Microsoft: US government is an 'advanced persistent threat'
Summary: Microsoft's EVP of Legal and
Corporate Affairs outlined the company's new data protection strategy
on the basis that the US government is an "advanced persistent threat" —
a label used for cyber criminals.
While Microsoft's recent move to encrypt user data made the most headlines, the reasoning underlying its new data protection strategy classifies the US government in the same category as a cyber-criminal group.
Brad Smith, Microsoft's EVP of Legal and Corporate Affairs, labeled the American government as an "advanced persistent threat" in a December 4 post on The Official Microsoft Blog.
The term advanced persistent threat (APT) refers to an attacker, usually an organized and well-resourced group, that should be considered harmful and dangerous, and to an overall method of attack that plays a "long game": gaining access and quietly keeping it over an extended period rather than a one-off intrusion.
Microsoft's explosive post begins by stating, "Many of our customers
have serious concerns about government surveillance of the Internet."
Smith wrote in Protecting customer data from government snooping:
(...) Like many others, we are especially alarmed by recent
allegations in the press of a broader and concerted effort by some
governments to circumvent online security measures – and in our view,
legal processes and protections – in order to surreptitiously collect
private customer data.
In particular, recent press stories have reported allegations of
governmental interception and collection – without search warrants or
legal subpoenas – of customer data as it travels between customers and
servers or between company data centers in our industry.
If true, these efforts threaten to seriously undermine confidence in
the security and privacy of online communications. Indeed, government
snooping potentially now constitutes an “advanced persistent threat,”
alongside sophisticated malware and cyber attacks.
While the writing is cautiously couched in terms of "some governments," it's crystal clear that Microsoft's "advanced persistent threat" refers to the ongoing revelations of US government surveillance activities (in leaks by Edward Snowden), and to the concerns of Microsoft's American customers.
Cybersecurity firm Mandiant has tracked security breaches by advanced persistent threats since 2004; in February 2013 Mandiant reported that the most prolific APT in the world was "One of China's Cyber Espionage Units."
To see one of America's biggest companies say it must protect itself
from its own government as it would from a group of malfeasant Chinese
cyber-spies is a moment for the history books.
But security professionals worldwide may not be quite so surprised. Not because hackers are issued tinfoil bonnets at birth, but because most security pros and researchers understand that the APT techniques cybercriminals use to steal data from businesses and individuals for financial gain are the same ones used by nation-states.
Microsoft and its Skype product have been named, and alleged (and ridiculed) to have had some kind of role in this year's unending, terrifying NSA scandal; namely, that products have been massaged with backdoors to which US government entities have access.
Only Americans need to worry about search warrants and subpoenas — in that exact terminology, as written in Mr. Smith's text.
The Microsoft legal exec explained,
In light of these allegations, we’ve decided to take immediate and coordinated action in three areas:
- We are expanding encryption across our services.
- We are reinforcing legal protections for our customers’ data.
- We are enhancing the transparency of our software code, making it
easier for customers to reassure themselves that our products do not
contain back doors.
Springboarding from its "persistent threat" categorization, Microsoft
then explains its new encryption efforts — putting America's government
and malicious hackers in the same category.
For many years, we’ve used encryption in our products and services to
protect our customers from online criminals and hackers. While we have
no direct evidence that customer data has been breached by unauthorized
government access, we don't want to take any chances and are addressing
this issue head on.
Microsoft legal's official post goes on to describe legal concerns relevant only to its American users and customers, and what the company will now do to reinforce legal protections for its customers' data.
Microsoft said that as part of fighting this advanced threat, it will now fight gag orders "head on."
In its new Reinforcing Legal Protections initiatives,
(...) we are committed to notifying business and government customers if we receive legal orders related to their data.
Where a gag order attempts to prohibit us from doing this, we will challenge it in court.
We’ve done this successfully in the past, and we will continue to do
so in the future to preserve our ability to alert customers when
governments seek to obtain their data.
And we’ll assert available jurisdictional objections to legal demands
when governments seek this type of customer content that is stored in
another country.
And if anyone was still skeptical about whether Microsoft meant the
US government when it said the words "advanced persistent threat," the
post concludes:
Ultimately, we’re sensitive to the balances that must be struck when
it comes to technology, security and the law. We all want to live in a
world that is safe and secure, but we also want to live in a country
that is protected by the Constitution.
We want to ensure that important questions about government access
are decided by courts rather than dictated by technological might.
This leaves us all to wonder just what kind of mess we're in when one of the largest, richest and most visible American companies in the world openly categorizes the US government as an "advanced persistent threat" to both itself and its customers.