Today, in a blog post and email to employees, Microsoft is announcing a broad vision for tackling the cybersecurity challenges that have increasingly plagued the company and its customers in recent years. Known as the Secure Future Initiative, the plan leans heavily on artificial intelligence tools as a “game changer” and also includes a call for international cyberspace norms, an expansion of the company’s 2017 Digital Geneva Convention.
The most tangible and immediately applicable component of the strategy, though, relates to improvements in Microsoft’s software development and engineering approach. In Thursday’s email, executive vice president for Microsoft security Charlie Bell and colleagues Scott Guthrie and Rajesh Jha lay out a plan to further safeguard identity management systems in Microsoft products, improve security software development, and shorten response and patch release times for addressing vulnerabilities, specifically those in the cloud.
The announcement comes as Microsoft has faced scrutiny over situations where vulnerabilities in its products have enabled attackers—both financially motivated cybercriminals and state-backed hackers—to rampage through the company’s own systems and those of customers. And the climate around accountability is evolving as regulators and law enforcement look for new paths to deterring, but also preventing, damaging hacks. On Monday, for example, the United States Securities and Exchange Commission (SEC) announced charges against the IT management company SolarWinds and its chief information security officer over “cybersecurity risks and vulnerabilities” that the SEC alleges were known and should have been addressed.
Microsoft said on Thursday that its Secure Future Initiative comes in response to wildly escalating threats from attackers. “In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” company vice chair and president Brad Smith wrote.
In an interview with WIRED, Microsoft’s Bell emphasized that both cybercriminal and state-backed actors are professionalizing and homing in on phishing and creative approaches to credential theft as the most direct and effective method for infiltrating organizations of all sorts. He noted that while it is difficult to get an accurate accounting of total global economic losses due to cybercrime and cyberattacks, Microsoft believes that total losses have been greater than $6 trillion and could close in on $10 trillion by 2025.
“The threat is growing,” he tells WIRED. “It’s a huge drag on the world. So when you look at all of this going on and you say well what can we do? Microsoft is in the center of much of the ability to defend. It caused us to step back.”