Today, in a blog post and email to employees, Microsoft is announcing a broad vision for tackling the cybersecurity challenges that have increasingly plagued the company and its customers in recent years. Known as the Secure Future Initiative, the plan leans heavily on artificial intelligence tools as a “game changer” and also includes a call for international cyberspace norms, an expansion of the company’s 2017 Digital Geneva Convention.
The most tangible and immediately applicable component of the strategy, though, relates to improvements in Microsoft’s software development and engineering approach. In Thursday’s email, executive vice president for Microsoft security Charlie Bell and colleagues Scott Guthrie and Rajesh Jha lay out a plan to further safeguard identity management systems in Microsoft products, improve security software development, and shorten response and patch release times for addressing vulnerabilities, specifically those in the cloud.
The announcement comes as Microsoft has faced scrutiny over situations where vulnerabilities in its products have enabled attackers—both financially-motivated cybercriminals and state-backed hackers—to rampage through the company’s own systems and those of customers. And the climate around accountability is evolving as regulators and law enforcement look for new paths to deterring, but also preventing, damaging hacks. On Monday, for example, the United States Securities and Exchange Commission (SEC) announced charges against the IT management company SolarWinds and its chief information security officer over “cybersecurity risks and vulnerabilities” that the SEC alleges were known and should have been addressed.
Microsoft said on Thursday that its Secure Future Initiative comes in response to wildly escalating threats from attackers. “In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” company vice chair and president Brad Smith wrote.
In an interview with WIRED, Microsoft’s Bell emphasized that both cybercriminal and state-backed actors are professionalizing and homing in on phishing and creative approaches to credential theft as the most direct and effective method for infiltrating organizations of all sorts. He noted that while it is difficult to get an accurate accounting of total global economic losses due to cybercrime and cyberattacks, Microsoft believes that total losses have been greater than $6 trillion and could close in on $10 trillion by 2025.
“The threat is growing,” he tells WIRED. “It’s a huge drag on the world. So when you look at all of this going on and you say well what can we do? Microsoft is in the center of much of the ability to defend. It caused us to step back.”
Speeding vulnerability response times by 50 percent and moving toward mandating secure default settings for customers are two aggressive steps Microsoft says it plans to take to make a tangible impact on customer security. Bell says that multi-factor authentication adoption among Microsoft customers is at roughly 34 percent, but “it should be 100 percent.”
The changes come as other giants across the industry, including Google, are acknowledging the need to push secure defaults, particularly around authentication. The software development platform GitHub, which Microsoft owns, has been working on rolling out mandatory two-factor for months. Apple has long mandated two-factor for most accounts, and Google has been publicly working toward the goal for years.
On many components of the Secure Future Initiative, Microsoft is not exactly late to the party on hardline changes, but is noticeably behind the early advocates. And in general, concepts of engineering software to be secure by design or building system architecture to be zero trust were prominent features of the past decade. Yet, between cloud services and all of the legacy Windows systems around the world, Microsoft is at the very heart of IT infrastructure, and in many ways, global cybersecurity moves at Microsoft’s pace.
“It’s an absolutely terrible world if we don’t get ahead of it,” Bell says. “We have all the data right now that the threat actors—they’re poking from the outside, they see a little bit. We know everything because we’re on the inside. If we’re gonna tackle the security problem we’ve got to be real about the fact that you’re not going to flip a light switch and everybody’s running in the cloud. There’s a lot of operational ground to cover between here and there. And Microsoft is the company that supports that world, that critical infrastructure that’s out there.”
