Microsoft Aims To Regain Trust in a Post-Snowden World
Nearly a year after Snowden leaks, Redmond officials speak out for transparency in security versus privacy conflict between IT providers and governments.
The growing adoption of secure software development practices and the evolution of the "trusted software stack" left Scott Charney, corporate vice president of the Microsoft Trustworthy Computing group, optimistic about the future of IT security early last year. Charney's confidence didn't foreshadow the stunning leaks by former National Security Agency (NSA) contractor Edward Snowden, who famously disclosed last June the NSA's surveillance programs, through which it was accessing supposedly secure systems.
Despite the Snowden revelations, Charney claims his optimism remains intact, though it's now tempered by the old conflicting priorities of security versus privacy, framed in a new threat landscape. "It's always a challenge when we have competing interests try to figure out how to think about the problem and make choices that will work for us as a society," Charney told attendees at the recent RSA Conference in San Francisco, where his annual keynote has served as Microsoft's de facto annual state of security progress report.
Charney's optimism notwithstanding, critics believe Microsoft, Google Inc., Apple Inc., Yahoo Inc. and other major providers have taken a step back. In a survey last fall of Redmond magazine readers, 70 percent said they were very or somewhat concerned about the NSA surveillance activities in the wake of the Snowden revelations. Making matters worse for Microsoft, Snowden singled out the company for providing backdoors to its cloud services, a claim Microsoft has strongly denied.
Further casting a shadow over Microsoft, the company in March revealed it had gone into its Hotmail service to access e-mails by a former employee who allegedly stole trade secrets and code. Microsoft said it had probable cause to search the e-mails, which didn't require a court order specifically because it was its own service, and the messages provided the evidence to have the employee arrested and charged.
Nevertheless, the Microsoft snooping resulted in a swift backlash, and a week later the company said it would turn to law enforcement in the future and update its terms of service to reflect the new policy.
Blurring the Lines
Microsoft isn't the only company on the defensive. RSA, a subsidiary of EMC Corp., was also fending off backlash following Snowden's disclosure, which claimed it provided the NSA with a backdoor to its encryption products, a claim the company denied. RSA took more heat in late March when a team of professors from Johns Hopkins University, the University of Wisconsin and the University of Illinois, among others, claimed they found a second tool the NSA used to exploit vulnerabilities in RSA encryption.
Art Coviello, executive chairman of RSA, the company that developed the widely used encryption algorithm, defended the company's decision to work with the NSA, implying that there had been a kind of betrayal. "When or if the NSA blurs the line between its defensive and intelligence-gathering roles, and exploits its position of trust within the security community, then that's a problem," Coviello said in his conference keynote.
Microsoft's Charney pointed to the inherent conflict between governments and technology providers. "Because [governments] exploit the Internet, there's always this inherent tension in their mission," Charney said. "If they know about a vulnerability in Windows, do they tell Microsoft so we can fix it? Or do they keep it to themselves so they can exploit it?"
Charney also used his pulpit to echo the denials by Microsoft that it supplied bulk data to the NSA. "We only respond to court orders that specify specific accounts," Charney said. "We've never had an order for bulk data, and we wouldn't provide it even if we did. We have to honor the law in the countries where we do business."
Charney insisted Microsoft doesn't put backdoors into its products and services. "If I put a backdoor in our products, our market cap goes from $260 billion to zero overnight," he said. "It's economic suicide." Charney also complained about how the media has portrayed Microsoft's interactions with authorities. He offered as an example the controversy around a set of forensic and auditing tools for Microsoft systems called Computer Online Forensic Evidence Extractor (COFFEE), which the company provides to law enforcement more or less on demand. "We give it to investigators when they seize a Windows computer," he said. "It's a bunch of tools that might help you find evidence. There's nothing secret about it. It's on the Web. It's standard utilities."
Moves to Improve Transparency
Microsoft -- along with Google, Facebook Inc., and Yahoo -- has been hard at work to clean up public perception of its role in the recently revealed NSA data collection, chiefly by pushing to expand its ability to be transparent, Charney pointed out. Microsoft General Counsel Brad Smith has blogged on those efforts. In a recent posting (bit.ly/1ekWklU), Smith talked about a lawsuit filed last summer by Microsoft and Google against the U.S. government, which argued that the two companies have a legal and constitutional right to disclose more detailed information about governmental demands for customer data.
"We contended that we should be able to disclose information about legal orders issued pursuant to U.S. national security laws such as the Foreign Intelligence Surveillance Act (FISA)," Smith wrote, "which we had previously been barred from disclosing." Microsoft, Google, Facebook, and Yahoo reached a transparency deal with the Justice Department last month that allows the companies to publish data about the types of requests they receive from national security authorities.
"Transparency" has been an industry byword since that deal was struck, and it served as something of a shibboleth among Microsoft presenters at the conference. "Transparency builds trust," Microsoft CISO Bret Arsenault told Redmond. "But that's really nothing new for us. The truth is, we've always tried to be transparent. Essentially, Snowden's actions have raised awareness at a global level, so people are asking questions about things that we were already doing."
Cloud vs. On-Premises Security
Is the cloud inherently vulnerable to the demands of a government for data access? Microsoft's Arsenault echoed Charney's claim that Microsoft has never been asked for bulk data, adding, "If we are ever asked, we will fight it," during a panel discussion.
Charney also acknowledged modern encryption systems could provide a technical solution to such a problem -- the customer possesses his own crypto key -- but then insisted it would be a mistake to pursue that strategy alone.
"I wouldn't want to see a technical control undermine the fact that we need to have the transparency for those requests," he said. "We need to do both, and we're all working on how to do that."
Transparency has emerged as a key component of a secure cloud, but only insofar as it engenders trust, said Bruce Schneier, cybersecurity expert and CTO of Co3 Systems Inc., speaking on the same panel. "Fundamentally, 'cloud' means to me your data is on somebody else's hard drive," he said. "Do I trust that other legal entity with my data on their hard drive? In some ways, this is no different than the levels of trust that we have had to have through the years. Vendors can screw our security, make bad decisions and lie to us."
Arsenault acknowledged the much-publicized Microsoft promise (bit.ly/1ptqh3D) to strengthen and expand its encryption of data -- both for data in transit and at its datacenters -- is a relatively direct response to the Snowden revelations. He described it as "a new standard for customer data." Microsoft has also said it intends to use Perfect Forward Secrecy to protect all data moving among its online services, including Microsoft Azure, Office 365, Outlook.com and OneDrive. The process relies on the ephemerality of cryptographic keys, and generates random, 2048-bit public keys for each online session.
But do those technical moves coupled with a public commitment to transparency -- even one backed up with lawyers -- really demonstrate that Microsoft is stepping up its cloud security game in the post-Snowden era?
Snowden Stokes Cloud Fears
According to Mark Russinovich, Technical Fellow on the Microsoft Azure product team, the answer is yes. Russinovich is well known as the co-creator (with Bryce Cogswell) of the Sysinternals Windows administration and diagnostic tools. Also speaking at the RSA Conference on public cloud security, Russinovich said he has observed a new skittishness among existing and potential cloud users that's likely a reaction to the Snowden leaks. But even before Snowden went public with worrying information about the NSA's data collection practices, the No. 1 concern among users of cloud technologies was -- and still is -- security, he said.
Those concerns are, of course, not without foundation. During his presentation, Russinovich offered attendees a top-10 list of security risks inherent in public clouds, ranging from "shared technology vulnerabilities" and "abuse of cloud services," to "Shadow IT" and insecure APIs. He also included "malicious insiders," a category that takes in the likes of Snowden.
But the good news, Russinovich insisted, is public cloud providers are generally better at responding to these threats than most organizations. "We recognize how risky it is to leave [the threats] out there," he said. "We can't wait for Patch Tuesday because we're exposed. We also have automated software deployment systems -- we have to run at scales of hundreds of thousands or millions of machines -- to be able to deploy software out to those machines quickly and efficiently without human interaction. Enterprises are generally not quite as good at rolling out patches."
Public cloud providers are just plain geared up to detect breaches, Russinovich pointed out; it's an essential part of their business. Along with its amped-up data encryption practices, the Microsoft Azure group enforces a set of controls that keep physical data from leaving the datacenter, Russinovich said. And it uses third-party certifications, such as FedRAMP and HIPAA, to ensure its employees are handling data properly.
Microsoft's Charney said the solution to the inherent conflict between security and privacy thrown into the spotlight by the Snowden leaks lies, at least in part, with the adoption of worldwide "norms" that mirror the "doctrine of proportionality" exemplified by the Geneva Convention -- norms that weigh government interests in accessing data in the pursuit of law enforcement investigations against trust in the Internet and the privacy and security of users.
But the security industry can't wait for such norms to emerge, he admitted. "If you're in this industry you deliver stuff to customers every day," he said, "and you have to make choices, and you have to make choices now. You can choose to encrypt things, in which case governments' jobs will be harder and criminals' lives may be a little easier. Or you can choose not to encrypt things, in which case governments' lives may be a little easier, but you'll have bad implications for security and privacy."