Microsoft says government snooping constitutes an APT event

Microsoft isn't happy, and their top lawyer had plenty to say about protecting customer information this week in a blog post that announced the company's efforts to implement wide-reaching encryption.


Brad Smith, the General Counsel & Executive Vice President of Legal & Corporate Affairs at Microsoft, said on Wednesday that the software giant is taking steps to protect customer data from government snooping. Like Google, Yahoo, and Twitter before it, Microsoft recognizes that its customers are concerned, and plans to do something about it.

The revelations from Edward Snowden this year, which focused on the wide-reaching, sweeping data collection done by the NSA and partner intelligence agencies, touched all of the major technology firms in one form or another.

"Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures -- and in our view, legal processes and protections -- in order to surreptitiously collect private customer data," Smith wrote.

Without naming him directly, Smith referenced the countless stories and media reports during the second half of the year sourced from Snowden's leaked documents. All summer long, it seemed, a new story emerged weekly focused on governmental interception and collection somewhere in the world, often without search warrants or legal subpoenas.

The most critical stories were reserved for the U.S., and the one that alarmed Silicon Valley the most focused on the collection of data in transit between corporate datacenters over private network links. Those links were assumed to be a secure channel because they were private; they were nothing of the sort, and an interception point on the link sees whatever is not encrypted.

Assuming all of the reports are true, then the government's efforts threaten to "seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an 'advanced persistent threat,' alongside sophisticated malware and cyber attacks," he said.

To address this new APT, Microsoft plans to expand encryption across its services; to reinforce existing legal protections, including fighting gag orders and continuing to notify customers of government data requests whenever it is allowed to; and to increase the transparency of its software code, making it easier for some customers to verify for themselves that there are no backdoors.


"For many years, we've used encryption in our products and services to protect our customers from online criminals and hackers. While we have no direct evidence that customer data has been breached by unauthorized government access, we don't want to take any chances and are addressing this issue head on," Smith said.

The massive engineering undertaking will span Microsoft's communications, productivity, and developer services, including Office 365, SkyDrive and Windows Azure. The changes listed in Smith's post include Perfect Forward Secrecy and 2048-bit keys for the customer data that will be encrypted. Both measures target exactly the link-tapping scenario above: with forward secrecy each session is protected by an ephemeral key that is discarded afterwards, so traffic recorded from a link today cannot be decrypted later by obtaining the service's long-term private key, and a 2048-bit key raises the cost of breaking that long-term key in the first place.
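As an added illustration of what those two requirements look like as a checkable policy (this is not Microsoft's code and does not come from Smith's post), the Python below classifies a negotiated cipher suite as forward-secret or not, flags server keys shorter than 2048 bits, and builds a client context that refuses static-RSA key exchange. The 2048-bit floor, the obsolete-protocol list, and the sample handshake records are assumptions constructed for the example.

```python
"""Check observed TLS parameters against a forward-secrecy / 2048-bit-key policy.

Added example, not Microsoft's code. MIN_KEY_BITS, OBSOLETE_PROTOCOLS and
SAMPLE_HANDSHAKES are assumptions/constructed data, not Microsoft's settings.
"""
import ssl
from typing import List, Tuple

MIN_KEY_BITS = 2048  # assumed floor, taken from the "2048-bit keys" in the post
OBSOLETE_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")  # assumed cut-off for this policy

# Key-exchange families that give forward secrecy: a fresh (EC)DH secret per
# session, so a later compromise of the server's long-term key does not decrypt
# recorded traffic. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use
# ephemeral key exchange. Both IANA and OpenSSL naming styles are covered.
_FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "ECDHE-", "DHE-",
                            "TLS_AES_", "TLS_CHACHA20_")


def is_forward_secret(cipher_suite: str) -> bool:
    """True if the suite name implies an ephemeral (forward-secret) key exchange."""
    return cipher_suite.upper().startswith(_FORWARD_SECRET_PREFIXES)


def check_handshake(cipher_suite: str, server_key_bits: int, protocol: str) -> List[str]:
    """Return the policy violations for one observed handshake (empty list = pass)."""
    problems = []
    if not is_forward_secret(cipher_suite):
        # Static RSA key exchange: the session key is encrypted to the server's
        # certificate key, so recorded traffic falls with that key.
        problems.append(f"{cipher_suite}: static key exchange, no forward secrecy")
    if server_key_bits < MIN_KEY_BITS:
        problems.append(f"server key is {server_key_bits} bits, below {MIN_KEY_BITS}")
    if protocol in OBSOLETE_PROTOCOLS:
        problems.append(f"{protocol}: obsolete protocol version")
    return problems


def forward_secret_context() -> ssl.SSLContext:
    """Client-side context that only offers suites with ephemeral key exchange."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: ephemeral key exchange only; anonymous and
    # null suites are excluded explicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def static_rsa_suites(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites that still use static RSA key exchange (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa"]


# Constructed sample handshakes (not real captures): the weak setting first,
# then two configurations that satisfy the policy.
SAMPLE_HANDSHAKES: List[Tuple[str, int, str]] = [
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 1024, "TLSv1"),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 2048, "TLSv1.2"),
    ("TLS_AES_256_GCM_SHA384", 2048, "TLSv1.3"),
]

if __name__ == "__main__":
    for suite, bits, proto in SAMPLE_HANDSHAKES:
        issues = check_handshake(suite, bits, proto)
        verdict = "OK" if not issues else "; ".join(issues)
        print(f"{suite} ({proto}, {bits}-bit key): {verdict}")
    print("static-RSA suites left in hardened context:",
          static_rsa_suites(forward_secret_context()))
```

The name-based classifier is the piece to reuse in log review: feed it the cipher suite recorded by a load balancer or a packet capture and any hit on a `TLS_RSA_` suite is a session whose traffic could be decrypted retroactively if the server key ever leaks. The context function shows the server-side fix from the client's point of view: once static-RSA suites are removed, `get_ciphers()` should report no `kx-rsa` key exchange at all.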

In the case of third-party services that are running on Azure, the level of data protection will be up to the developers, but Microsoft plans to offer the tools needed to allow them to easily implement strengthened protections. The goal is to have everything done by the end of 2014.

Microsoft has taken a stance, and there are clear indications that the government is pushing boundaries. If anything, things have taken a turn for the worse when the nation's largest software corporation says the government's intelligence operations are a threat, placing them on the same level as common criminals.

The term APT is often overhyped and applied to things it shouldn't be; it is a buzzword used to push marketing efforts and sales. However (and perhaps unfortunately), placed in context, Microsoft's use of the term fits the NSA's initiatives perfectly.

"Ultimately, we're sensitive to the balances that must be struck when it comes to technology, security and the law. We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution. We want to ensure that important questions about government access are decided by courts rather than dictated by technological might. And we're focused on applying new safeguards worldwide, recognizing the global nature of these issues and challenges," Smith concluded.


Stories by Steve Ragan
