This week, I’m traveling in Europe for a series of cybersecurity policy events with Craig Mundie, Senior Advisor to the CEO, Eric Rudder, Chief Technical Strategy Officer, and David Tennenhouse, Corporate Vice President for the Technology Policy Group. I’ll be sharing my reflections on the events we are participating in during this visit.
My first stop was Brussels, Belgium for the Global Cyber Security Conference, which was organized by the European Security Round Table. I had the honor to participate in a panel alongside representatives from global and European multilateral organizations and government representatives from Japan and Korea. During my panel remarks, I emphasized the importance of outcome-focused information sharing. This topic is particularly important in Europe now, with the European Commission formulating a cybersecurity strategy and related Directive to the Member States of the European Union.
I believe our Cybersecurity efforts can be strengthened greatly when parties share information to advance specific outcomes. Microsoft has significant experience in building successful information sharing programs to draw upon. For example, our Microsoft Active Protections Program (MAPP) enables us to share threat and vulnerability information with our security protection partners in advance of public release. This allows MAPP partners to provide timely defenses for their customers via their security software or devices. MAPP reflects our commitment to helping customers manage risk and protect themselves.
Microsoft also offers programs that are tailored to governments, including the Microsoft Security Cooperation Program (SCP), and the Government Security Program, (GSP) . While the SCP is focused on sharing of cyber-threat information with technical authorities and other cyber-defenders within national governments, the GSP allows governments to examine the source code for many of our leading products. These programs help provide the assurance that governments need in order to confidently base their critical infrastructures, digital economies and national defense systems on our products and services.
The common thread between these programs is that they have value for all the parties involved, and information is shared with a particular outcome in mind, whether it be improved customer protection or providing transparency into Microsoft products and services that governments require.
In October 2012, Microsoft provided a response to the European Commission’s consultation regarding Network and Information Security. In our response, we discussed challenges around mandatory sharing of information, specifically the reporting of cybersecurity incidents to government authorities. As we have learned in the course of developing our information sharing programs, identifying the value and desired outcome of information sharing is critical. Our response to the Commission’s consultation can be found here, if you’re curious about our perspective on this topic.
My next stop will be Munich, Germany for the Munich Security Conference kicking off on Friday. I’ll update you soon on my thoughts from that event.