Jan Neutze, Microsoft’s Director of Cybersecurity Policy for Europe, Middle East and Africa, shares his insights on cybersecurity and the role Microsoft plays to ensure governments, businesses and individuals around the world are secure. In a conversation with Microsoft India News Center on the margins of the Global Conference on Cyberspace, held in New Delhi this week, he also discusses the need for robust cybersecurity programs and policies, and how Microsoft’s CyberSecurity Engagement Center (CSEC) in India was launched to tackle the continuous cyber threats we face.
Q: India is one of the fastest growing internet markets in the world, but that also makes it more vulnerable to cyberattacks. What is the role that Microsoft plays to ensure citizens, businesses and government bodies remain secure?
Jan Neutze: Cybersecurity is one of the most important aspects for any economy that is rapidly digitizing, especially digitizing at a rate such as India is currently seeing. From Microsoft’s perspective, there are things that we are doing to not only ensure the security of our own products and services but also the security of our customers.
At Microsoft, we integrate security at every step of our product development. We recognized that is one of the critical foundations of how we develop and deploy our products and services. We have a methodology for developing our software securely—what is called our security development lifecycle (SDL)—which is something we established as a mandatory policy in 2004 and have since continued to evolve to a point where it has become an industry-leading standard on how to actually develop software securely. We have also taken the learnings from SDL and applied it to how we securely develop our cloud services – a process we call Operational Security Assurance (OSA). Both SDL and OSA have become critical foundations for how we build security into our products and services right from the start.
Given our lessons learned over the last 15 years, there is a lot of experience we can share with others—both in the technology sectors and also across other sectors, especially in a time when we have many companies that are also becoming digital companies in the context of Internet of Things (IoT), where a lot of more traditional products are being connected to internet.
We are one of the leading cloud providers and securing how we deliver our 200+ cloud services is of fundamental importance. As such, we have a very significant investment of over USD 1 billion on cybersecurity every year, and we have over 3,500 internal security professionals that work on cybersecurity and cloud security at Microsoft. These include teams such as our Cyber Defense Operations Centre (CDOC), which operates 24×7, 365 days a year. Our security experts are basically marching around the clock.
CDOC essentially is a fusion center that brings together and analyzes cyber threat intelligence generated from a range of different sources. What makes Microsoft’s security capability unique is not only our significant volume of telemetry, but also that we have the people who are able to analyze it and make determinations on what the threats are and how to keep our customers safe.
“We have over 3,500 internal security professionals that work on cybersecurity and cloud security at Microsoft, and invest over USD 1 billion on cybersecurity every year.”
Q: How does the government gain the trust of its citizens to enable seamless adoption of digitization in an environment of digital risks and cyberattacks?
JN: Having robust cybersecurity programs and cybersecurity policies in place is inevitable for any country that is advancing its digital transformation, and there are several perspectives that need to be part of this approach. Number one, it’s critical to have a national cybersecurity strategy that can tie in with the broader digitization program, which India has certainly developed and is in the process of implementing.
In addition to strategy, what we see from a global perspective is that many governments have now moved into a phase where they are trying to adopt cybersecurity regulation, and that includes things like regulating national infrastructure and to some degree, also to regulate or partner with the technology sector. The important question in this context is to develop a clear, risk-based approach to what needs to be regulated, what can be solved through public-private partnerships, and what are the ways those partnerships should be implemented.
At Microsoft, we try to be constructive in engaging on both regulatory and voluntary cybersecurity approaches. We regularly provide feedback on global best practices that can help shape those cybersecurity policies, and we participate in a range of public-private partnerships. To give you an example, one of our long-standing programs at Microsoft is our Government Security Program, which currently includes over 70 organizations in 40+ countries. This program gives them access to a whole range of things including, in some cases, controlled access to review our Microsoft source code, as well as access to technical data and access to technical experts, all of which are geared towards ensuring the trust and confidence of governments in the security of our products and services.
There are many other examples on how governments and industry can and should collaborate on cybersecurity. But, at a high level, to advance cybersecurity underpinning a country’s digital transformation, you need to have these three things in place—you need to have strategy, you need to have a policy framework, and you need to, in addition, have a robust mechanism to collaborate with the industry.
“Microsoft’s Government Security Program currently includes over 70 organizations in 40+ countries.”
Q: What are your thoughts on the role of cybersecurity, especially in the context of the Indian government’s ‘Digital India’ program?
JN: At Microsoft, we are very excited and delighted to see that India is committed so much towards the ‘Digital India’ project. The fact that the government has recognised that this is an important priority for the country is something other countries would do well to study and learn from.
In its push to advance digitization, India has the opportunity to avoid some of the challenges and mistakes made by others and ensure that security is built into its framework right from the start, rather than sort of bolt it on at the end.
The Cyber Surakshit Bharat initiative, for instance, for which Microsoft is a partner, seeks to build out the cybersecurity capacity of the Chief Information Security Officers (CISOs) across the government, by training 1,200 government CISOs. We think this initiative has great potential, and we will see if we can replicate it elsewhere in the world.
Q: We, as Microsoft, enable a lot of enterprises in their digital transformation journey. What are the current trends in cyber threats and security issues, for businesses and industries in India and the risks to the country?
JN: Broadly speaking, there continue to be different types of cybersecurity threats; on one hand, we see continuous expansion of cybercrime, with cyber criminals becoming more sophisticated. The other category of threats and threat actors involves nation-states, and what governments are doing with regards to developing cyber offensive capabilities. These threats tend to be highly targeted at either critical infrastructure or governmental networks of other countries – though the challenge is that these threats are hard to contain and have the potential of significant and often unintended consequences which makes them so dangerous.
To tackle these challenges, Microsoft has developed several capabilities including our Digital Crimes Unit (DCU). Launched almost a decade ago, DCU opened a global Cybercrime Center in 2013 and has since established a network of satellite centers, the latest one being our Cyber Security Engagement Center (CSEC) here in India. These investments are helping us combat cybercrime and advance cybersecurity in a holistic way.
Q: Tell us more about Microsoft’s CSEC in India. What is its role and how does it fit into Microsoft’s global cybersecurity vision?
JN: Microsoft’s CSEC was launched last year in India and its mission is to drive public-private partnerships that will strengthen cooperation with Indian businesses, academic organizations, and government on cybersecurity. The CSEC also aims to fight cybercrime by securing Indian computers and internet users from various cybercrime threats by bringing together experts such as security response experts, investigators, and attorneys from Microsoft’s Digital Crimes Unit.
Cybersecurity challenges don’t stop at national borders. It is a global challenge, so you need a global network of capabilities, which is exactly what we have set up. That ties into some supplementary efforts and capabilities such as our global Transparency Centers, where we provide access not only to our source code but also secure access to Microsoft experts. In recent years we have opened these centers all over the world—North America, Europe, Asia, as well as Latin America—and all that is geared towards ensuring that we have a global approach to cybersecurity that can help us mitigate threats that we may see in one part of the world, and then make sure we can protect our customers in equal or equable ways around the world.
Q: One cybersecurity policy initiative that has recently made headlines is Microsoft’s call for a Digital Geneva Convention – can you tell us more about that?
JN: The Digital Geneva Convention is a call to action which our president, Brad Smith, first announced earlier this year at a cybersecurity conference in San Francisco. It proposes three different things: One is a call on governments to advance and implement certain limits on the use of their cybersecurity offensive capabilities to ensure better protection of civilians and civilian infrastructure from government-sponsored or government-directed cyberattacks.
The idea here is to build on existing legal foundations such as the existing Geneva Conventions, which apply to armed conflict, and to complement that foundation with potentially new rules. There is a robust set of rules for what should be off limits during armed conflicts, but we believe there are gaps regarding protection of civilians and civilian infrastructure below that threshold – which is where we are currently seeing most of the malicious cyber activity.
The second element of our proposal is focused on what more industry should do to advance cybersecurity globally. We shouldn’t just ask the governments to be responsible actors in cyberspace; we also need industry to commit to certain principles. This includes, for example, a commitment for technology companies to be 100% focused on defense, and zero percent on offense, and to be impartial in terms of how we approach the patching and mitigation of cybersecurity attacks.
And the third element of the Digital Geneva Convention talks about the role of attribution of significant cyberattacks against civilians, with the aim of holding those that violate agreed-upon norms and principles accountable. A possible way to do that is to develop new mechanisms to bring together relevant cyber threat intelligence from multiple sources across industry, academia, and possibly government.
So really, we are talking about three things: Governments need to do more; industry needs to do more; and potentially, together, we can do more on this question of cyber-attack attribution.
Q: How has the response been from governments across the world to establish a Digital Geneva Convention?
JN: The response from governments has generally been positive for the industry to play a larger role in this dialogue, versus a dialogue that in the past has primarily taken place between and among governments. I think that there is a recognition that as economies are digitizing and digital technology plays a much larger role, digital companies also need to be involved in these global cybersecurity discussions in a more meaningful way. The Global Conference on Cyberspace taking place in New Delhi this week is an important opportunity in that regard.