ISSE 2012: Private Sector Needs Inclusion in International Cybersecurity Plans

Presenting his keynote at ISSE 2012 in Brussels on 24 October, Microsoft's Paul Nicholas argued that “as the private sector owns and operates the majority of infrastructures, networks and platforms, and responds to increasingly sophisticated cyber events, it’s absurd that they are not always included in relevant international cybersecurity discussions”.

The paradigm shift in the industry requires a change in risk management, and collaboration between the private sector, the public sector and academia, he said. “Connectivity between machines and applications enables innovation – the average person has 13 accounts and 10-20 apps – but it also results in a decreasing span of control”, Nicholas said, adding that 75% of user data and attributes are outside the user's control.

Nicholas declared that 33 states have developed a military doctrine for cyberspace and 36 could develop offensive capabilities. “Inclusivity is key to understanding the full dimension of cybersecurity challenges”, he insisted. “We [Microsoft] are partnering with security researchers and the public sector to create a safer internet.”

In contrast to the ISSE opening keynote given the previous day by James Sheire, senior advisor for the US National Strategy for Trusted Identities in Cyberspace, Nicholas declared that building security into software is not a silver bullet. “Should software makers be more like BMW and build security in? No, they shouldn’t. The [movement] out there to attack software services and hardware is lucrative and diversified – they’ll look for vulnerabilities and will sell them to governments, organisations, or just the highest bidder”, he said, suggesting that a more specialised approach and product is needed.

The standard ISO/IEC 27034-1 was released as the first international standard on secure software development, Nicholas told his audience. “It’s a big step forward. We need stronger investment in international standards for secure software development, and also for supply chain security, which is a real concern”.

As part of Microsoft’s “internet health” movement, the Microsoft Active Protections Program (MAPP) was launched four years ago to stop attackers from turning the list of upcoming patches into exploits before defenders could respond. “We decided to share this with 80 information security vendors instead – some of whom are our competitors – so that they can get ahead of the attackers. We made this call because it means our users will be safer.”

With the exception of two vendors which released the information early and were consequently “bumped out of the programme”, Nicholas considers the initiative a large success, and “the reason why we don’t have noisy exploits like Slammer any more”.

“You can’t stop cybercrime, but you can increase the cost and disruption to the attackers”, Nicholas said, echoing a presentation given on the TwC Press Tour in June 2012 (previously reported by Infosecurity) and referring to the “taking down of five botnets in the last few years: Waledac, Rustock, Kelihos, Zeus and Nitol”.

Public-private collaboration was not the only form of cooperation Nicholas called for. “It’s a tough business for ISPs at the moment. They say ‘if software providers wrote better code we wouldn’t have this problem’, but we need to work together”, he concluded. “We need a new generation of device health”.
