Friday, June 17, 2016

A way forward for Microsoft and Friends

You can watch Jan Neutze from Microsoft talk to NATO at CyCon 2016 and see him repeat the talking points we have heard over and over from Microsoft.  They are, in bullet point form as follows:

  • Please don't trojan our software, because it hurts the trust relationship we have between ourselves and our customers. "Loss of trust is the single biggest concern we all have."
  • We deserve a voice (and a veto) on your offensive operations (and the norms around them)
  • We don't want to bear the cost of all the cyberwar every government wants to do, or all the regulatory regimes they can think up. 
  • "States should be discriminant in their actions and not create a mass event" (including loss of trust)
He goes on to say that of course he really likes the Vulnerability Equities Process - lots of people think this is the answer towards limiting our offensive capabilities. But the Vulnerability Equities Process is not cost free. In some cases, the resources people assume we have for developing additional capability in this space just don't exist at all. What they're really arguing for is an unrealistic unilateral curtailing of our offensive capability. But some of his requests are reasonable when you consider what we expect from other countries as well - in particular, how do you limit the events such that they are "Discriminant" and not "Mass events". 

But let's get back to the first and most important issue: Microsoft's trust relationship with their customers. There's a reason they call the Microsoft security group "Trustworthy computing". Bill Gate's memo was a life-changing event for the company, and remains a large influence to this day.

So let's get to the kinds of offensive interactions possible with Microsoft, like examining the kinds of chemical interactions possible with Oxygen:

  1. The Government could force Microsoft (or ask them nicely) to backdoor their software in a way that looks like a normal vulnerability
  2. The Government could force Microsoft (or ask them nicely) to push a particular trojaned version of software to a particular customer 
  3. The Government can do research on their own or buy vulnerabilities and use those against Microsoft customers in the wild
  4. The Government can do supply chain attacks, as machines go to Microsoft customers
  5. The Government can introduce vulnerabilities in cryptographic specs that Microsoft then implements
Of all those things, the one Microsoft should be complaining least about is number 3! Yet you hear constant unrealistic whining.

A simple requirement that would be great to make a norm would be having any introduced backdoors be "Nobody but US". If you use that simple rule, the risks of a "mass event" are almost gone, and Microsoft can be more comfortable that offensive use is "discriminant", which is not an unreasonable request.

No comments:

Post a Comment