Microsoft Does Damage Control With Its New 'Secure Future Initiative'

Microsoft claims to have a strategy to address the growing threats posed by state-sponsored hackers and cybercriminals in response to serious security incidents.


Microsoft is revealing a broad strategy today for addressing the cybersecurity issues plaguing the company and its clients more and more in recent years in a blog post and email to staff members. The plan, dubbed the Secure Future Initiative, calls for international cyberspace norms as an extension of the company's 2017 Digital Geneva Convention and primarily relies on artificial intelligence tools as a "game changer."


The part of the strategy that is most concrete and applicable right away, however, has to do with enhancing Microsoft's software engineering and development process. Executive vice president for Microsoft security Charlie Bell, along with colleagues Scott Guthrie and Rajesh Jha, outlined a plan in an email on Thursday. The goals are to enhance security software development, protect identity management systems in Microsoft products, and speed up response and patch release times for vulnerabilities—particularly those related to cloud computing.


The announcement coincides with Microsoft coming under fire for instances in which its products' flaws allowed attackers—both state-sponsored hackers and financially motivated cybercriminals—to rampage through the company's and its clients' systems. Furthermore, the environment surrounding accountability is changing as authorities and law enforcement search for fresh approaches not only to discourage but also to stop harmful hacks. For instance, the US Securities and Exchange Commission (SEC) charged SolarWinds, an IT management company, and its chief information security officer on Monday for allegedly knowing about and failing to address "cybersecurity risks and vulnerabilities."


Microsoft announced on Thursday that its Secure Future Initiative is a reaction to the rapidly growing threats posed by cybercriminals. Vice-chair and president of Microsoft Brad Smith wrote, "In recent months, we've concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response."

Microsoft's Bell stressed in a WIRED interview that the most direct and efficient way to penetrate any kind of organization is through phishing and innovative approaches to credential theft, which are being targeted by both state-sponsored actors and cybercriminals alike. Although it is challenging to accurately calculate the total economic losses caused by cybercrime and cyberattacks worldwide, he pointed out that Microsoft estimates that losses have exceeded $6 trillion and may approach $10 trillion by 2025.

He tells WIRED that "the threat is growing." "It greatly hinders the world." So what can we do when we consider everything that is happening? A large portion of the defence capability is centred around Microsoft. It made us take a step back.


Microsoft says it plans to take two aggressive steps to make a real impact on customer security: accelerating vulnerability response times by 50% and moving toward requiring customers to use secure default settings. According to Bell, only about 34% of Microsoft customers use multi-factor authentication, whereas "it should be 100%."


The adjustments coincide with the recognition by other industry titans, such as Google, of the necessity of promoting secure defaults, particularly about authentication. Microsoft owns the software development platform GitHub, and it has been working for months to make two-factor authentication mandatory. Google has pursued two-factor authentication for years, and Apple has long required it for most accounts.


Microsoft is lagging behind the early proponents of the Secure Future Initiative on many of its hardline changes, if not outright trailing them. Furthermore, the ideas of designing software to be secure by default or creating zero-trust system architecture were prevalent throughout the previous ten years. However, Microsoft is at the core of the global IT infrastructure due to cloud services and all of the legacy Windows systems, and in many respects, global cybersecurity advances at Microsoft's speed.


Bell claims that "if we don't get ahead of it, it's a terrible world." "At this moment, we possess all the information that the threat actors—snooping around and observing a little—can access. Since we are inside, we are aware of everything. To effectively address the security issue, we must acknowledge that changing the settings won't solve the problem because everyone relies on the cloud. Between here and there, there's a lot of operational ground to cover. And Microsoft is the organization that keeps that world running and maintains the essential infrastructure.