Cyber-insecurity and Its Impact on Business

U.S. companies are losing client confidence and trust as news of ongoing surveillance programs and continued security breaches dominate headlines and water-cooler conversations. What can they do, what must they do, to combat customer and public skepticism while strengthening protections and security for users and themselves?
Read the full transcript below. (Transcript by Realtime Transcriptions.)
Kirkpatrick: We'll start off this morning with a conversation with Craig Mundie, who is an old friend of mine, someone I have interviewed many times. When I was at Fortune one time, we had a little conflict, as he said. Sorry to remind you of this, Craig, but he said that I had not quoted him correctly when I quoted him, calling open source socialism. And then we went back to the tape and, in fact, I had. Anyway, those days are gone, because Microsoft even has a whole Hadoop thing, for those of you who know what that is.
Craig, come out. That's not what we are going to talk about, but you probably remember that. That was one of my more memorable recollections of my interactions with Craig Mundie. Craig's been at Microsoft for more than two decades.
Mundie: 21 years.
Kirkpatrick: When Bill Gates left, he took over a number of Bill's responsibilities, and has recently spent—he was running Microsoft Research for a lot of recent years. He's been a huge policy advocate globally.
I once went to China with him and spent a lot of time talking about what was happening in China. Meanwhile, he was meeting with the senior leadership, which is something he has done in country after country. I think it's one of the reasons this conversation is going to be meaty. Craig really does spend a lot of time talking to the leaders of the world about what's happening with the landscape of the Internet and security and where it's headed.
He is leaving Microsoft shortly. We'll see where he ends up. I'm sure he's going to stay deeply engaged with a lot of these issues of how we can really thrive in the Internet landscape, given a lot of the uncertainties.
So I wanted to just start, Craig, with asking you—you were very eloquent as we were preparing for this, about there's a sort of taxonomy that isn't understood by most leaders, even in the tech industry, perhaps, but certainly in business and government; and that you said that a lot of the language around sort of cyber-security gets very muddy. So how should we be thinking about that more clearly?
Mundie: Like anything else in tech, the challenges inside the security or the issues around it have evolved fairly rapidly. And today, I think they mirror the kind of problems that the world has had in the physical world for many, many years, but we got there fairly quickly.
If you go back a little more than 10 years, most of the stuff that was going on has been in the first bucket, which I call malicious mischief. These were hackers and people who are sort of doing it for sport almost, and notoriety; but today, I think that there's five major classes of cyber bad things going on, and I call them malicious mischief, crime, espionage, warfare, and terrorism.
Of course, we know all those in the physical world and now they're all present in the cyber environment. The thing that makes it a bit more complicated is in each of those categories, you now have to, in simple terms, think there are three different kind of actors, which you could think of there's amateurs, professionals, and governments.
And so right out of the chute there's 15 different boxes. And each of them is different in its character and each of them is going to be different in my view in terms of what we're going to have to do about it. And so when everybody puts everything under the banner of cyber security, it becomes something that's not actionable, and that's the problem we have had with policy-makers is they can't separate economic espionage from cyber terrorism from warfare, and they're all very different.
Kirkpatrick: So is the bottom line from your point of view that it's really, really scary out there and we ought to be super-worried?
Mundie: Yes, we should be super-worried.
Kirkpatrick: Are you worried more than they were two or four years ago about the risk of sort of this essential global utility, the economics of the planet, the Internet becoming less usable and more in jeopardy in itself?
Mundie: No, I'm not so much worried about the Internet infrastructure itself, because all of the bad actors need that infrastructure to do whatever it is they're trying to do. The question is what do they do with it now.
My fears are not in the sense new or elevated beyond what they were a couple years ago, but I think that we're evolving now to the point where—the last 12 months, for example, were really notable, because a lot of the activities have shifted from the sort of mischievous category or the criminal category into the destructive category.
This is where you see the non-deterrable actor; for example, a terrorist organization or a nation state that's sort of more of a rogue relative to international order, who have decided that they're willing to use cyber means in order to seek retribution. So in August of 2012, the first really well-known now destructive cyber attack was launched. Many people believe it came from Iran, and it was targeted first at Saudi Aramco in Saudi Arabia.
This is a nation state attacking a private business for the purposes of getting the attention of the other nation state's leaders. In this case, they used not just cyber means—this is the difference between what I call the pros. That would be organized crime is a pro, and governments. Governments have capabilities they are willing to use that don't—they're just not available even to criminal organizations.
And so they get into the organization, they plant malware that's destructive in nature, and on a Friday night, on a three-day holiday weekend, they wiped out 30,000 computers. And for that company, it was a very long slog.
Kirkpatrick: Saudi Aramco. But why do you call that the first one instead of the U.S. and Israeli attack on Iran known as Stuxnet, which was earlier?
Mundie: Well, I don't know all of the origins of that. People attribute it to the U.S., but that was against a military target, so the difference here is if you get a nation state essentially attacking soft targets, not military targets, that's a—
Kirkpatrick: So it's a landscape change, regardless of what you think of Stuxnet. Stuxnet, to me, is a significant—
Mundie: It was destructive.
Kirkpatrick: Partly because we were caught. Even if you don't agree, certainly it was—we were caught by—The New York Times felt very strongly that—
Mundie: Whether you want to start with Stuxnet or then Saudi Aramco or RasGas—
Kirkpatrick: What was RasGas?
Mundie: A week later in Saudi Arabia, the people who launched the one against Saudi Aramco watched how it got repaired in that first week, altered the malware to make it more completely destructive, and a week later launched it against the gas company in Saudi Arabia. So two attacks with that.
Then you have seen this year things that are generally attributed to North Korea being destructive attacks against South Korea. And so this, I think, is a very scary evolution, because you're starting to see people willing to deploy these things against what could become critical infrastructure.
Kirkpatrick: Didn't Russia and Georgia get into a little of that, too, at one point, we think?
Mundie: Again, that was—that was in the warfare category, and there was essentially a hot war shooting—
Kirkpatrick: Parallel to that, a cyber—
Mundie: They used cyber to soften up or eliminate command and control capability.
Kirkpatrick: Right. Wow.
Mundie: So the U.S. is the first country, about a year and a half ago, to make a formal doctrinal declaration that said they now consider cyber the fifth domain of warfare—land, sea, air, space, and cyber. And because of that, just in a kinetic war, you wouldn't say, “I'll only use the navy.” Well, now people are saying, “No, no. I won't only use the kinetic or I won't only live in cyber.” You blend them together. So there's an arms race going on.
Kirkpatrick: You mean both in defining what is an attack and defining the proper response?
Mundie: Correct. So in a sense, the U.S. was starting to try to tell people, “If you send me some bad packets, I might send you a cruise missile back,” because I think, in a naive way, many people were thinking this cyber thing, it's over here; it's on the side. If I do some bad things to you in cyber space, you will come back and do some bad things to me in cyber space. And people are now beginning to realize that there is no clean dividing line between these two.
Kirkpatrick: If someone who, as myself, relentlessly determined to try to find the optimistic interpretation and to hope that the planet and mankind will move in a positive direction in terms of amity, all the measures of health and wealth that I showed at the very outset, et cetera, what can we do about it? Is there a positive scenario that you can envision where we will move towards a more protected, economically viable landscape?
Mundie: Well, look, the viability of the Internet, in economic terms, is a given in my mind. In fact, it's so given that it's why it's becoming a target for the people who want to disrupt these things.
So there's two things I'm hopeful we can see happen. One of the reasons I've created this simple taxonomy and tried to explain it to policy-makers around the world every chance I get is that I want to make it clear that in many cases, in business, you hear the terms now, “frenemies” or “coopetition.” And I think governments are now going to have to have a coopetition, because this technology is now pervasive in virtually every society; and therefore, no society can afford—just like they can't afford to turn off electricity or running water, they can't turn off this anymore.
And so even if you have differences of opinion or even, you know, pretty serious conflict in some traditional sense, you may find that you have a common cause against cyber terrorists. And so, for example, doesn't matter which country you're in. If a terrorist organization was able to substantially disrupt the global banking system, there is no country that is immune from the side effects.
And so you could say, “Well, we may be annoyed about other things; but man, if we see these guys over here messing around with the global banking system, we'd better get on it and get on it together.” And so I'm trying to help people understand that there may be certain things that we have common cause across many nations and that we need to find a way to have those countries and their capabilities cooperate in both deterring and addressing or even fighting back, if you will, when you have those kind of actors.
And then the second thing I think we're going to have to do is we're going to have to do some tune-up on the technology of the Internet.
Kirkpatrick: Right. I want to get to that.
Mundie: Both are going to be required.
Kirkpatrick: Talk quickly on both of those points. Do you see progress? I mean, given all your conversations with global leaders, has that message started to get through? And what, on the second point, is the method that you think we ought to move forward to address some of these?
Mundie: On the first part, I'll say the earliest days. This taxonomy that I described today, we only invented in the last few months in order to try to give clarity to these discussions, largely because every time I tried to have a discussion or even watched governments try to have these discussions—you look at the U.S. and China. It's in a different case, but a year ago, no one actually had a clear definition of economic espionage; but as we have given clarity to that, the U.S. President Obama, when they had the Sunnylands meeting with President Xi, that went to almost the top of the president's agenda, because there's this asymmetric issue between the two countries with respect to economic espionage.
Kirkpatrick: Of course. It was so interesting, since it was two days after the Snowden information was released. And the timing of that was awfully interesting, yeah.
Mundie: Yes, and what was unfortunate in many senses is just as the two governments were actually starting to understand a little bit about oh, this economic espionage is really a problem, for the U.S. at least, when the Snowden leaks happened, the Chinese side broadly in the media said, “Well, you see you're spying on us too.”
Kirkpatrick: I'm sure that's what Xi said to Obama also.
Mundie: Right, but the problem is governments have spied on each other for hundreds of years, maybe thousands. My view, that's not going to go away, no matter what. Government-to-government espionage is not going away. On the other hand, almost all governments have sworn off of this idea, but governments should steal business assets for the purposes of advancing their own businesses.
Right now, there's still some countries that are practicing that, and so—
Kirkpatrick: Notably—
Mundie: Well, the ones that are popularly believed to do that, China, France.
Kirkpatrick: Do you believe China's doing it?
Mundie: Yes. Well, what I have said to the Chinese leaders, point-blank range, is the United States has caught somebody in China with their hand in the cookie jar relative to stealing business assets broadly.
Kirkpatrick: And giving them to Chinese—
Mundie: Giving them to Chinese businesses. And so that, in my view, is not a disputable fact now. The Chinese leaders, at the very top level say it is not our policy to do that, and so what I've pointed out to them; I said, “Well, we have seen in other countries where the government employees who by day are part of the espionage and surveillance business, by night serve criminal interests from the same desk and the same computer. And we've seen that in other countries.”
So I said, “You could tell me that your guys have gone rogue and at night the same people in that military building are basically stealing this for economic purposes, and it isn't your policy; but our position is we don't care whether it's crime or policy. Make it go away, all right.” And this, I think, is the kind of candid conversation that has to happen, and it has to be focused around these very narrow issues.
Kirkpatrick: So you see some progress on that.
Mundie: I see progress only in so far as there actually is a discussion going on, and until the last few months, there really wasn't.
Kirkpatrick: I want to go to the second point, because I know you have very clear and strong views about what kind of technology changes and behavioral changes maybe we can implement to address a significant portion of the taxonomy you are describing.
Mundie: Well, one of the biggest problems in all of this, just take for a moment, I'll call it the non-deterrable actor, the real terrorist organization. You have to deal with those, too, but if you want the rest of the functions to work better, we have to have much better identity, and not just for people. We have to have identity for computers, the physical devices, for the programs that run on those computers, for people. And for people, we also have to have roles.
Kirkpatrick: By identity, you mean uncontroversially labeled and—how would you define it? There's absolutely no doubt that that machine is that machine and we can identify who owns it or who has the rights to use it, and same with that application, same with that person.
Mundie: So we've started down this path quite a long time ago. The TPM hardware, which is a trusted program module, is a hardware route of trust. We have been gradually getting it put in more and more devices.
Kirkpatrick: We, being who?
Mundie: We, being the industry. Microsoft in particular has been a big advocate for this. I think we helped push it over the top in the last couple years on the PC side, because we require it for every machine, every new machine that would run Windows 8 or beyond. Depends on having this hardware route of trust.
From that, you not only know that the machine is there, but these hardware routes of trust actually allow you to then have what's called a secure boot. That means that you can validate the bits of the operating system that gets loaded. From that, you can work your way up the software stack, knowing with some certainty the origin and integrity of every piece of software in the system. And ultimately, everybody's going to have to do that.
This year, a number of companies, I think notably Microsoft, Google, and Apple, all got together to some extent and said, “We should ask all the phone manufacturers to do the same thing, because as the world moves to mobile”—unfortunately the phones that everybody carries around with them are about a decade behind right now from the personal computers in terms of how well they're engineered with respect to these kind of security mechanisms.
Kirkpatrick: And identity of the device in particular?
Mundie: And the mechanism to allow you to have a trusted boot for the software and to basically hold credentials for people or for programs with a high integrity.
Kirkpatrick: Just to summarize, so the point of identity is so then you have a rights-based architecture where you really know which machines and applications have the right to what information at what time, et cetera, and what people on their identity side?
Mundie: Well, I think there's two separate problems. The first is independent of whether you're trying to get to the rights question. That's the sort of the thing I have been talking about for the privacy problem, which is a related issue, but I think whether you're worried about the privacy problem or not, you still are going to have to be able to trust these computers.
And so this leads to the behavioral or operational changes. Today everybody just has their big computer network in their enterprise, if you will. They usually have a uniform set of credentials they use to access everything. They rely on access control lists, you know, in the operating systems in order to be able to decide that David can see this file and Craig can't see this file; but those mechanisms, in my view, are not strong enough, in part because they don't start with a robust identity mechanism in every case, and in part because a lot of these things were engineered at a time where the threats were not as high as they are today.
Unfortunately, many organizations don't actually keep upgrading their software to new versions, and one of the problems with that is that software advances. Even if you said, “Hey, its functions are only the same as the last one that I used, I don't need the new functions;” that's fine, but you need the new underlying security mechanisms, because the bad guys' weapon systems have been evolving.
Kirkpatrick: It's the classic arms race.
Mundie: But right now, most organizations are not really thinking about it that way.
Kirkpatrick: Even still.
Mundie: Even still. Look at this year, we're finally going to retire Windows XP. It's 14 years old. It is completely—I'll say unprotectable relative to contemporary threats, and we still have hundreds of millions of machines still running it. And people fight with us to say, but I want to keep it. And we say we can't in conscience do this. If you're an enterprise and you have one such machine on your corporate network, that will be the point of entry for the bad guy.
Kirkpatrick: Wow. This is so good. There's so much to say, but we've only got a few minutes left, and I want to let the audience get in. Is there any fundamental point you wanted to make that I haven't let you make before I—if you could articulate it as quickly as possible, because I want to see what people—who has a comment or question?
Let me ask you one, while we are seeing if anyone is awake enough to ask one. At the base of all this, thinking from your point of view, do you see that things are more or less likely—you sort of said you didn't think it was much worse earlier in the conversation, but on the phone, you sounded a little different—more or less likely to spin out of control or be able to put a lid on it today, compared to the past?
Mundie: Oh, I think the risks are substantially higher, and the reason is that the problems are escalating faster than the mechanisms to deal with them.
Kirkpatrick: In general.
Mundie: One of the things people don't understand about—I'll say these cyber sort of weapons of mass disruption. Everyone thinks about WMD as mass destruction, but these things are really mass disruption. And the thing that is, for me, scary about them is that let's say somebody has a really sophisticated weaponized mechanism to use malware to mess around with banks or the power grid or something.
In the Internet, things can happen so fast, at such high scale that I believe no country has really prepared itself to be able to deal with a disruption that affects the entire country at once. If you think of even biological weapons or nuclear weapons, other than a holocaustic kind of scenario, the Cold War, today we worry that somebody may—a terrorist might get a nuke to go off in one city. And that would be a huge problem, obviously, but it would only be one city; but if somebody had the equivalent capability in cyber, where they figured it all out and could turn off a substantial percentage of the power grid in the United States—look, power grids cascade into failure on natural terms, and we keep working to try to make them better, but let's say that somebody figured out a cyber means to cause one of these cascades and that affected the whole country.
How does the country bootstrap itself back into operation, when there's no part of the country that's running? And even weather and things like Sandy affect one part of the country. Big weather systems affect one part of the country. You don't get the whole country. So these are scary—
Kirkpatrick: It does sound scary. Okay, if Dan Elron has a question, I want to hear it. And you don't need to identify yourself. He's Dan Elron from Accenture.
Elron: Thank you. It's relatively early days for the Internet of Things. We know who they are, but pretty soon we'll have these smart devices in every home, car, bridge, et cetera, so should we do something different before we unleash this Internet of Things in sort of protecting ourselves based on lessons from the PC world?
Mundie: Yeah, I mean, when the panel was talking yesterday, I wanted to intervene and decided it wasn't time, but I would plead with the people that are doing the Internet of Things to recognize that they should start at least equivalent to what we have been able to put into PCs that are now putting into phones, but because they're all trying to reduce the cost to zero, there's no focus.
It's just exactly what happened with the mobile phones. Everybody wanted to be cheap as possible, so they wouldn't add a penny or two to basically add these capabilities, and the engineering from a software point of view is not being done with any eye toward these kind of issues.
So yes, I think with the Internet of Things coming on and at least 700 companies getting together to ponder this, they should start and decide, because I can tell you, because Microsoft lived through this 10, 12 years ago, and even today, when you design without the idea that these things are all connected and there's bad guys, you just do not put the level of in-depth design and testing into these things that you have to have.
And so, you know, Bill and I started the trustworthy computing thing at Microsoft 12 years ago, and we've changed the whole company's engineering practice over the course of a decade in order to make these things better and better. And I would tell you that almost no organization has made a similar investment, and almost none of the people that are assembling all these piece parts for the Internet of Things are making a similar investment. And I think that's a recipe for disaster.
Kirkpatrick: Well, on that cheery thought, I love listening to you talk about it, although I wish we had more time, because there's so many questions that this raises about the future of human society to me, which we were kind of getting at at the World Economic session earlier. So great to have you here, and your experience, explaining some of this stuff to us, so thank you, Craig.
Mundie: Thank you. Take care.