This discussion is over since a long time and most people probably accepted the fact that the world changed – the cheese moved. BYOD, Consumerization of IT or however you want to call it at the end of the day is a reality. They might have different forms: In our case at Microsoft it might be officially a pre-stage as internally we get the hardware but we can set it up the way we want as long as we are following the policies. But even this is not the complete truth as there are a lot of people buying their own hardware and using it to work. I am currently not only running my notebook with Windows 7, I am using Windows 8 Developer Preview on a slate as well – and as I want to understand how we can make it happen – I did not join it to the domain as I want to run the Consumerization of IT scenario. This immediately raises questions on security.

We most probably need mail (Outlook in my case), Lync and some documents on a slate. So, I need to have Outlook installed and connected to Exchange (including RMS-protected mail), Lync as well as OneNote and some documents I want to have with me while I am travelling. What does this mean for IT? What about me connecting to the corporate network? Let’s look at some of the scenarios and functionalities. I know that there are answers to some of the problems but lets look at the questions first:

• Authentication: As it is not a device IT controls, how is the user authenticated? So we might want to require a PIN or a password to unlock the device. This makes sense anyway but there needs to be more than a “only” a paper policy. For those of you who have seen the build presentations on Windows 8 might have seen a new way to authenticate: A user can have a picture and store three gestures to unlock. A great way to authenticate to a slate but does the policy allow for that? Even if it is not a domain authentication, it is the authentication to the holy grail – the mail.
• Lost devices: Typically these devices are cool – that’s the reason why our users buy them – no? So, the risk of them getting stolen – or lost as they are small – is fairly high. How is the data and how are the credentials on the PC protected? So, we talk of disk encryption first, remote wipe second.
• Disk Encryption: There are devices like Windows Phone 7, which have a very sound security model and a very good device security but unfortunately no encryption, yet. There are others with “encryption” built in, which is broken in minutes as the device can be jail broken easily. What is the policy there? On the slate there will be a need for disk encryption as well. Which user will use something like this without being told? Yes, I know. You will but you are definitely not a representative sample as security people. On Windows we can switch Bitlocker on and will have at least the ability to securely protect the disk.
• Wipe: I would want my device to be wiped after a few unsuccessful authentication attempt or – if I lose it – I want to be able to remote-wipe the business data if I am IT.
• Network Access: Now the device comes on our network. What happens if the devices does not have any anti-malware protection? It might spread all the dirt on your network. Not something we typically enjoy. There are solutions to that – since a long time we talk about Server and Domain Isolation Using IPsec and Group Policy which at least separated the trusted and the untrusted devices. But we basically want the devices on the network and have them accessing the data – if they follow certain policies. Therefore we need a way to do policy enforcement and health checks with the ability to quarantine.
• VPN Access: This might be easier as we can enforce the policies as mentioned above much easier as the machines come through a well-defined channel where we can check them but are we allowed to? Think about privacy implications as well.
• Mail: Finally talking of mail. Access to e-mail is probably one of the crucial areas to enable and manage as a lot of confidential information is buried somewhere in mail. Additionally, to access mail, the keys will be needed if the mail is encrypted. Thus a lot of critical information is on such a device.
• Data: As a user I want my data (or at least key part of my data) synced between my devices. In my case between the business notebook and my slate. This should be done in a secure and safe way. Do we as IT want to allow the use of technologies like Live Mesh, which can either do a peer-to-peer synchronization or a peer-to-peer-to-Skydrive sync. In other words, a copy of the data can be hosted in the public cloud secured with a LiveID password.

So, a lot of different problems/questions. However, they are only partly new as I have seen a lot of people taking data home to their own private PC – the one the kids are gaming on – to do their work. Taking home means USB or even sending the data to the private mail account.

Protecting such an environment can have different approaches and I would be interested in what you think and what you need:

• First and foremost we need policies clarifying what can be done and what not. For severe violations, there needs to be disciplinary action.
• We want to have some policy enforcement. Basically, the key functionality the user is interested in is often e-mail and therefore Exchange might be one of your key management point for this. Exchange is basically able to enforce the following policy options to your device (from Understanding Exchange ActiveSync): Remote Wipe, Device Password Policies (minimum length, characters, alphanumeric, inactivity time, enforce history, enable recovery, wipe device after failed attempts), device encryption. Therefore, it can be expected that the key requirements can be met. But there is a fair chance as well that not all devices fulfill all the requirements. Or even worse: The active sync client could simply lie to the server.
• Would it be an option for an IT organization to require a client installation? Would the policy “if you want to use your own device, you have to let us install a piece of software” something which can be implemented? I am not completely sure are the user will look at the device as his/her own and will refuse interference. On the other hand it is the company’s data. A fairly interesting conflict. If we are allowed to install a client, all of a sudden technologies like Network Access Protection become feasible as we have a trusted piece of software being able to check the health of a computer

But what else is needed? Do you need management? Inventory? What else would you expect in such a scenario from your technology? Let me know – I am interested in this debate.

Roger

I quote:

Yet Android costs Google billions, without drawing revenue. Microsoft is making half a billion a year from Android. The settlement with Oracle, when it eventually comes, will add even more costs to working with Android – for anyone who dabbled with it.

Google executives must be wondering – in the words of David Byrne – “how did I get here?”

The company is going to have to spend very big to settle a clutch of outstanding IP issues, and almost certainly have to restructure Android governance to restore confidence in its stewardship of the systems. But even after all the smoke has cleared, things at Mountain View will have irrevocably changed. No amount of public relations or lobbying, or invite-only conferences, are going to return Google to the golden status it enjoyed only a few years ago.

Imagine you’re a public policy person, or a business strategist. Why would you think Google can give you a glimpse of the future, when it can’t even understand the present?

Roger

• Part 1: Introduction to Consistently Low Malware Infection Rates
• Part 2: Lessons from Austria
• Part 3: Lessons from Finland
• Part 4: Lessons from Germany
• Part 5: Lessons from Japan
• Part 6: Finale – Key Findings

Roger

Roger

and the scariest part is that I never looked at it that way but he is right

Roger

For all the ones still claiming that Open Source software creates less vulnerabilities, here you find the some stats on Office:

Interesting, hmm….

Roger

• Governments
• Legislative Bodies
• The Armed Forces
• Law Enforcement
• Judges and Prosecutors
• The End User
• The Private Sector
• The IT Sector
• Banks and Financial Services
• Critical National Infrastructure
• WikiLeaks

The interesting one is the last one – a whole chapter on WikiLeaks.

The paper is very well structured and gives always a structured view on the different challenges. If I would have to pick a few of them, those would be my highlights:

From a strategic challenge perspective:

• The threats to cyber security are the greatest national and economic security threats states face. Cyber security will evolve into a key challenge, economically, politically, socially, and militarily. Yet it remains the least understood and most underestimated threat.
• The very complexity of the threat deters a full understanding of its implications and hinders a comprehensive debate on the strategic responses needed.

I recently had a discussion with a government and everybody was talking about “Cyber” and “Cybersecurity”. Have you ever dared to ask what Cyber means to them? It is the number one theme and the number one theme people do not understand. Especially for politicians it is far away from their world as the theme we are talking of is even hard to grasp for specialists.

Challenges for governments:

Of particular concern, are the often meagre resources available in developing countries, least developed countries and failed states to establish and implement an effective cyber-security regime. Without the participation of all countries, the overall system remains vulnerable to attack. International cooperation is hampered by these large discrepancies between national cyber capabilities.

[…]

With few exceptions, governmental responses to the threats and risks of cyberspace have taken two tracks: legal and organisational. Neither has been very well unified or coherent, rather, they have been more organic in their development and, consequently, less cohesive than one would wish. A lack of leadership, organisational stability and expertise are the main factors limiting the capacity to respond.

It sometimes really makes me feel sad, seeing different organizations within governments fighting each other for the leadership in Cyber. Even worse: We see this within international bodies as well. Guess who wins: The Criminals.

We simply do not have the resources nor the energies available to afford this. Microsoft wants to collaborate and support organizations which drive a cybersecurity agenda but we cannot afford (we simply do not have the people) to help a lot of organizations, which fight each other.

If you are out there from a government or an international organization, you should definitely think about this! This is your responsibility. Ours is to provide our help.

Challenges for legislative bodies:

• The technical complexity of the issue, which surpasses the professional experience of most members of parliament and requires highly specialized staffers that few parliaments can afford.
• The fact that cyber security is a cross-cutting issue, which cannot easily be fitted into existing committee structures. To put it simply: Who is in charge—the armed forces committee or the security committee? Justice, police, or the committee for homeland security? Telecommunications? Or all of them? And what role is there for Foreign Affairs?

Governments, have you read the point above? We need to fix this and we need to fix this now as…

• Cyber security is addressed, fully or partially, by many countries through their military and/or intelligence structures—i.e. through agencies that are, by their very nature, more exclusive and nontransparent.

Another challenge, which goes in the same direction: A lot of governments fear the collaboration with the private sector. Sometimes I hear statements like “we cannot work with you too closely because it would be politically incorrect if Microsoft helps us too far with our Cybersecurity strategy” – these are statements from people who listened to us and understood the value we can bring to the table (not selling products, fixing problems). Still, this fear blocks creative solutions between the public and the private sector.

There are good examples where this works but unfortunately there are not too many because of this fear. Interestingly enough it often works better in developing countries rather than developed – and again there are exceptions to the rule.

Challenges for the armed forces:

That’s a hard one as Cyberwar completely changes the world of the armed forces. One is:

• The military has become completely dependent on cyberspace for its activities. Any threat in the cyber domain is of fundamental consequence for the armed forces.

They have to rely on the critical infrastructure but are often not part of the government’s CIP program.

• The traditional conservatism of the military is a hindrance (historical examples include the difficulties that militaries have had with the introduction of the machine gun, the dreadnought, the tank, or aircraft carrier). There is some truth in the saying that the military always tends to prepare for the last war.

I am seeing some where good initiatives from people who understand that they are challenged. This then comes back to the collaboration between private and public sector. Us from the private sector, let’s help these people to move forward in their defensive capabilities. At least we will not engage in offense.

and finally:

• Cyberspace presents the military with questions for which there are not only no answers, but for which we might not even have understood the questions yet.

Well and we did not touch on the Cloud yet as it is worse there…

Challenges for law enforcement:

This is kind of a pet theme for me especially when it come to international collaboration and international harmonization of laws. The paper raises similar challenges:

• While Internet criminality is international in nature, cyber crime legislation varies from country to country.

[…]

• A country is, under international law, not responsible for the cyber activities of its citizens, even if those activities constitute de facto the equivalent of an act of war against another country. The situation invites cyber ambitious countries to hide their own cyber activities behind the cover of allegedly anonymous hackers or hacktivists.

This is actually an interesting approach and could solve the attestation problem. If a country can be held accountable internationally for not reacting on an attack which originates from within their boarders, this might significantly change the way governments treat such attacks as nobody can hide behind an activity, which is then concealed as a private activist group exercising the activity.

Challenges for judges and prosecutors:

In my experience, we have a significant knowledge problem with judges and prosecutors. Having digital evidence in court is in a lot of countries a real challenge as it always comes down to experts testifying.

Judges, prosecutors and law enforcement agencies often lack sufficient knowledge to effectively bring cyber criminals to justice. More must be done in training and education to ensure that these officials have the knowledge, skills, and capacity to properly fight cyber crime and to make their charges stick.

Private Sector:

The private sector is not much better, though:

If the government response to cyber security can be characterized as ad hoc, the private sector response to cyber security can best be characterised as unstructured.

And I do not think that they are wrong.

The IT Sector

The quality of software also needs to improve. Much attention has been on operating system security, but the target has now moved to the application layer, which has had insufficient security focus. Beyond the application layer, lower level software such as firmware is poised to be the next target of attack. There has been little to no attention aimed at reducing the vulnerabilities in this space, which must change.

There are different things we are working on but basically our Security Development Lifecycle is a sound, proven and I would even say auditable basis to go forward. The challenge here will be that you find much more application providers than Operating System Manufacturers.

Banks and Financial Services

What is interesting is that they are separating banks, the IT sector from the Critical Infrastructure, which you cannot in my opinion. They/we are a key part of it – and especially the banks showed it during the crisis.

• Due to the massive amount of money being transferred electronically around the globe every second, financially motivated cyber criminality is on the rise.
• The situation is rendered even more attractive for criminals by the fact that banks, more often than not, do not report successful attacks.

The last point is a call I make often to the banks but at the end of the day to everybody: We have to start to report attacks to the police. Otherwise, it is the Wild West out there. The problem currently is that we have a legal system, which works, we have Law Enforcement in a lot of countries doing a great job fighting cybercrime – often focused on child porn, which is great – but attacks on our infrastructures are not followed through as they are not reported. A fairly safe bet for the criminals.

Critical National Infrastructure

That’s a really complex thing and a lot of governments struggle with this. In my opinion for different reasons:

• Constantly changing governments makes it hard to build trust between the private and the public sector
• Often the focus of governments is providing the key infrastructure like roads, power, internet but protection comes, once it is here
• Partly this is a cultural thing as well as it depends to a certain point on the way the government and the society is structured. How trustworthy is the government from a citizen perspective? How far is the government willing to work with the private sector in a trusted way or how far is the government in the position to invest a lot of money to build the competency on its own? Even in Western Europe, where such initiatives grew already fairly far, there are a lot of different models in place already and you see that societies with similar cultures (e.g. Switzerland and The Netherlands) come up with fairly similar approaches, whereas different cultures (Switzerland and Germany) come up with fundamentally different way of tackling the challenge.

What does the paper see as the big challenges? Here you go:

• The protection of CNI, has been recognized by most countries, as a priority. This basic awareness alone does, however, not translate into effective mechanisms for actual protection.

[…]

• To create a genuine private public partnership in protection of CNI, the private sector would have to perceive a clear-cut, measurable advantage in reporting to law enforcement agencies, and to subsequently develop together with them a coherent defensive system. Currently, it does not.

[…]

• The problem is exacerbated by the fact that, as examples prove, cyber malware has already been planted into some of the world’s critical infrastructure systems. The corresponding need to develop intelligent systems able to check automatically and regularly for the presence of highly sophisticated malware, is only about to be understood. It will be a costly enterprise in the best of circumstances and likely to be unevenly applied, thus reducing the eventual positive effects of select countermeasures for the overall system of interlinked critical infrastructures.
• Comprehensively coherent and harmonized national approaches are indispensable in this domain; without international coordination no progress will be possible.

It is so obvious but so hard to achieve: International cooperation is key (and this means e.g. outside the EU as well) and one cannot address CIP without the private sector (which kind of runs the critical infrastructure…)

WikiLeaks

The final chapter, which comes back to ethics and freedom of speech. My position is clear here: “Freedom of speech” does not mean you can say everything!

Finally, what I really like with this paper is, that is comes down to the point to state, what they think the response could be:

Not surprising, the start with the Public Private Partnership. Now, I stopped to use this term, simply because it is often loaded with formal contracts and MoUs etc. What I think we need is a collaboration/cooperation between the sectors, where the public sector has to learn as well that collaboration with governments should not be to the disadvantage of the companies doing it. E.g. if we spend a lot of time and money working with the governments to pave the way for the industry, is this very good but we have the investment and the competition the benefit. At least the public acknowledgment of such a collaboration happens sometimes helps.

Where is the challenge we need to overcome? Well….

• The private sector is understandably reluctant to share sensitive proprietary information about intrusions, actual damage, theft and crime, as well as prevention practices, with either government agencies or competitors because information sharing is a risky proposition with less than clear benefits. No company wants information to surface that they have given in confidence, since such an event could jeopardize their market position, customer base or capital investments.
• Nor would private companies risk voluntarily opening themselves up to costly and time-consuming litigation. Industry fears that breaches on innocent customers might inadvertently occur during investigations. Negative publicity or exposure as a result of reports of information infrastructure violations could lead to threats to investor and consumer confidence in a company’s products. Moreover, companies fear revealing trade secrets to competitors, and hence are reluctant to share proprietary information. They also fear that sharing this information with government may lead to increased regulation of the industry or of e-commerce in general.

[…]

• On the other hand, many private sector mechanisms for information sharing already exist without the need for government intervention. For example, both the “white-hat hacker” and the security researcher community provide a valuable private sector service. They are active information sharers which head off a vast number of attacks and identify vulnerabilities before harm occurs. Particularly on the technical level, information sharing about vulnerabilities and remediation happens routinely in the private sector. This is not because of a mandate from government. Rather the impulse to share is based on a well-grounded exchange of network-protective information done by engineers of, for example, the major telecom companies. And if the government wants to join in the sharing, they would be welcome—that is, if they bring added value to the arrangement.
• There is an urgent need for active, robust, and credible liaison of government with the private sector. Government agencies have to respect the confidentiality as well as the value of the information and secrets that the private sector may give them to do their job. In order to do the job on both sides, real-time feedback on information sharing is essential. All partners engaged in ensuring IT security will not share information unless they have a high degree of confidence that this information will be protected from disclosure. Hence, all partners must take steps to protect sensitive data as a precursor to information sharing. Only then will it be possible to form trusted relationships and begin data sharing. Similar principles apply to information sharing between governments and international organisations.

I think that governments have to learn in the cyberspace that a partnership is not unilateral only. It should work both ways. I often see governments talking about partnerships but mean us sharing information. I want intelligence back – not about single cases but trends and maybe real-time intelligence as well, where our technology is concerned. However, more often than not it is a one-way street and the reason is trust again.

And the second way to approach the challenge is naturally International Cooperation. This comes natural if you read the statement above but is absolutely key. There are a lot of intergovernmental organizations trying to address the issue but unfortunately I see them often competing rather than collaborating. We need solutions and we need them fast – not in 2020 but in 2012.

All in all, a very good read, which in my opinion lays out the problems extremely well and gives a few natural approaches to possible solutions.

Roger