Cybersecurity: Cornerstone of a Safe, Connected Society
Tyson Storch*
Trustworthy Computing, Microsoft Corporation
March 9, 2012

* This paper benefited from several reviewers who provided substantive comments and helped to shape it. Please see Appendix B for a list of contributors.

Contents
Part I: Introduction
Part II: What is Cybersecurity?
Part III: Microsoft’s Approach
  A. Understanding the Threat Landscape
    1. Cyber Attack - Motivations
    2. Cyber Attack - Basic Avenues
  B. Microsoft’s Risk Management Approach
    1. Enhancing Secure Product Development to Address Product Vulnerabilities
    2. Enhancing Security for the Supply Chain
    3. Enhancing Operational Security
    4. Enhancing Security against Social Engineering
Part IV: Emerging National Approaches to Cybersecurity
Part V: Collaborative Approaches for Advancing a More Secure Cyberspace
  A. Coordinated National Cybersecurity Strategy
  B. Flexible and Agile Risk Management
  C. Innovative Information Sharing
  D. International Implications
Part VI: Conclusion

Part I: Introduction

Cybersecurity is the cornerstone of a networked world. Over the next few years, the world will see unprecedented growth in Internet users, devices and data, which will create vast opportunities and equally daunting challenges. For government policymakers, who are the main audience of this paper, such challenges include protecting public health and safety, economic security, and national defense, all of which are core to managing a modern nation.

Microsoft’s experience in managing cybersecurity risks for more than one billion customers has given us insight and perspective into current and future challenges. As Microsoft marks the ten-year milestone of Trustworthy Computing, our commitment to greater security, privacy and reliability continues to emphasize partnerships with governments, enterprises and citizens. Working together, in a more connected society, we can build a safer, more trusted computing experience.

This paper 1) discusses Trustworthy Computing’s approach to cybersecurity, 2) makes observations on emerging national approaches and 3) provides recommendations to government policymakers on approaches to consider when developing policies and practices to address key cybersecurity concerns.
Central to the success of these efforts will be coordinated national cybersecurity strategies, flexible and agile risk management, and information sharing in a global context.

Part II: What is Cybersecurity?

Cybersecurity encompasses many different concepts, from information security to operational security to computer system security. It also means different things to different audiences. For individual citizens, it is about feeling safe and protecting their personal data and privacy. For enterprises, it is about ensuring the availability of critical business functions and the protection of confidential data by maintaining operational and information security. For governments, it is about protecting citizens, enterprises, critical infrastructure, and government computer systems from attack or compromise. While definitions vary, cybersecurity essentially represents the collective activities and resources that enable citizens, enterprises and governments to meet their computing objectives in a secure, private, and reliable manner.

For government policymakers, such objectives include protecting public health and safety, economic security and national defense, which are core to managing a modern nation. Today, Information and Communications Technology (ICT) is an essential underpinning of modern society and of how governments manage public services, economic growth and national security. For example, in the European Union, the ICT sector is directly responsible for five percent of gross domestic product.[1] Perhaps more important is ICT’s impact on other sectors, which accounts for seventy-five percent of the overall economic impact of the Internet.[2] ICT can help fulfill key government objectives, such as economic stability, safety, freedom, social stability, public safety, and education, all of which can improve a nation’s overall well-being and the quality of life of its citizenry.
At the same time, ICT dependence carries with it an evolving set of risks. A wide range of actors - from nation-states to highly sophisticated and well-funded criminal organizations to loosely affiliated groups of “hacktivists” - are focusing their energies on exploiting and attacking an increasingly networked environment. These actors raise new challenges for policymakers: attackers can strike from afar, anonymously and at the speed of light (a keystroke takes roughly one hundred fifty milliseconds to travel around the world); mobile devices are proliferating and may lag behind traditional personal computers and other less portable devices in terms of security; and the number of Internet users worldwide is growing, and those users, through their own practices, can create new points of vulnerability.

Given these dynamics, cybersecurity will remain a necessary cornerstone if the ICT sector is to maintain its role as an engine of innovation, growth, jobs and social development. As cyberspace continues to evolve, and as ICT’s influence on every sector of the economy continues to grow, so too must cybersecurity, as new environments and threats emerge. Indeed, because threats and technologies can evolve much faster than regulatory processes, government and industry must work together to develop frameworks that allow cybersecurity solutions to keep pace with the dynamic threat environment while still enabling innovation. One important way to keep pace is to ensure that government and industry focus on outcome-based results, and not only on the process used to deliver them. In short, it is about advancing risk-based security rather than “check-the-box” compliance.
[1] See the European Commission Communication: A Digital Agenda for Europe, COM (2010) 245.
[2] See the McKinsey Global Institute’s report: Internet matters: The Net’s sweeping impact on growth, jobs and prosperity (2011).

Part III: Microsoft’s Approach

We recommend that policymakers consider the Microsoft practices discussed in this Part III as they develop their own policies and practices for their citizens. As Microsoft recently marked the ten-year milestone of Trustworthy Computing, we recognize that our commitment to greater security, privacy and reliability[3] in our products and services is more important than ever. Our experience in managing cybersecurity risks has given us perspective and insight into the current and future challenges that government policymakers face as they work to build strategies, plans, and regulations related to cybersecurity. For example, we have developed methodologies and tools such as the Security Development Lifecycle (SDL), which helps reduce vulnerabilities in our products, and defensive capabilities, like those developed by the Microsoft Security Response Center, which help ensure we can respond efficiently when new vulnerabilities or attack vectors are identified. These efforts have had a measurable, positive impact on the security profile of our products and services.

Microsoft works across the security industry and IT ecosystem. We collaborate with policymakers, technical and business leaders, standards bodies and advocacy groups, such as SAFECode,[4] to champion security innovation and improve computing experiences for everyone.

What follows is a brief overview of Microsoft’s risk management approach, including how we seek to understand the evolving threat landscape and apply that knowledge to reduce the attack surface of our products and services. While risk may never be completely eliminated, it can be managed (e.g., accepted, transferred or mitigated).
Even though risk management may not be new to governments, cybersecurity presents significantly different challenges, and many of our experiences and practices can benefit governments, enterprises and citizens as they seek to better understand and manage their respective cybersecurity risks.

[3] While this paper does not specifically address privacy or reliability, they are also core Trustworthy Computing pillars. For more information on privacy and reliability, see the Trustworthy Computing site.
[4] See the Software Assurance Forum for Excellence in Code at www.safecode.org.

A. Understanding the Threat Landscape

As governments work to advance their national security goals through effective cybersecurity, understanding the key motivations and avenues of attack is essential to applying resources effectively and efficiently toward those goals and minimizing risk.

1. Cyber Attack - Motivations

In his white paper Rethinking the Cyber Threat - A Framework and Path Forward, Scott Charney[5] groups the motivations for cyber attacks into four main categories:

Cybercrime captures the largest number of actors (from juveniles to repeat offenders) and the largest number of motives and actions (from committing complex fraud to significantly damaging an IT system in a non-warfare context).

Economic espionage involves penetrating companies and other organizations to steal intellectual property, trade secrets, or other high-value data. Economic espionage appears to be practiced by bad actors working on their own, as well as by government-sponsored actors working on behalf of countries that support domestic industries by stealing the intellectual property created in other nations (or that fail to act when a domestic company steals information from its foreign competitors). In this category, governments clearly have philosophical differences about what constitutes acceptable behavior.
For example, many countries believe that businesses should compete on a level playing field, and that legal systems should protect the right of those who develop new ideas to monetize them. Another area of philosophical dispute, and one that is even more challenging than economic espionage, relates to freedom of speech.

Military espionage relates to allegations that a national government intrudes into and exfiltrates data from another national government, e.g., from government agencies and/or the military industrial base. Without diminishing the seriousness of these allegations, it is important to recognize that military espionage has been occurring from time immemorial, and that some victims of military espionage may be engaged in such espionage activities themselves.

Cyber warfare is a particularly difficult area because the Internet is a shared and integrated domain. In the physical world, it is easier to separate military from civilian targets. The Internet does not permit such clean demarcations.

No matter the motivation, cyber attacks present significant challenges because the Internet permits a potentially anonymous and untraceable individual with virtually no resources to threaten key operations of a national government or enterprise, putting citizen safety and economic security at risk.

[5] Scott Charney is Corporate Vice President, Trustworthy Computing, at Microsoft.

2. Cyber Attack − Basic Avenues

In addition to motive, it is important for government policymakers to understand four potential avenues that bad actors could use for attacks:[6]

Product Vulnerabilities. The first area attackers may focus on is vulnerabilities introduced while the product is being made. As ICT products are increasingly complex and made by humans, they will never be perfect. Attackers can attempt to exploit vulnerabilities in hardware and software, including the operating system, applications, and services.

Supply Chain, Including Product Integration and Delivery.
The second avenue is to introduce vulnerabilities into the product or service before it reaches the customer. We commonly refer to these as supply chain issues; they include attacks on product suppliers and subcontractors, malicious insiders, and non-genuine products that could be tampered with in transit or during deployment to the customer.

Operational Security. Once the product is produced and safely delivered into a customer’s hands, an attacker looks at how it is deployed and the policies that govern it, searching for weak spots in the organization’s operational security. Potential weak spots include a failure to enforce least-privilege policies on the network, a failure to require strong passwords, a failure to apply software updates and security patches in a timely fashion, or a lax hiring process.

Social Engineering. As security improves in products and services, we see social engineering becoming the attack route of choice. Cyber attackers are getting more adept at creating plausible e-mails that deliver malicious code, and some pose as IT staff and ask for passwords. Once viewed only as a component of operational security, social engineering, and the emerging engineering efforts to mitigate it, are now recognized by Microsoft as a distinct domain.

B. Microsoft’s Risk Management Approach

In response to the attack avenues outlined above, Microsoft manages risk through an ongoing effort to enhance secure product development, supply chain security risk management practices, and operational security, as well as through its understanding of social engineering. Building on various internal risk management programs and methods, including maturity models, risk profiling and assessment tools, Microsoft seeks to continually improve the efficiency and effectiveness of its risk management approaches, and shares those practices with industry and policymakers as appropriate.
[6] Matt Thomlinson, General Manager, Trustworthy Computing, Microsoft, spoke of the four areas attackers can focus on in his keynote address at the North Atlantic Treaty Organization (NATO) Information Assurance Symposium 2011.

1. Enhancing Secure Product Development to Address Product Vulnerabilities

From the inception of a product at Microsoft, we apply rigorous processes and tools to reduce vulnerabilities. Our Security Development Lifecycle (SDL) is applied to every product during development and has proven its ability to increase the security of software. We have made the SDL process and many of our tools available to others, downloadable at http://microsoft.com/SDL.[7] The SDL has delivered results by reducing product vulnerabilities and raising the cost of an attack. Indeed, we see attackers moving away from Microsoft products as they get harder to attack: in the August 2011 edition of the IT Threat Evolution report,[8] none of the top 10 software vulnerabilities involved Microsoft products. Many governments and enterprises are now applying the SDL to their in-house software and services development efforts.[9]

We also invest in exploit mitigations so that if an attacker discovers a software vulnerability, it is much more difficult to use. These mitigations, such as Address Space Layout Randomization,[10] included in Windows Vista and later versions, are built into the operating system and most are enabled by default. While one may not notice them when using a computer, they make turning a discovered vulnerability into a reliable exploit considerably harder. One caveat for those deploying software: on Windows, these mitigations generally protect only binaries that opt in at build time (for example, an executable must be linked with /DYNAMICBASE for ASLR to relocate it), so applications that were not built with them remain easier to exploit.

Finally, it is important to apply software updates promptly, both to respond to issues quickly and to decrease the likelihood of attacks against known vulnerabilities. Microsoft works hard to make these updates timely, easy to install and reliable.

2. Enhancing Security for the Supply Chain

Securing Microsoft’s supply chain is part of our approach to risk management, and should be a standard practice for governments as well.
The amazing global transformation of the last few decades is the product of global free trade and ICT innovation. However, governments worldwide have begun to express concerns about the threat to their ICT systems from the global supply chain for ICT products. These concerns are based on the risk that an adversary might tamper with products during their development, manufacture, production or delivery. In response, some governments have begun to develop policies and requirements intended to mitigate these supply chain risks.

[7] For a selected list of Microsoft resources, see Appendix A.
[8] See “IT Threat Evolution: Q2 2011,” Kaspersky Lab, August 11, 2011.
[9] See Defense Information Systems Agency, “Application Security and Development Security Technical Implementation Guide (STIG),” version 2, release 1, 24 July 2008; see also the Microsoft whitepaper “MidAmerican Energy Holdings Company uses Microsoft SDL to make its Software More Secure,” March 2011.
[10] For a general definition of ASLR, see https://secure.wikimedia.org/wikipedia/en/wiki/Address_space_layout_randomization

Microsoft understands these concerns. In a world of diverse and competing economic, political, and military interests, no country wants to be dependent on products and services that may have been tainted by an adversary. For both governments and the vendors who support them, like Microsoft, the challenge of managing supply chain risk is compounded by the complexity of the supply chains themselves. The supply chains that deliver information and communications products and services consist of globally distributed and dynamic collections of people, processes and technologies that encompass numerous hardware and software components.
The risks, therefore, are not subject to easy quantification and remediation: it is difficult to know whether a process, a hardware component, or a complex piece of software has been subject to malicious manipulation or modification, because available testing capabilities cannot provide satisfactory answers to that question.

In 2011, Microsoft published two white papers on cyber supply chain risk management. The first, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, presents a set of key principles to enable governments and vendors to manage supply chain policies more effectively. The second, Toward a Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity, provides a framework for the pragmatic creation and assessment of software integrity risk management practices in the product development process and in online services operations.

While some countries are taking steps to reduce dependencies on foreign products and, arguably, to support domestic innovation, Microsoft believes that national policies codifying preferences for domestic suppliers create trade barriers, undermine foreign investment, and deprive domestic industry of the benefits of technological innovations from elsewhere in the world. The question becomes, therefore, “how do countries protect national security interests without inappropriately undermining the value produced by a global supply chain?” Answering it requires understanding the elements of the trust problem and formulating a meaningful and workable framework for addressing supply chain risks. We recommend that when developing a national risk management approach for supply chain issues, governments consider four guiding principles for their supply chain efforts: (1) that they are risk-based, utilizing collaboratively developed standards; (2) transparent; (3) flexible; and (4) reciprocal.[11]

3. Enhancing Operational Security

Strong operational security and the use of best practices are essential elements of any risk management approach, and critical components for any government to consider. As noted above, attackers often focus on finding deployment issues such as unpatched or misconfigured computers and weak passwords. Computers that unintentionally connect a corporate or government network to the Internet, or that run unapproved file-sharing software that makes internal documents publicly available, are another favorite avenue of attack. Operational security risks can be managed through best practices, including enforcing strong security policies, aggressively updating software, monitoring the network for threats, employing defense-in-depth and ensuring the enterprise has incident response procedures.

Microsoft’s patch management system, with its automated releases on the second Tuesday of each month, was designed to enhance operational security by making software patch releases standard and predictable. Each release also rates the severity of its updates (Critical, Important, Moderate or Low) and provides prescriptive guidance to customers on when to deploy them. Solid operational security measures, such as staying current with security updates, are a critical component of any government’s risk management practice. We tracked the exploitation of Microsoft Office vulnerabilities in Volume 8 of our Security Intelligence Report (SIR). It showed the effectiveness of staying up to date on new software versions, with the finding: “If the Office 2003 RTM users in the sample had installed SP3 and no other security updates, they would have been protected against 96 percent of observed attacks; likewise, Office 2007 RTM users would have been protected from 99 percent of attacks by installing SP2.”

Operational security can be enhanced by the use of best practices, including the following:

Architect for Containment.
In the modern threat landscape, which includes persistent and determined adversaries, attackers will attempt to penetrate a computer system stealthily and then exploit the fact that a hard perimeter, once defeated, reveals a soft interior that can be navigated easily for long periods of time.[12] This being the case, a security strategy that blunts threats through prevention and response now needs to extend to containment (e.g., network segmentation, limiting user access to least privilege) to ensure that, if part of a network is compromised, the adversary is well contained.

[11] See Microsoft Whitepaper, Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust, by Scott Charney and Eric T. Werner, July 2011, p. 9.
[12] See Microsoft Whitepaper, Trustworthy Computing Next, by Scott Charney, February 2012.

Employ defense-in-depth. Network defenses should be deep, integrating multiple, overlapping, and mutually supportive defensive systems. Defense systems should include firewalls, gateway antivirus protection, intrusion detection and intrusion prevention systems, and Web security gateway solutions.

Aggressively update. An aggressive security update program is essential. Operating systems, applications, and browser plug-ins should be updated whenever new code is released. Automated security update deployment should be used whenever possible to maintain up-to-date protection across the organization. Additionally, security countermeasures, including virus definitions and intrusion prevention signatures, must be updated continually.

Monitor for threats. Proactively monitor infrastructure for network intrusions, malicious code propagation attempts, suspicious traffic patterns, attempts to connect to known malicious or suspicious hosts, and attempts to spoof trusted web sites. It is also important to remain constantly aware of new vulnerability threats and to adhere to remediation guidance.

Ensure proper incident response procedures.
Proper incident response should be an integral part of the overall security policy and risk mitigation strategy. This involves proactively creating incident response plans and assembling an incident response team.

While the practices above are important for core operations, they may not protect users from themselves. Governments and enterprises will need to work together to create practices for effectively educating users about the dangers of social engineering, as well as to identify best practices for making products more robust against social engineering techniques.

4. Enhancing Security against Social Engineering

Sometimes users make poor choices that compromise the security of their devices and data; when an attacker directs those choices, we call it social engineering. Social engineering attacks can be difficult to protect against, because it is hard to guard against the legitimate actions of a misguided user. Education is a key part of the defense. Organizations should raise awareness of these threats and provide training to help users spot and prevent social engineering. For example, users should be suspicious of communications from unknown parties, particularly those that include attachments, as well as of URLs served on social media sites that promise rewards or other unusual opportunities. Web browser URL reputation solutions, such as Internet Explorer’s SmartScreen, can help by blocking known malicious sites or downloads. Organizations can also protect users from their own actions by instituting best practices such as:

Using encryption. Encryption should be used to protect sensitive data, including drive encryption such as Windows BitLocker to secure data should a computer be stolen or simply lost.

Enforcing an effective password policy. Ensure passwords or passphrases are at least eight to ten characters long and include a mixture of letters and numbers.
Users should be encouraged to avoid re-using the same passwords on multiple web sites and to avoid sharing passwords with others. Passwords should be changed at least every ninety days.

Applying least-privilege accounts and software restriction policies as appropriate.

Microsoft continues to invest in research, innovation and development designed to reduce product vulnerabilities, improve supply chain risk management, enhance operational security and advance security against social engineering attacks. As discussed below, nations are striving to improve cybersecurity and recognize its importance to critical objectives such as promoting economic and national security as well as citizen safety and innovation.

Part IV: Emerging National Approaches to Cybersecurity

To meet its national objectives, it is critical for a government to develop cybersecurity capabilities as part of its national security plan. This can spur other benefits, too. For example, government leadership and policies that develop capabilities to enhance cybersecurity can help improve citizen safety, develop a skilled workforce capable of protecting critical infrastructure, improve commerce and investment as a result of greater confidence in the security of the underlying infrastructure, and ultimately create new jobs and communities that contribute to improved quality of life. In recognition of the benefits of secure ICT, some governments have begun to build a series of complementary plans and programs to address these requirements.
According to the International Critical Information Infrastructure Protection Handbook, over twenty nations have developed critical information infrastructure protection policies.[13] The United Nations Institute for Disarmament Research (UNIDIR) notes that thirty-three states have developed cyber strategies related to defense.[14] The Organization for Economic Cooperation and Development (OECD) has also been tracking the emergence of national digital identity strategies tied to improving cybersecurity, and recently published a report highlighting findings from eighteen countries that either have or plan to develop a national strategy for identity management.[15]

[13] International CIIP Handbook 2008/2009, Andreas Wenger, Victor Mauer, and Myriam Dunn Cavelty, Center for Security Studies, ETH Zurich.
[14] United Nations Institute for Disarmament Research (UNIDIR), Cybersecurity and Cyberwarfare: Preliminary Assessment of National Doctrine and Organization, p. 3 (2011).

Looking across the emerging landscape of government strategies, we find common elements, including: identity and access; software and systems assurance, including supply chain risk management; compliance and monitoring; data protection; resiliency and risk management; and response.

In addition to these elements, many governments are also looking to use cloud services, because they increase innovation and reduce the cost of delivering services, and are asking how to incorporate cloud services into a national cybersecurity strategy. Not surprisingly, governments are concerned about security and sovereignty issues related to the cloud. Governments are working with the private sector to identify and manage these risks, including through efforts like the Cloud Security Alliance, which seeks to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.
[15] Organization for Economic Cooperation and Development, OECD (2011), “National Strategies and Policies for Digital Identity Management in OECD Countries”, OECD Digital Economy Papers, No. 177, OECD Publishing, p. 4. http://dx.doi.org/10.1787/5kgdzvn5rfs2-en

Part V: Collaborative Approaches for Advancing a More Secure Cyberspace

There are four key factors that a government should consider carefully to improve its cybersecurity profile in the near term and to promote innovation and leadership in the long term: a national, coordinated cybersecurity strategy; a flexible and agile cybersecurity risk management approach; appropriate information sharing capabilities; and the international implications (i.e., reciprocity) of any resulting policies or practices.

A. Coordinated National Cybersecurity Strategy

Governments must have a clear, coordinated and actionable cybersecurity strategy designed to ensure national security, economic security, and public safety, and to ensure the delivery of critical services to citizens. Importantly, each government must ensure that its cyber policies are technology neutral and do not stifle innovation. Technology-neutral policies do not promote, require, or otherwise advance a particular technology product or set of products to the exclusion of others; rather, they identify desired outcomes and allow the marketplace to find the most innovative way to achieve those outcomes. In addition, governments must integrate and harmonize their cyber policies, recognizing that the actions each government takes will have ramifications beyond its borders. Policymakers must be mindful of the global import of their actions and ensure that competing interests are balanced appropriately.

B. Flexible and Agile Risk Management

Any framework designed to manage cybersecurity risk must be flexible enough to permit future improvements to security − an important point, since cyber threats evolve over time.
Governments, enterprises, and citizens depend on the information infrastructure and the data that IT systems contain, and there are often no alternative physical means to perform core functions. Yet, as discussed above, the information infrastructure faces a myriad of ever-changing cyber threats. Risk management is the appropriate approach to improve the security of the ICT systems on which we all depend, because there are simply not enough resources or time to address all the risks we face.

While risk management is a well understood discipline, managing cyber risks is particularly difficult, especially in government environments. This is because cyber risks are complex; the infrastructure and information systems are varied and distributed; it can be difficult to quantify risks and the value of potential mitigations; and it is important that we not hinder innovation and agility. Therefore, while governments and enterprises must continue to anchor approaches to securing the information infrastructure in risk management, they must also evolve how that discipline is applied to better address the unique nature of cyber risks. When doing so, government and industry should strive to ensure that their approach is appropriately scoped to address pressing national security and public safety concerns, and remains sufficiently flexible and agile to enable organizations to manage risk in a dynamic cyber threat environment.

In managing cyber risk for information infrastructure, government must balance dual, and often interrelated, roles. First, as a public policy entity, the government is responsible for protecting public safety, as well as economic and national security, and must consider which infrastructures support those missions. Second, a national government is also a large and widely distributed enterprise, with countless globally distributed customers (e.g., citizens who want to connect with their government), partners, operations, networks, and resources.
Although distinct, the policy and enterprise roles are not entirely separate, as each affects and informs the other. Government and industry must be particularly careful when delineating the elements of the information infrastructure that are truly critical to national security and public safety. We recommend that governments work to ensure that the highest priority risks are addressed. Microsoft believes each risk should be assessed to determine its severity, the consequences of a successful exploit should be understood, and the likelihood of harm should be evaluated. Appropriately identifying the systems and assets that should be addressed as priorities, as well as the risks to be addressed, will enable both government and private sector leaders to better secure the nation’s critical information infrastructure.

Similarly, governments must create a risk management framework that enables the necessary agility to respond to rapidly changing cyber threats.16 It is important to understand that risk has historically been managed by focusing on “verticals” (e.g., banking, health care), but information technology runs horizontally underneath all verticals. A risk management model should (1) recognize this horizontal layer (that is, IT risks need to be managed in common ways), but also (2) appreciate that verticals have unique requirements. We therefore recommend a hybrid model that includes:

- A centrally managed horizontal security function to provide a foundation of broad policy, security outcomes, and standards; and
- Vertical security functions resident in individual organizations to enable them to manage their unique risks with agility.

This combination of horizontal and vertical functions ensures that minimum security goals and standards are set, yet provides organizations with flexibility to manage the unique risks associated with their operating environments.

C. Information Sharing

Successful risk management depends on effective information sharing.
Information sharing succeeds when it is targeted at solving specific problems and challenges. Information sharing itself is not an objective but rather a tool, and sharing for sharing’s sake is not helpful. Threats and risks are not best managed by sharing all information with all parties, but rather by sharing the right information with the right parties (that is, parties who are positioned to take meaningful action). Targeted information sharing also better protects sensitive information (whether in the hands of the government or private sector), helps protect privacy, and actually permits more meaningful sharing of data.

Microsoft recommends that governments, working with industry, create two complementary information sharing capabilities: one focused on the most significant threats to a government’s national security and public safety, and another designed to enable greater automated management of IT security compliance across the government’s enterprise.17 For example, a government could, in part, promote effective information sharing capabilities by:

- Exchanging technical data under rules and mechanisms that require both sides to protect sensitive data;
- Analyzing the risks holistically and developing strategies to manage those risks; and
- Developing cyber threat and risk analytics as a shared discipline.

For any such governmental organization to achieve success, it needs to have the right legal environment, including legal protections, for such information sharing and action, and it must itself share sensitive and actionable information with the private sector.

16 See “Written Testimony of Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft Corporation Before the Senate Committee on Homeland Security and Governmental Affairs Hearing on ‘Securing America’s Future: The Cyber-Security Act of 2012,’” February 16, 2012, p. 4.

D. International Implications

As cybersecurity becomes an increasingly important foundation of an interconnected world, governments must remember that domestic cybersecurity policies now have international implications. While it is important that governments appropriately develop policies and regulations to address Identity and Access, Software and Systems Assurance, Compliance and Monitoring, Data Protection, Resiliency, Risk Management, and Response (all core cybersecurity efforts), governments must also be aware that such policies are not created in a vacuum. Regulations and requirements that are designed to protect a government, its enterprises and citizens could in fact become an impediment to the government’s long term goals related to innovation and economic development, as well as to increased security itself. Just as trade relationships are based upon the idea that opening markets in reciprocal ways can create trading opportunities between participating countries, it must be recognized that creating cybersecurity requirements that block market access may lead to similar “reciprocal” behaviors, potentially fragmenting the Internet and denying people everywhere the benefit of the highly innovative, low-cost products that only a global supply chain can produce. As such, governments should examine the potential implications of those policies in order to understand potential issues related to reciprocity.

17 Ibid., p. 7.

Part VI: Conclusion

Over the next few years, the world will see an unprecedented growth in Internet users, devices and data, which will create vast opportunities and equally daunting challenges. Cybersecurity is the cornerstone of a networked world. Only through collaboration and appropriately evolving practices like secure product development, supply chain security and operational security can we create more effective cybersecurity policies and practices.
Such policies and practices will help protect public health and safety, increase economic innovation, solidify national defense, and secure the promise of our collective future. Working together, in a more connected society, we can help ensure a safer, more trusted computing experience.

Appendix A: Selected Microsoft Security Resources

Since 2002, Microsoft has developed a rich set of resources that it shares openly with others across the IT ecosystem to enhance the security of cyberspace. The following list provides more information on some of the resources included in this white paper.

Security Development Lifecycle. The SDL is a software development security assurance process consisting of security practices grouped by seven phases: training, requirements, design, implementation, verification, release, and response. Experience at Microsoft has shown that executing these security practices in order, as part of each phase, yields greater security gains and cost benefits than ad hoc implementation. The SDL process is not specific to Microsoft or the Windows platform and can be applied to different operating systems, platforms, development methodologies, and to projects of any size. Microsoft makes the SDL available to everyone.

Microsoft Security Engineering Center. The MSEC helps to protect Microsoft customers by delivering inherently more secure products and services, through the Microsoft Security Development Lifecycle (SDL), comprehensive security assurance in software development and state-of-the-art security science. MSEC addresses software security via three main areas: Process, People, and Technology.

Microsoft Security Response Center. The MSRC identifies, monitors, resolves, and responds to security incidents and Microsoft software security vulnerabilities, twenty-four hours a day, with a commitment to prevent worldwide incidents and create a safer, more trusted Internet.
The center manages a company-wide security update release process and serves as the single point of coordination and communications. MSRC is tapped into a worldwide network of security researchers and partners and closely monitors security news lists and public forums.

Microsoft Active Protections Program. With the vast majority of attacks targeting the browser and application spaces rather than the operating system, communication and collaboration among vendors is critical to improving the security landscape. Microsoft works closely with both competitors and partners to address vulnerabilities. The Microsoft Active Protections Program (MAPP) gives partners vulnerability information early so they can build enhanced software protections for customers.

Microsoft Vulnerability Research Program. The MSVR program helps secure software running on the Windows platform by finding vulnerabilities in third-party software, communicating them to the affected vendors, and helping those vendors adopt the security functionality built into the Windows platform.

Appendix B: List of Contributors

In addition to the materials cited in the footnotes, this paper benefited from several contributors, including substantive comments from Paul Nicholas, Eric Werner, Cristin Goodwin, Angela McKay, Aaron Kleiner, Andrew Cushman, and Lori Woehler. Special thanks to all of you for taking the time to review and provide feedback.

Cybersecurity: The Cornerstone of a Safe, Connected Nation. © 2012 Microsoft Corp. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.