Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along . . . → Read More: 10 Years of Trustworthy Computing at Microsoft]]>

Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines:

• Oh, you are joining a desktop company? Why?
• A security guy? Joining Microsoft? hmm…

So, these reactions came from the time immediately before we launched Windows XP (you are not on XP today, are you? If you are, read this article). Microsoft was not perceived as an enterprise player and was not seen as secure – they were wrong back then in the first case but right in the second one I guess. I joined being part of the consulting organization but soon met the country manager and I was having a chat with him about the perception on Microsoft’s security in the market. We (say: he ) then decided that we need to work on that and that I shall draw a job description – the job then was called Chief Security Officer and Chief Security Advisor later on. And then Nimda hit! And then Blaster hit! And then Slammer hit! I had the “privilege” back then to run the incident response team in Switzerland and had the privilege to have customers screaming at me, tell me that we fucked up (that was a quote).

Interestingly in the meantime the famous Bill Gates’ Memo hit the streets, saying:

There are many changes Microsoft needs to make as a company to ensure and keep our customers’ trust at every level – from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.

and even more important:

In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

This memo led to the creation of Trustworthy Computing with Scot Charney running the organization since it’s beginning and Scott then created the Chief Security Advisor community, the community I was in since the beginning and have the honor to run today globally.

Coming back to the beginning: I remember the first keynote I did for Microsoft was on Trustworthy Computing immediately after this announcement. People approached me in the breaks and asked me whether I really believe what I just said: that Microsoft is going to change. And I confirmed that. I have never seen (not before nor after) a company stopping development for almost four months to address issues and then change the way the company operates – that radically. I would never ever put my name and my credibility at risk if I would not have believed back then and I am still convinced that we did and still do an outstanding job and that we are leading the industry today. Interestingly I do not get these questions anymore…

So, what happened over these 10 years of Trustworthy Computing? What were significant achievements? Well, there are numerous and I have to apologize to the teams I am not mentioning here upfront…

• Immediately after SQL Slammer in 2003 we span up a process called Software Security Incident Response Process (SSIRP), a process which is still in place today and we constantly adapt it to new threats and especially new challenges. This was a huge effort as we needed to be able to ramp up an incident organization all across the globe 24*7 – and we still are today.
• Probably the biggest and most fundamental change was the way we develop software. We introduced the Security Development Lifecycle (SDL) and constantly keep it updated. Not only did we change the development process internally, we make this information available to the industry for free. Others shall be able to learn from our learning from the past. What concerns me is the slow adoption of such methodologies from a vendor side as well as from a customer side. Who really asks for a process? Typically customers ask for product certification but not for a sound process – something we as an industry need to continue on changing.
• Different teams were spun up to address security re-actively like the Microsoft Security Response Center and the Malware Protection Center.
• Since 2006 we publish our Security Intelligence Report – the most comprehensive report in the market.
• Our Digital Crimes Unit is fighting cybercrime from a legal as well as from a technology perspective. We are working closely with the Council of Europe and other organizations improving the legal situation. We are taking down botnets like Waledac, Rustock and Kelhios in close collaboration with the authorities.  We are providing technology to fight sexual exploitation of children like PhotoDNA.

A lot of things happened over the course of the years and there is still a lot to do. These are just some highlights (besides the creation of the Chief Security Advisor community).

If you want to see a condensed version of the “life” of Trustworthy Computing”, here you go:

And the official story on the news center: At 10-Year Milestone, Microsoft’s Trustworthy Computing Initiative More Important than Ever

Sometimes I am asked how many people work at Microsoft on security. And the answer is "everybody” (well, almost ). It is not something we separate and put into a team labeled security. It is part of all our lives to one extent or another and this is the way it should be.

If I would have a wish for 2012, it would be that the industry would stand together much closer to address the issues of today and the future. I do not see that security is something the industry should compete on – rather collaborate to fight the criminals – together with the governments and the governments together with us. I was already fairly vocal about this in the Octopus Conference and will continue to ask for it. To help with this dialogue, we published a model called Cybersecurity Agenda for Governments and will soon publish a book on it as well.

In parallel, the teams internally will continue their great work to bring Trustworthy Computing to the next level. All of this is needed, when we think that there will be a third billion devices added to the Internet in the next five years!

Roger

This made us thinking about what . . . → Read More: Cybersecurity–More than a good headline]]> A lot of governments all across the globe are working on starting, restarting or pushing their Cybersecurity initiative. What often concerns me is, that the last real headline has more impact on the strategy and the themes to be addressed than a structure or a plan or a strategy.

This made us thinking about what is needed to run a successful Cybersecurity Agenda within a country? What themes ought to be addressed and in which form.

We came up with a fairly simple model:

To explain the model, we just published two papers about it:

• Cybersecurity white paper abstract – a one pager with a high-level description
• Cybersecurity: More than a good headline – a few more pages going deeper into the discussion of the different subjects.

In parallel we are working on a book about this, giving much more examples and background – so stay tuned.

The only thing I really know: When I do a presentation explaining Cybersecurity and at the end show the slide above, governments love it. Typically they approach me asking for the deck – if they are not politically correct they tell me that they just want to get this slide.

Comments are very welcome. If you need/want further information, get in touch with me. Happy to help

Roger

Pakistan is another example: Pakistan to open cyber warfare school

I can understand where governments and militaries are coming from but this deeply . . . → Read More: Another Cyberwarfare School–better keep them employed!]]> A lot of countries are currently looking at their capabilities to defend their networks as well as leveraging technology for offense doing “Cyberwarfare”. Let’s now not debate where this starts or ends…

Pakistan is another example: Pakistan to open cyber warfare school

I can understand where governments and militaries are coming from but this deeply concerns me if we think it through. What if these people do not get a job or if they are not satisfied with the salary they get (or their boss or …). What are they going to do? You might end up with a bunch of highly skilled unemployed people – with the possibility to do really bad stuff for money.

This is scary to me…

Roger

The German Chaos Computer Club analyzed the Trojan . . . → Read More: German’s Government-Created Trojan Vulnerable]]> It is not that rare for Law Enforcement that they use software to spy in the case of severe accusations like terrorism. What is kind of surprising is the level of sophistication some of these Trojans seem to have – and not necessarily to the good side.

The German Chaos Computer Club analyzed the Trojan used by some state police force in Germany and found things like hard-coded keys, self-written encryption (well, they call it obfuscation at best) etc.

You can read the article on the CCC website: Chaos Computer Club analyzes government malware

Roger

However, what really scares me is, that I expect governments to train more people than they really need – or some of them might be laid off during priority shifts . . . → Read More: China’s Cyberwar Capability–Make Sure They Have Jobs]]> This is not surprising as I guess they are not alone: China’s Blue Army of 30 computer experts could deploy cyber warfare on foreign powers

However, what really scares me is, that I expect governments to train more people than they really need – or some of them might be laid off during priority shifts in governments. What happens to them? They have outstanding hacking skills… Just hoping that they do not move to the dark side might not really be good enough

Roger

Facebook adopts PhotoDNA and joins Microsoft and The National Center for Missing & Exploited Children to disrupt the proliferation of online child exploitation.

You find the information here.

Roger

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA . . . → Read More: Effectiveness of SecureID reduced?]]> It seems that RSA got attacked and might have lost some information. They actually took a really courageous step and went public and the Executive Chairman wrote an open letter. To quote:

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

and

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Roger