Microsoft security guru: Abusing data should be a felony

If Microsoft's chief security adviser had his way, it would be a felony to misuse personal data.

Stiff penalties are the only way to ensure that people and organizations won't violate rules about appropriate data use, said Craig Mundie, speaking on privacy and cybersecurity at the EmTech MIT conference in Cambridge on Thursday (All of which should make for interesting conversation between Mundie and NSA director Gen. Keith Alexander, both of whom were to be honored later in the day at the Eisenhower Awards Dinner in New York City for their contributions to national security.)

Current rules for ensuring data privacy are broken, according to Mundie, in a world in which people are being observed in increasingly intimate ways by the tech devices and tools they use daily. "More and more, the data that you should be worried about, you don't even know about," said Mundie, who until late last year was Microsoft's chief research and strategy officer. "You don't even know to complain about the existence of the data."

[IN THE LABS:25 of today's coolest network and computing projects]

Back when credit cards emerged a few decades ago, individuals could weigh the risks and rewards of revealing private information in exchange for services that would make their life easier. That model worked to guide law and policies, but "is now failing in a gargantuan way" because of all the data being collected and retained in so many ways. With smartphone apps asking permission to use your location but never telling you what they plan to do with that info, or indicating what might happen to via downstream distribution, it's clear that data privacy rules need serious updating, Mundie said.

He envisions a "usage-based way of controlling data" under which information would be protected in a sort of cryptographic wrapper (think digital rights management on movie DVDs or music CDs) with metadata defining what can and more importantly can't be done with the data. Based on discussions Mundie has been involved in with people at other companies as well as with regulators around the world, he said reception to such a concept has been generally good, even in Europe where data privacy rules have become increasingly strict.

With sensitive data such as that related to genomics only becoming more commonly available, there's a realization that rules will need to change, but rules won't be able to apply to each specific type of data, Mundie said. "Therefore I think we need to move to a model with an architectural basis," he said.

A computerized architecture to manage all this would support users changing their mind over time regarding what they would allow others to do with their data, as new applications they never anticipated emerge, Mundie said. "You can't possibly write [all] the rules in advance," he said.

"Oftentimes it isn't until an app emerges and grows to scale that people start to realize it is kind of creepy," Mundie said.

Such a data privacy architecture would work both ways though, Mundie said. Governments might decide there is certain data that users must share for the common good, such as related to public health or law enforcement, he said. But rules would need to be very clear so that the public is comfortable with how such data is being used, unlike with that found to be collected in the wake of the Edward Snowden leaks.


As for the broader topic of cybersecurity, Mundie lumps threats into five not mutually exclusive categories: hacking; crime; espionage; warfare; and terrorism. Espionage and more specifically, economic espionage -- is the one that really has him worried these days, with countries such as China blatantly supporting or at least looking the other way when businesses within its borders swipe intellectual property from outfits in the United States and elsewhere to gain competitive advantage.

"Over a relatively short period of time, a decade or two, you could see a fundamental undermining of the economic well-being of a country" if such activities are allowed to persist, Mundie said. In the case of the United States and China in particular, the U.S. needs to take actions on the trade front, he said.

For organizations, traditional access control and password-based security techniques aren't enough to protect critical assets, Mundie said. Such assets will need to be encapsulated in more rigorous ways, he added.

One technique Microsoft has been taking for about two decades to keep its friends close and potential enemies closer is to share its Windows source code with other nations' governments and their intelligence agencies, figuring these governments use its technology so they would have an interest in protecting it.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecuritynsalegalWide Area Networkcybercrime

More about MicrosoftMITNSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bob Brown

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place