Patch me if you can: Cyberattack Series
The Microsoft Incident Response team takes swift action to help contain a ransomware attack and regain positive administrative control of the customer environment.
When Bill Gates announced the Trustworthy Computing Initiative in 2002, he recognized that we needed to change both our processes and culture if we were to make fundamental changes in our products. To ensure that occurred, a centralized group was given responsibility to drive the initiative forward. At the 10 year milestone in 2012, a decade of progress was noted in a number of ways; a chief one being the existence of numerous specialists and practices in place throughout the company. Today, every group at Microsoft has embraced these issues and continues to innovate in security, privacy, and reliability.
But, of course, the world has changed dramatically since 2002. The rise of advanced persistent threats, nation-state cyber activity, and a mobile-first, cloud-first world means that security processes created for boxed products on a three-year ship cycle are not sufficient. Put another way, with security in our DNA, the question now becomes, “how do we improve security in a mobile-first, cloud-first world with new development cadences (e.g., flighting, test-in-production) and new threats (e.g., national state APTs)?” In my view, while a level of centralized tools and oversight is still needed, it is simply not sufficient.
Trustworthy Computing remains a critical component of Microsoft’s promise to our customers. To be the company our customers need, we must be able to maintain the proven processes while adapting to this new world. Last week’s changes acknowledge that our mission remains critical and will help us be even more impactful in the years ahead by simplifying the way we work, increasing agility, driving greater accountability, and creating support models that are more lean and efficient.
By consolidating work within the company, as well as altering some reporting structures, Microsoft will be able to make a number of trust-related decisions more quickly and execute plans with greater speed, whether the objective is to get innovations into the hands of our customers, improve our engineering systems, ensure compliance with legal or corporate policies, or engage with regulators around the world.
I will continue to lead the Trustworthy Computing team in our new home as part of the Cloud and Enterprise Division. Significantly, Trustworthy Computing will maintain our company-wide responsibility for centrally driven programs such as the Security Development Lifecycle (SDL) and Operational Security Assurance (OSA). But this change will also allow us to embed ourselves more fully in the engineering division most responsible for the future of cloud and security, while increasing the impact of our critical work on privacy issues by integrating those functions directly into the appropriate engineering and legal policy organizations.
Let me close by noting an important point: I was the architect of these changes. This is not about the company’s loss of focus or diminution of commitment. Rather, in my view, these changes are necessary if we are to advance the state of trust in computing. When I joined Microsoft in 2002, it was about stopping the bleeding, healing the ecosystem and, dare I say it, sometimes getting ahead of the curve. But in the future, with new deployment cadences and a mobile-first, cloud-first world, it is dangerous to rely upon past paradigms that were built for a different environment. While I am proud of our past, we need to plan for the future.
Scott Charney
Corporate Vice President
Trustworthy Computing