these allegations, it is
important to recognize that military espionage has been occurring from time immemorial,
and that some victims of military espionage may be engaged in such espionage activities
themselves.
 Cyber warfare is a particularly difficult area because the Internet is a shared and integrated
domain. In the physical world, it is easier to separate military from civilian targets. The
Internet does not permit such clean demarcations.
No matter the motivation, cyber attacks present significant challenges because the Internet
permits a potentially anonymous and untraceable individual with virtually no resources to
threaten key operations of a national government or enterprise, putting citizen safety and
economic security at risk.
5 Scott Charney is Corporate Vice President, Trustworthy Computing, at Microsoft.
2. Cyber Attack - Basic Avenues
In addition to motive, it is important for government policymakers to understand four potential
avenues that bad actors could use for attacks:6
 Product Vulnerabilities. The first area attackers may focus on is vulnerabilities that are
introduced while the product is being made. As ICT products are increasingly complex and
made by humans, they will never be perfect. Attackers can attempt to exploit vulnerabilities
in hardware and software, including the operating system, applications, and services.
 Supply Chain, Including Product Integration and Delivery. The second area attackers
might target is to introduce vulnerabilities into the product or service that is received by the
customer. We commonly refer to these as supply chain issues, and they include attacks on
product suppliers and subcontractors, malicious insiders, and non-genuine products that
could be tampered with in transit or during deployment to the customer.
 Operational Security. Once the product is produced and safely delivered to a customer’s
hands, an attacker looks at how it is deployed and the policies that are being used, searching
for weak spots in an organization’s operational security. Potential weak spots may be found
in a company’s failure to enforce least-privilege policies on the network, failure to require
strong passwords, application of software updates and security patches in a timely fashion
or a lax hiring process.
 Social Engineering. As security improves in products and services, we see social engineering
becoming the attack route of choice. Cyber attackers are getting more adept at creating
plausible e-mails that deliver malicious code. For example, some pose as IT staff and ask for
passwords. Once viewed as only a component of operational security, defending against
social engineering and the emergent engineering efforts to mitigate it are now recognized
by Microsoft as a distinct domain.
B. Microsoft’s Risk Management Approach
In response to the cyber attack avenues outlined above, Microsoft manages risks through an
ongoing effort to enhance secure product development, supply chain security risk management
practices, and operational security, as well as understanding social engineering. Building on
various internal risk management programs and methods, including maturity models, risk
profiling and assessment tools, Microsoft seeks to continually improve the efficiency and
effectiveness of its risk management approaches. Microsoft shares those practices with industry
and policymakers as appropriate.
6 Matt Thomlinson, General Manager, Trustworthy Computing, Microsoft, spoke of the four areas attackers can focus on. See keynote
address presented at the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011.
1. Enhancing Secure Product Development to Address Product Vulnerabilities
From the inception of a product at Microsoft, we apply rigorous processes and tools to reduce
vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during
development and has proven its ability to increase the security of software. We have made the
SDL process and many of our tools available for others, downloadable at
http://microsoft.com/SDL.7
The SDL has delivered results by reducing product vulnerabilities and raising the costs of an
attack. Indeed, we see attackers moving away from Microsoft products as they get harder to
attack. In the August 2011 edition of the IT Threat Evolution report,8 none of the top 10 software
vulnerabilities involved Microsoft products. Many governments and enterprises are now
applying the SDL to their in-house software and services development efforts.9
We also invest in mitigations so that if an attacker discovers a software vulnerability, it is much
more difficult for an attacker to use. These mitigations, such as Address Space Layout
Randomization,10 included in Windows Vista and later product versions, are built in and most are
enabled within the operating system by default. While one may not notice them when using a
computer, they help to limit the attack surface.
Finally, it is important to apply software updates to quickly respond to issues and decrease the
likelihood of attacks against known vulnerabilities. Microsoft works hard to make these updates
timely, easy to install and reliable.
2. Enhancing Security for the Supply Chain
Taking efforts to secure Microsoft’s supply chain is a part of our approach to risk management,
and should be a standard practice for governments as well. The amazing global transformation
of the last few decades is the product of global free trade and ICT innovation. However,
governments worldwide have begun to express concerns about the threat to their ICT systems
from the global supply chain for ICT products. These concerns are based on the risk that an
adversary might tamper with products during their development, manufacture, production or
delivery. In response to these concerns, some governments have begun to develop policies and
requirements intended to mitigate these supply chain risks.
7 For a selected list of Microsoft resources, see Appendix A.
8 See “IT Threat Evolution: Q2 2011,” Kaspersky Labs, August 11, 2011.
9 See Defense Information Systems Agency, Application Security and Development Security Technical Implementation Guide (STIG),
version 2, release 1 (24 July 2008); see also Microsoft Whitepaper, “MidAmerican Energy Holdings Company uses Microsoft SDL to
make its Software More Secure,” March 2011.
10 For a general definition of ASLR, see https://secure.wikimedia.org/wikipedia/en/wiki/Address_space_layout_randomization
Microsoft understands these concerns. In a world of diverse and competing economic, political,
and military interests, no country wants to be dependent on products and services that may be
tainted by an adversary.
For both governments and vendors who support them, like Microsoft, the challenge of
managing supply chain risk is also compounded by complexities inherent in the supply chains
themselves. The supply chains that support the delivery of information and communications
products and services consist of globally-distributed and dynamic collections of people,
processes and technologies that encompass numerous hardware and software components. The
risks, therefore, are not subject to easy quantification and remediation; it is difficult to know
whether a process, hardware component, or a complex piece of software has been subject to
malicious manipulation or modification because available testing capabilities cannot provide
satisfactory answers to that question.
In 2011, Microsoft published two white papers on cyber supply chain risk management. The first
white paper Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and
Trust, presents a set of key principles to enable governments and vendors to manage supply
chain policies more effectively. The second paper, Toward a Trusted Supply Chain: A Risk-Based
Approach to Managing Software Integrity, provides a framework for the pragmatic creation and
assessment of Software Integrity risk management practices in the product development
process and online services operations.
While some countries are taking steps to reduce dependencies on foreign products and,
arguably, to support domestic innovation, Microsoft believes national policies codifying
preferences for domestic suppliers create trade barriers, undermine foreign investment, and
deprive domestic industry of the benefits of technological innovations from elsewhere in the
world. The question becomes, therefore, “how do countries protect national security interests
without inappropriately undermining the value produced by a global supply chain?” The answer
to that question requires understanding the elements of the trust problem and formulating a
meaningful and workable framework for addressing supply chain risks.
We recommend that when developing a national risk management approach for supply chain
issues, governments consider four guiding principles for their supply chain efforts: (1) that they
are risk-based, utilizing collaboratively developed standards; (2) transparent; (3) flexible; and (4)
reciprocal.11
3. Enhancing Operational Security
Strong operational security and use of best practices are essential elements of any risk
management approach, and critical components for any government to consider. As noted
above, attackers often focus on finding deployment issues such as unpatched or misconfigured
computers and weak passwords. Computers that unintentionally connect a corporate or
government network to the Internet, or run unapproved file-sharing software that makes
internal documents publicly available are another favorite method of attack. Operational security
risks can be managed by the use of best practices, including enforcing strong security policies,
aggressively updating software, monitoring your network for threats, employing
defense-in-depth and ensuring your enterprise has incident response procedures.
Microsoft’s patch management system, with its automated releases for the second Tuesday of
each month, was designed to enhance operational security, by having standard, predictable
releases of software patches on a monthly basis. Additionally, it highlights whether the updates
are of critical or moderate concern and provides prescriptive guidance for our customers on
when to deploy them.
The importance of solid operational security measures, such as staying current with security
updates is a critical component of any government’s risk management practice. We tracked the
exploitation of Microsoft Office vulnerabilities in Volume 8 of our Security Intelligence Report
(SIR). It showed the effectiveness of staying up-to-date on new software versions, with the
finding: “If the Office 2003 RTM users in the sample had installed SP3 and no other security
updates, they would have been protected against 96 percent of observed attacks; likewise,
Office 2007 RTM users would have been protected from 99 percent of attacks by installing SP2.”
Operational security can be enhanced by the use of best practices, including the following:
 Architect for Containment. In the modern threat landscape that includes persistent and
determined adversaries, attackers will attempt to penetrate a computer system stealthily and
then leverage the fact that a hard perimeter, once defeated, reveals a soft interior that can
be navigated easily for long periods of time.12 This being the case, the security strategy
deployed for blunting threats through prevention and response now needs to extend to
containment (e.g., network segmentation, limiting user access to least privilege) to ensure
that, if part of a network is compromised, the adversary is well contained.
 Employ defense-in-depth. Network defenses should be deep, integrating multiple,
overlapping, and mutually supportive defensive systems. Defense systems should include
firewalls, gateway antivirus protection, intrusion detection, intrusion protection systems, and
Web security gateway solutions.
 Aggressively update. An aggressive security update program is essential. Operating
systems, applications, and browser plug-ins should be updated whenever new code is
released. Automated security update deployment should be used whenever possible to
maintain up-to-date protection across the organization. Additionally, security
countermeasures, including virus definitions and intrusion prevention, must be updated
continually.
 Monitor for threats. Proactively monitor infrastructure for network intrusions, malicious
code propagation attempts, suspicious traffic patterns, attempts to connect to known
malicious or suspicious hosts, and attempts to spoof trusted web sites. It is also important to
remain constantly aware of new vulnerability threats and adhere to remediation guidance.
 Ensure proper incident response procedures. Proper incident response should be an
integral part of an overall security policy and risk mitigation strategy. This should involve
proactively creating incident response plans, and assembling an incident response team.
11 See Microsoft Whitepaper, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, by Scott
Charney and Eric T. Werner, July 2011, p. 9.
12 See Microsoft Whitepaper, Trustworthy Computing Next, by Scott Charney, February 2012.
While the section above recommends practices that are important for core operations, they may
not protect users from themselves. Governments and enterprises will need to work together to
create practices for effectively educating users about the dangers of social engineering, as well
as identifying best practices for making products more robust against social engineering
techniques.
4. Enhancing Security against Social Engineering
Sometimes users make poor choices that compromise the security of their devices and data;
when these are directed by an attacker, we call that social engineering. Social engineering
attacks can be difficult to protect against, because it is hard to protect against the legitimate
actions of a misguided user.
Education is a key part of defense. Organizations should raise awareness of these threats and
provide training to help spot and prevent social engineering. For example, users should be
suspicious of communications from unknown parties, particularly those that include
attachments, as well as URLs served on social media sites that promise rewards or other unusual
opportunities. Web browser URL reputation solutions, such as Internet Explorer’s SmartScreen,
can help by blocking known malicious sites or downloads. Organizations can also protect users
from their own actions by instituting best practices such as:
 Using encryption. Encryption should be used to protect sensitive data, including drive
encryption like Windows BitLocker to secure data should a computer be stolen or simply
lost.
 Enforcing an effective password policy. Ensure passwords or passphrases are at least eight
to ten characters long and include a mixture of letters and numbers. Users should be
encouraged to avoid re-using the same passwords on multiple web sites, and sharing
passwords with others. Passwords should be changed at least every ninety days.
 Applying least privilege accounts and software restriction policies as appropriate.
Microsoft continues to invest in research, innovation and development designed to reduce
product vulnerabilities, improve supply chain risk management, enhance operational security
and advance security related to social engineering attacks. As discussed below, nations are
striving to improve cybersecurity and recognize its importance to their critical objectives, such as
promoting economic and national security as well as citizen safety and innovation.
Part IV: Emerging National Approaches to Cybersecurity
In order to meet its national objectives, it is critical for a government to develop cybersecurity
capabilities as part of its national security plan. This can help spur other benefits, too. For
example, government leadership and policies that develop capabilities to enhance cybersecurity
can help improve citizen safety, develop a skilled workforce capable of protecting critical
infrastructure, improve commerce and investment as a result of greater confidence in the
security of the underlying infrastructure, and ultimately create new jobs and communities that
contribute to improved quality of life.
In recognition of the benefits for secure ICT, some governments have begun to build a series of
complementary plans and programs to address these requirements. According to the
International Critical Information Infrastructure Protection Handbook, over twenty nations have
developed critical information infrastructure protection policies.13 The United Nations Institute
for Disarmament Research (UNIDIR) notes that thirty-three states have developed cyber
strategies related to defense.14 The Organization for Economic Cooperation and Development
has also been tracking the emergence of national identities tied to increasing cybersecurity and
recently published a report highlighting findings from eighteen countries that either have or
plan to develop a national strategy for identity management.15 Looking across the emerging
landscape of government strategies we find common elements, including:
 Identity and Access;
 Software and Systems Assurance – including supply chain risk management;
 Compliance and Monitoring;
 Data Protection;
 Resiliency and Risk Management; and
 Response.
13 International CIIP Handbook 2008/2009, Andreas Wenger, Victor Mauer, and Myriam Dunn Cavelty, Center for Security Studies,
ETH Zurich.
14 United Nations Institute for Disarmament Research (UNIDIR), Cybersecurity and Cyberwarfare, Preliminary Assessment of National
Doctrine and Organization, p. 3 (2011).
In addition to these elements, many governments are also looking to use cloud services because
they increase innovation and reduce costs in delivering services, and are asking how to
incorporate cloud services into a national cyber security strategy. Not surprisingly, governments
are concerned about security and sovereignty issues related to the cloud. Governments are
working with the private sector to identify and manage these risks, including efforts like the
Cloud Security Alliance, which seeks to promote the use of best practices for providing security
assurance within cloud computing and to provide education on the uses of cloud computing to
help secure all other forms of computing.
Part V: Collaborative Approaches for Advancing a More Secure
Cyberspace
There are four key factors that a government should consider carefully to improve its
cybersecurity profile in the near-term and promote innovation and leadership in the long-term.
These include a national, coordinated cybersecurity strategy; a flexible and agile cybersecurity
risk management approach; appropriate information sharing capabilities; and international
implications (i.e., reciprocity) of any resulting policies or practices.
A. Coordinated National Cybersecurity Strategy
Governments must have a clear, coordinated and actionable cybersecurity strategy designed to
ensure national security, economic security, and public safety, and to ensure delivery of critical
services to its citizens. Importantly, each government must ensure that its cyber policies are
technology neutral and do not stifle innovation. Technology neutral policies do not promote,
require, or otherwise advance a particular technology product or set of products to the
exclusion of others; rather they identify desired outcomes and allow the marketplace to find the
most innovative way to achieve those outcomes. In addition, governments must integrate and
harmonize their cyber policies, recognizing that actions each government takes will have
ramifications beyond its individual borders. Policymakers must be mindful of the global import
of their actions and ensure that competing interests are balanced appropriately.
15 Organization for Economic Cooperation and Development, OECD (2011), “National Strategies and Policies for Digital Identity
Management in OECD Countries”, OECD Digital Economy Papers, No. 177, OECD Publishing, p. 4.
http://dx.doi.org/10.1787/5kgdzvn5rfs2-en
B. Flexible and Agile Risk Management
Any framework designed to manage cybersecurity risk must be flexible enough to permit future
improvements to security, an important point since cyber threats evolve over time.
Governments, enterprises, and citizens depend on the information infrastructure and the data
that IT systems contain, and there are often no alternative physical means to perform core
functions. Yet, as discussed above, the information infrastructure faces a myriad of ever-changing cyber threats. Risk management is the appropriate approach to improve the security
of the ICT systems on which we all depend. There are simply not enough resources or time to
address all the risks we face.
While risk management is a well understood discipline, managing cyber risks is particularly
difficult, especially in government environments. This is because cyber risks are complex; the
infrastructure and information systems are varied and distributed; it can be difficult to quantify
risks and the value of potential mitigations; and it is important that we not hinder innovation
and agility. Therefore, while governments and enterprises must continue to anchor approaches
to securing the information infrastructure in risk management, they must also evolve how that
discipline is applied to better address the unique nature of cyber risks. When doing so, it is
important to note that government and industry should strive to ensure that their approach is
appropriately scoped to address pressing national security and public safety concerns, and
remain sufficiently flexible and agile to enable organizations to manage risk in a dynamic cyber
threat environment.
In managing cyber risk for information infrastructure, government must balance dual, and often
interrelated, roles. First, as a public policy entity, the government is responsible for protecting
public safety, as well as economic and national security, and must consider which infrastructures
support those missions. National governments are also a large and widely distributed enterprise,
with countless globally distributed customers (e.g., citizens who want to connect with their
government), partners, operations, networks, and resources. Although distinct, the policy and
enterprise roles are not entirely separate, as each affects and informs the other. Government
and industry must be particularly careful when delineating the elements of the information
infrastructure that are truly critical to national security and public safety.
We recommend that governments work to ensure that the highest priority risks are addressed.
Microsoft believes each risk should be assessed to determine its severity, the consequences of a
successful exploit should be understood, and the likelihood of harm should be evaluated.
Appropriately identifying the systems and assets that should be addressed as priorities, as well
as the risks to be addressed, will enable both government and private sector leaders to better
secure the nation’s critical information infrastructure. Similarly, governments must create a risk
management framework that enables the necessary agility to respond to rapidly changing cyber
threats.16
It is important to understand that risk has historically been managed by focusing on “verticals”
(e.g., banking, health care), but information technology runs horizontally underneath all verticals.
A risk management model should (1) recognize this horizontal layer (that is, IT risks need to be
managed in common ways), but also (2) appreciate that verticals have unique requirements.
We therefore recommend a hybrid model that includes:
• A centrally managed horizontal security function to provide a foundation of broad policy,
security outcomes, and standards; and
• Vertical security functions resident in individual organizations to enable them to manage
their unique risks with agility.
This combination of horizontal and vertical functions ensures that minimum security goals and
standards are set, yet provides organizations with flexibility to manage the unique risks
associated with their operating environments.
C. Information Sharing
Successful risk management depends on effective information sharing. Information sharing
succeeds when it is targeted at solving specific problems and challenges. Information sharing
itself is not an objective but rather a tool, and sharing for sharing’s sake is not helpful. Threats
and risks are not best managed by sharing all information with all parties, but rather by sharing
the right information with the right parties (that is, parties who are positioned to take
meaningful action). Targeted information sharing also better protects sensitive information
(whether in the hands of the government or private sector), helps protect privacy, and actually
permits more meaningful sharing of data.
16 See “Written Testimony of Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft Corporation, Before the
Senate Committee on Homeland Security and Governmental Affairs Hearing on ‘Securing America’s Future: The Cyber-Security Act
of 2012,’” February 16, 2012, p. 4.
Microsoft recommends that governments, working with industry, create two complementary
information sharing capabilities: one focused on the most significant threats to a government’s
national security and public safety and another designed to enable greater automated
management of IT security compliance across the government’s enterprise.17
For example, a government could, in part, promote effective information sharing capabilities by:
• Exchanging technical data with rules and mechanisms that require both sides to protect
sensitive data;
• Analyzing the risks holistically and developing strategies to manage those risks; and
• Developing cyber threat and risk analytics as a shared discipline.
For any such governmental organization to achieve success, it needs to have the right legal
environment, including legal protections, for such information sharing and action, and it must
itself share sensitive and actionable information with the private sector.
D. International Implications
As cybersecurity becomes an increasingly important foundation of an interconnected world,
governments must remember that domestic cybersecurity policies now have international
implications. While it is important that governments appropriately develop policies and
regulations to address Identity and Access, Software and Systems Assurance, Compliance and
Monitoring, Data Protection, Resiliency, Risk Management, and Response – all core cybersecurity
efforts – governments must also be aware that such policies are not created in a vacuum.
Regulations and requirements that are designed to protect a government, its enterprises and
citizens could in fact become an impediment to the government’s long term goals related to
innovation, economic development, as well as increased security itself. Just as trade
relationships are based upon the idea that opening markets in reciprocal ways can create
trading opportunities between participating countries, it must be recognized that creating
cybersecurity requirements that block market access may lead to similar “reciprocal” behaviors,
potentially fragmenting the Internet and denying people everywhere the benefit of the highly
innovative low-cost products that only a global supply chain can produce. As such,
governments should examine the potential implications of those policies in order to understand
potential issues related to reciprocity.
17 Ibid., p. 7.
Part VI: Conclusion
Over the next few years, the world will see an unprecedented growth in Internet users, devices
and data, which will create vast opportunities and equally daunting challenges. Cybersecurity is
the cornerstone of a networked world. Only through collaboration and appropriately evolving
practices like secure product development, supply chain security and operational security, can
we create more effective cybersecurity policies and practices. Such policies and practices will
help protect public health and safety, increase economic innovation, solidify national defense,
and secure the promise of our collective future. Working together, in a more connected society,
we can help ensure a safer, more trusted computing experience.
Appendix A – Selected Microsoft Security Resources
Since 2002, Microsoft has developed a rich set of resources that it shares openly with others
across the IT ecosystem to enhance the security of cyberspace. The following list provides more
information on some of the resources included in this white paper:
• Security Development Lifecycle. The SDL is a software development security assurance
process consisting of security practices grouped by seven phases: training, requirements,
design, implementation, verification, release, and response. Experience at Microsoft has
shown that security practices executed in chronological order have produced greater security
gains and cost benefits than ad hoc implementation. The SDL process is not specific to
Microsoft or the Windows platform and can be applied to different operating systems,
platforms, development methodologies, and to projects of any size. Microsoft makes the
SDL available to everyone.
• Microsoft Security Engineering Center. The MSEC helps to protect Microsoft customers by
delivering inherently more secure products and services, through the Microsoft Security
Development Lifecycle (SDL), comprehensive security assurance in software development
and state-of-the-art security science. MSEC addresses software security via three main
areas—Process, People, and Technology.
• Microsoft Security Response Center. The MSRC identifies, monitors, resolves, and
responds to security incidents and Microsoft software security vulnerabilities, twenty-four
hours a day, with a commitment to prevent worldwide incidents and create a safer, more
trusted Internet. The center manages a company-wide security update release process and
serves as the single point of coordination and communications. MSRC is tapped into a
worldwide network of security researchers and partners and closely monitors security news
lists and public forums.
• Microsoft Active Protections Program. With the vast majority of attacks targeting the
browser and application spaces rather than the operating system, communication and
collaboration among vendors is critical to improving the security landscape. Microsoft
works closely with both competitors and partners to address vulnerabilities. The Microsoft
Active Protections Program (MAPP) gives partners vulnerability information early so they
can build enhanced software protections for customers.
• The Microsoft Vulnerability Research Program helps secure software running on the
Windows platform by finding vulnerabilities in third-party software, communicating them
to the affected vendors, and helping those vendors implement security functionality built
into the Windows platform.
Appendix B – List of Contributors
In addition to the materials cited in the footnotes, this paper benefited from several
contributors, including substantive comments from Paul Nicholas, Eric Werner, Cristin Goodwin,
Angela McKay, Aaron Kleiner, Andrew Cushman, and Lori Woehler. Special thanks to all of you
for taking the time to review and provide feedback.
Cybersecurity: The Cornerstone of a Safe, Connected Nation
© 2012 Microsoft Corp. All rights reserved.
This document is provided "as-is." Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice. You bear the risk of using it. This document does not
provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this
document for your internal, reference purposes. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.