Microsoft on Trustworthy Computing
Posted by John on 27 May 2015

Scott Charney, corporate vice-president for Microsoft Trustworthy Computing, spoke recently at the RSA Conference 2015 in San Francisco about destructive cyber attacks.

“It is not just that breaches have continued unabated, it is that the attacks have become more destructive”, he said. Charney added that there needs to be a fundamental rethink on network security: under the traditional view, data theft and its implications may not always be immediate in their repercussions, but those of a destructive cyber attack most certainly are. Making reference to an event in 2008, where someone hacked oil pipelines in the Middle East, he said: “They shut off the sensors, shut off the cameras, pressurised the pipeline and caused a kinetic explosion”. Charney then pointed out that other attacks, such as those against Saudi Aramco and Sony Pictures, were so destructive that they caused those organisations to stop their daily business.

“The nature of these attacks has changed the conversation outside the security community and in the executive suites and boardrooms”, he added. “There is more activity, and the reason that is critical is that when a market wakes up, it creates demand, and the people who build technology rise up to meet the demand”.

Charney believes that cloud computing will be key, but for that to happen there will need to be technologically enforced trust boundaries.
“These are necessary to ensure that those who want to migrate to the cloud have faith because they have control and because they have transparency”, he said. Charney sees Trustworthy Computing as being about security, privacy and reliability, but in the transition to the cloud, people are also seeking transparency and control.

“In the old world it was the government, vendors and customers fighting the bad guys, but in a post-Snowden world, we are still all fighting the bad guys, but we all have a little bit of concern about each other”, he added. Charney stated: “Small businesses do not typically have an IT staff, they do not have a CISO, and they do not have a security information and event management system. One of the great things about the cloud is that security expertise and technology gets consolidated”.