Chapter 04 Microsoft’s commitment to a trusted, responsible, and inclusive cloud

For Microsoft, creating a cloud for global good starts with a commitment to harnessing our own resources and being accountable for what we do.

We believe a trusted, responsible and inclusive cloud is grounded in how we engage as a business, the development of our technology, our advocacy and outreach, corporate philanthropy, and how we are serving the communities in which we operate.

At Microsoft, our commitments include:

Increased transparency. We believe that providing clear and relevant information about the issues covered in this document to customers, business partners, governments and others is vital to the work of creating a cloud for global good. We will continue to focus on expanding transparency; one example of this is our Transparency Hub. On this site, we disclose key information about our operations, including environmental and workforce data, details about our supply chain and political engagement, and summaries of requests we receive for customer data from governments.

Focused advocacy. We are dedicated to using our voice and resources to push for the changes needed to deliver the benefits of the cloud to people around the world. Microsoft operates in more than 120 countries, and we have deep economic and social connections to the communities in which we live and work. We aspire to use our knowledge of local conditions in combination with our global experience to drive informed and sustainable policy decisions that serve the interests of our customers, local communities and, ultimately, the global good.

Strong partnerships. We will continue to work with governments, civil society and industry on projects and programs designed to ensure that the benefits of cloud computing are available to all. We will also focus on increasing inclusion and expanding empowerment to people who still lack access to technology and the opportunities it enables. Building on the foundation of Microsoft’s long history of corporate giving, we will seek new ways to improve outcomes for more and more people around the world.

Constructive conversations. We believe that the best — and only — way to realize the opportunities that cloud computing offers is through ongoing and inclusive discussions. We’ll use our resources to bring interested parties together to talk about how to address the challenges that we all face. And we will continue to create platforms where people and organizations at the local, regional and global levels can raise concerns, share their best ideas and work toward solutions.

Ongoing research. We’ll work closely with leading researchers and academics to develop and share additional insights on cloud computing. To help policymakers understand the complex legal and economic implications of existing and emerging technology innovations, we will continue to facilitate evidence-based decision- making processes and support comprehensive and independent research across a broad range of disciplines and policy issues.

In the following section, we will outline how Microsoft is living up to these commitments by highlighting a few of the investments we have made in the past year to create a more trusted, responsible and inclusive cloud.

Satya Cloud for Global Good book

Protecting cyberspace in times of peace

Across the world, governments continue to invest in greater offensive capabilities in cyberspace, and nation-state attacks on civilians and critical infrastructure are on the rise. Some 74 percent of the world’s businesses are expecting to be hacked each year, with the economic cost of cybercrime estimated to reach U.S. $3 trillion by 2020.

Yet, the financial cost is just one element of the cyberthreat challenge. Many of the attacks expose personal data, or spread misinformation online. Moreover, online threats do not originate with criminals alone. In the past few years we have witnessed an increase in government investment in offensive cybercapabilities, and as a result a greater number of cyberattacks that appear to be backed by nation-states. These range from the Wannacry attack that held to ransom over 100,000 computers in hospitals, manufacturing plants, education systems and logistics operations across the world to the NotPetya attack, which appeared to target critical infrastructure in the Ukraine but affected companies around the world.

At Microsoft we accept that no single measure will be sufficient to address the cybersecurity challenges we face, and indeed that they will never go away completely. However, the events of the past year underscore that the time has come for the world’s governments to agree to a set of rules of behavior to ensure long-term stability of the online environment. In particular, governments must refrain from attacking civilians and critical infrastructures in cyberspace.

For this reason, in early 2017, Microsoft called for the creation of a Digital Geneva Convention. This convention would commit governments to adopt and implement norms that have been developed to protect civilians on the internet, without introducing restrictions on online content.

Brad Smith DGC

A Digital Geneva Convention

The Fourth Geneva Convention has long protected civilians in times of war. It is now clear that we need to build on this legacy and forge a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace.

The foundations for this effort are already in place, but it took the international community a long time to reach the barest of consensus — that international law applies in cyberspace. The United Nations almost two decades ago set up a working body to ensure agreement is reached on how to handle the then relatively new field of information technology (IT), and in particular the increasingly difficult question of cybersecurity. It was only in 2015 that the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE) confirmed that international law applies to cyberspace. Although particular groupings, such as G7 and G20, have reasserted this position, it seems progress has stalled.

All of this points to the need to identify new steps ahead. These could include:

Governments should pursue a multilateral agreement that affirms recent cybersecurity norms as global rules. Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace. More than that, the drafting process should be used to add specificity to the broad agreements in place now and ensure their implementation. For example, such a convention should commit governments to avoiding cyberattacks that target the private sector or critical infrastructure, or the use of hacking to steal intellectual property. Similarly, it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.

There is a need to set up an independent attribution organization that spans the public and private sectors. Today a perception exists about the ability to accurately attribute cyberattacks to their perpetrators. It is time for industry to dispel this myth. Although not simple, attribution capabilities have improved dramatically over the past few years. However, the capabilities are often dispersed between different technology companies and governments, and there are no established rules to dictate how this information could be shared. To address this, the world needs an independent organization that can investigate and share the evidence that attributes nation-state attacks to specific countries. Although there is no perfect analogy, the world needs an organization that can address cyberthreats in a manner like the role played by the International Atomic Energy Agency in the field of nuclear nonproliferation. This organization should consist of technical experts from across governments, the private sector, academia and civil society with the capability to examine specific attacks and share the evidence showing that a given attack was by a specific nation-state. Only then will nation-states know that if they violate the rules, the world will learn about it.

The tech sector needs to act collectively to better protect the internet and customers everywhere from nation-state attacks. As the first responders to threats that in part target our own infrastructure, it’s important for global technology companies to adopt concrete commitments to help deter and respond to nation-state cyberattacks. We believe that should include a pledge not to assist any actor, including governments, in attacking the information infrastructure of another party, irrespective of where they are in the world; a pledge to work together to address security issues, as well as to not traffic in vulnerabilities for offensive purposes or embrace business models that do so.

What Microsoft is doing:

The tech sector plays a unique role as the internet’s first responders, and we should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world’s trust. Microsoft is aggressively taking new steps to better protect and defend customers. This includes new security features at every level of the technology stack, reflecting the $1 billion that we’re spending annually in the security field.

Within Microsoft we’ve forged a unique, internal three-part partnership among the 3,500 security professionals from across the company. The Microsoft Threat Intelligence Center (MSTIC) is our reconnaissance arm, combing through the constant stream of data from our more than 200 cloud services and third-party feeds. Using machine learning, behavioral analysis and forensic techniques, this dedicated team creates a real-time picture — a security intelligence graph — of cyberactivity related to advanced and persistent threats to Microsoft and our customers. When a threat is detected, MSTIC alerts our Cyber Defense Operations Center (CDOC), an “eyes on glass” command center staffed 24 hours a day, seven days a week by rotating teams of security and engineering professionals from across our product and services portfolio. This team of specialists serves as our front line, taking immediate action against threats to defend our own systems and protect customers.

As we identify threats, we’re not only working with customers, but using legal process, led by our Digital Crimes Unit (DCU), to respond in new and innovative ways that disrupt attacks, including those launched by nation-states. Last year MSTIC identified an attack pattern that led to a group associated with a nation-state that had registered internet domains using names that included Microsoft and other companies’ trademarks. We went to federal court, obtained court orders and successfully sought appointment of a special master to oversee and expedite additional motions in our case. Working under this judicial supervision, we can notify internet registries whenever this group registers a fake Microsoft domain and request that control of that domain be transferred immediately to a sinkhole operated by DCU.

Using this novel approach, we can disrupt the nation-state’s use of these domains within 24 hours. Since last summer, in response to extended nation-state attacks, we have taken down 60 domains in 49 countries spread over six continents. In each instance we stopped the flow of data to the hackers from any customers whose computers were hacked, we notified the customers of the nation- state attack, and we helped them clean their environment and increase their security.

We are also working hard to protect other areas of potential vulnerability in the digital estate. Email, for example, is responsible for an estimated 90 percent of all hacking via “phishing” attacks. In response to this, we have introduced Advanced Threat Protection for Microsoft Exchange Online. It identifies recognizable malware and suspicious code patterns in emails and stops them before they can do damage. In addition, Office 365 Threat Intelligence provides enterprises with information on the top targeted users, malware frequency and security recommendations related to their business. Building on that, we added new data governance features for Office 365, including alerts that will be sent automatically to users when someone attempts to copy and download their inbox. We’ll be adding new features and offers in the coming months that provide additional protection.

But security-related product features are just the start. Data analytics and machine learning have become game-changing defense mechanisms. Microsoft’s datacenters are connected to over a billion computing end points and receive over a trillion data points every day. Advanced Threat Protection alone processes 6 billion emails each day. This provides the foundation for world- class early warning systems to detect cybersecurity attacks.

Across the tech sector, companies are racing to provide stronger cybersecurity protection for customers, including from nation- states. Each of our advances is making an important contribution. But we’re nowhere close to being able to declare victory. We therefore need to recognize a critical truth — this is not a problem that we can solve solely with each of us acting alone.

If we’re going to turn these words into effective action, we need to come together as an industry to develop our own clear principles and to help put in place the steps needed to make these principles real. For example, we should commit ourselves to collaborative and proactive defense against nation-state attacks and to remediate the impact of such attacks. We should pledge that we’ll continue to take no efforts to assist in offensive actions anywhere. We should make software patches available to all our users, regardless of the attackers and their motives. We should adopt coordinated disclosure practices for the handling of product and service vulnerabilities.

We need to come together as an industry to develop our own clear principles.

There is strong progress on which we can build. For example, we at Microsoft have been collaborating with other leading cloud companies like Amazon and Google to combat cloud abuse such as spam and phishing sites. We’re working together on a common abuse reporting schema to accelerate the reporting of abuses we may see on each other’s networks. On issues such as customer notification of potential nation-state attacks, we’ve all learned from important work where Google and Facebook have been early and impressive leaders. More broadly, there is good work and common collaboration springing up everywhere, from new startups to the industry’s largest companies.

A Digital Geneva Convention will safeguard citizens around the world from major state-led or state-sanctioned cyberattacks. Given the critical importance of effective cybersecurity to international peace and the stability of the global economy, such an initiative is becoming increasingly critical. We need to build on the work done to date, but move with greater urgency and take steps now to pave the way a legally binding agreement that will ensure a stable and secure cyberspace. Microsoft is committed to working with governments around the world and the global tech industry to find a practical way forward to make this vision a reality.

We face major challenges as a society in the way in which we manage the impact of our activity on our environment. If we are to enjoy the benefits of a healthy, functioning planet, we must find a way to use the world’s resources in a way that allows us to live and work in a more sustainable fashion.

This is no small challenge. With the world’s population set to reach 10 billion by 2050, we will need to produce 70 percent more food on less land, using less water and without resorting to a significant increase in the use of existing fertilizer. Global biodiversity continues to decline with species extinction rates at record levels, and projected demand for fresh water over the next five decades is projected to outstrip supply by 40 percent. Climate change is exacerbating the speed, magnitude and severity of these issues, and causing dramatic global changes in our ecosystems that threaten human health, infrastructure and natural systems.

The scale and speed of the changes we see in our physical and natural world require new solutions. But the latest innovative technologies often come with a price tag and require computational expertise that puts them out of reach for many researchers and nongovernmental organizations. In response, Microsoft has created AI for Earth.[50] The program is aimed at putting the power of AI toward solving some of the biggest environmental challenges of our time. In late 2017, we announced an expansion of the program, including an additional $50 million in funding.

The program has three pillars:

Access: We will improve access by making a new pool of grants available to help researchers and organizations gain access to cloud and AI computing resources. This includes access to Azure compute time and our data science virtual machine offerings on Azure. These grant applications are available today.

Education: We will provide new training and educational opportunities to make sure people and organizations know what AI tools are available, how to use them and how the tools can help meet their specific needs. Our approach will be both broad and deep, reaching many people through general session trainings as well as small-group faculty summits on single-issue areas and training for grantees.

Innovation: We also want to encourage others to innovate based on the power and potential of AI. We will partner with others on lighthouse projects that demonstrate how AI can deliver results more rapidly, accurately and efficiently. Already, we have three projects underway — one enabling land cover mapping to aid precision conservation; another that will enable smart agriculture through sensors, drones, data and broadband connectivity; and another that will test the viability of using our smart mosquito traps to remotely track and monitor species health.

AI for Earth

AI for Earth builds upon Microsoft’s long history of innovation in AI, as well as our commitment to sustainability. We’ve taken many steps to operate more sustainably as a company, including operating 100 percent carbon neutral since 2012, setting commitments to increase the amount of renewable energy we use to power our datacenters and ensuring they operate more efficiently, and using the cloud and AI within our operations to reduce our resource consumption across the globe.

The private sector has an important role to play in addressing climate change, both within our operations and by democratizing the use of advanced technologies like AI across companies, countries and research organizations of all sizes, on every continent. These tools, and the insights derived from their use, can help our customers and partners not only reduce emissions to slow or stop climate change, but also adapt and thrive in a changing environment.

America is a vast country that continues to inspire inventors and innovators to devise and advance new ways to bring its people closer together and drive its economy forward. This can be seen in wave after wave of new technologies that have helped revolutionize transportation, communication and commerce for this country, and for the world. But the speed and spread of these innovations has often been uneven, sometimes leaving entire groups of Americans behind.

Access to electricity — the foundation of so many of the key innovations of modern life — is one example. By the mid-1930s, the electrification of urban America was nearly complete and had already revolutionized manufacturing and transformed almost every aspect of people’s day-to-day lives at work and at home.

But for millions of Americans living in rural towns, life remained largely unchanged. In 1930, only 10 percent of the country’s 6 million farms were connected to the electric grid. That meant the average farming family still spent 10 hours a week hauling water. Cows were milked by hand. Modern conveniences that city residents took for granted — refrigeration, electric lights, indoor plumbing — remained a dream for their rural fellow citizens.

Over the next 20 years, a nationwide focus on rural electrification brought this innovation to millions who had previously been left behind. By 1950, 90 percent of American farms were wired for electricity. The impact on economic opportunity and quality of life was dramatic: Automated milking machines cut the labor required to collect milk by 50 percent; the average value of crops per farm jumped more than 34 percent; and farming families no longer had to heat water for cooking over wood fires, light their homes with kerosene lamps or wash clothes by hand.

We’ve reached a similar moment in 21st century America. For so many of us, computers, mobile devices and cloud computing have already transformed how we connect to one another, work, learn and play. And we are only at the beginning of a sweeping technology revolution that offers the promise of new economic opportunities and new ways to address a wide range of once- unsolvable problems.

But as was true in the 1930s, rural Americans face significant barriers when it comes to accessing the benefits of the current technology revolution. Although 90 percent of Americans have broadband access, nearly 40 percent of Americans living in rural areas don’t live within reach of a broadband connection — 23.4 million rural Americans in all — meaning they are unable to take advantage of the economic and educational opportunities enjoyed by their urban neighbors.[51],[52]

Yet despite this glaring disparity, real progress to close the rural broadband gap has plateaued in recent years. High costs, the absence of new and alternative technologies, and market and regulatory conditions have hampered efforts to expand coverage. But this is changing, thanks to recent advancements in technology, newly adopted standards, business model innovations and a growing demand for a broad range of cloud services.

A new rural broadband strategy

In July 2017, Microsoft called for the elimination of the rural broadband gap in America within the next five years.

We believe that this is an achievable goal based on a new strategic approach that combines private-sector capital investments focused on new technologies with public-sector support. This is supported by findings by the Boston Consulting Group suggesting that a combination of technologies can substantially reduce the total cost of extending broadband coverage.

Specifically, a technology model that uses a combination of the TV White Spaces spectrum, fixed wireless and satellite coverage can reduce the initial capital and operating costs by roughly 80 percent compared with the cost of using fiber cables alone, and by approximately 50 percent compared with the cost of current LTE fixed wireless technology.

One key to deploying this strategy successfully is to use the right technology in the right places.

TV White Spaces is expected to provide the best approach to reach approximately 80 percent of this underserved rural population, particularly in areas with a population density between two and 200 people per square mile. Microsoft itself has considerable experience with this technology, having deployed 20 TV White Spaces projects worldwide.

But TV White Spaces alone will not provide the complete solution. Satellite coverage is expected to be the most cost-effective solution for most areas with a population density of less than two people per square mile, and LTE fixed wireless for most areas with a density greater than 200 people per square mile. This mixed model for expanding broadband coverage will likely bring the total national cost of closing the rural broadband gap to roughly $10 billion.

Microsoft’s new Rural Airband Initiative

Rural Broadband

At Microsoft, we’re prepared to invest our own resources to help serve as a catalyst for broader market adoption of this new model. We’re committed to three elements on a five-year basis:

  1. Direct projects with partners.

    Microsoft will invest in partnerships with telecommunications companies with the goal of bringing broadband connectivity to 2 million people in rural America by July 4, 2022. We and our partners will have 12 projects up and running in 12 states in the next 12 months.

    Our goal is not to enter the telecommunications business ourselves or to profit directly from these projects. We will invest in the upfront capital projects needed to expand broadband coverage, seek a revenue share from operators to recoup our investment, and then use these revenue proceeds to invest in additional projects to expand coverage further.

  2. Digital skills training for people of all ages.

    Working through Microsoft Philanthropies, our Rural Airband Initiative will invest in helping train people of all ages in these rural communities on the latest technologies so they can use this new connectivity to improve education, healthcare and agriculture, and transform their businesses.

    Our first partnership under the Rural Airband Initiative will be a multiyear partnership with National 4-H Council — engaging America’s largest youth development organization, 4-H, to provide digital literacy skills training to youth as well as teen-led learning programs in rural communities.

  3. Stimulating investment by others through technology licensing.

    Our ultimate goal is to help serve as a catalyst for market investments by others in order to reach additional rural communities. That’s why we’re launching a new program to stimulate investment through royalty-free access to at least 38 patents and sample source code related to technology we’ve developed to better enable broadband connectivity through the use of TV White Spaces spectrum in rural areas.

A vital role for the public sector

Although we believe the private sector can play the leading role in closing the rural broadband gap, the public sector also has a vital role to play. Three related governmental measures are needed:

First, the Federal Communications Commission (FCC) needs to ensure the continued use of the spectrum needed for this mixed technology model. Specifically, it will be important for the FCC to ensure that at least three channels below 700 MHz — the so-called TV White Spaces — are available for wireless use on an unlicensed basis in every market in the country, with additional TV White Spaces available in smaller markets and rural areas.

In addition, federal and state infrastructure investments should include targeted funds on a matching basis for the capital investments that will best expand coverage into rural areas that currently lack broadband access. These funds should be made available for use by multiple technologies based on what is most needed.

What’s at stake

It’s not just the United States that has the challenge of a broadband gap. Across the world, there are billions of people who have no access to high-speed broadband or who struggle with the affordability of connectivity. But, like many countries, America has become accustomed to ongoing capital investments to expand broadband capacity in areas that already have broadband coverage. The time has come to expand this coverage to those areas that currently lack it entirely.

And although we are making a major push in the United States, the Microsoft’s Rural Airband Initiative is drawing on years of experience from more than 20 projects in 10 countries. This experience has given us the insights to know where to put our resources as well as where we need the support and expertise of others.

We believe there is an opportunity for other companies large and small to join in with market-based investments. We all have the opportunity to innovate together — achieving together what none of us can accomplish alone.

And just as we look forward to sharing what we have learned as a company, we look forward to applying over the next five years what we undoubtedly can learn from others.

Broadband connections have become indispensable for accessing healthcare, advancing education, improving agriculture and growing a small business. No country should settle for an outcome that leaves behind a large percentage of the community. We can and should bring the benefits of broadband coverage to every corner of the nation.

We look forward to working in partnership with government leaders at all levels, private-sector companies that have the expertise to develop and deliver affordable solutions, and local community members who can help enable the capabilities that a new generation of digital innovations and cloud computing can provide.