Microsoft and Security Incentives

Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security—in particular, Microsoft:

Grotto told us Microsoft had to be “dragged kicking and screaming” to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.

[…]

“The government needs to focus on encouraging and catalyzing competition,” Grotto said. He believes it also needs to publicly scrutinize Microsoft and make sure everyone knows when it messes up.

“At the end of the day, Microsoft, any company, is going to respond most directly to market incentives,” Grotto told us. “Unless this scrutiny generates changed behavior among its customers who might want to look elsewhere, then the incentives for Microsoft to change are not going to be as strong as they should be.”

Breaking up the tech monopolies is one of the best things we can do for cybersecurity.

Posted on April 23, 2024 at 7:09 AM • 25 Comments

Comments

postscript April 23, 2024 8:45 AM

Microsoft’s logging is criminally wasteful. Maybe Grotto can talk to them about how much time, network, disk space and SIEM license is squandered constantly by moving and filtering all the boilerplate and other useless crap that Windows constantly emits. Every logging manager has to reinvent this stupid wheel. Minor changes in how they do logging could save enough resources to power whole cities.

JonKnowsNothing April 23, 2024 9:18 AM

@ALL

re: Breaking up the tech monopolies is one of the best things we can do for cybersecurity

Is it? Is this the best we can come up with?

There are multiple issues under the covers when you break up a locked system. The USA had a virtual monopoly in our telephony system called AT&T aka Ma Bell. The current company using the name “AT&T” is only distantly related to the original version.

The breakup created the RBOC or Regional Bell Operating Companies and the USA was divided into mini-monopoly geographic areas.

  • Can you find an RBOC today?
    • Nope

The RBOCs are all gone, re-merged into new monopoly systems where they harvested the old “everyone knows” names and slapped that on the new configuration; which is the old configuration.

We did get a huge explosion of pent-up engineering projects and improved services ONLY WHILE the RBOCs were in place. Once the RBOCs were gone, well, we have what we have.

There are lots of things that scale with size and lots of things that don’t. So, it would be important to understand what the goal is and what the downsides are.

  • There are only so many Top Grade Security Workers to go around. Most of which do not work in the private sector.

If the fault is determined to be the Market Control, breaking up a monopoly, of which nearly every large corporation is a de facto monopoly, can be a good thing. Preventing a monopoly from reforming legally or illegally by collusion, is not so easy to prevent. The Austerity Economic Model will demand a reformation because they can create and exploit a new revenue and asset base. Blocking Wall Street and Oligarchs and Private Equity from extracting Value for Money is not a sure thing.

  • Did OpenAI get rid of Sam Altman? How about ElMusko’s global interference?
    • If we can’t get rid of 2 oligarchs, do you really think we can get rid of a global monopoly?

K.S. April 23, 2024 9:32 AM

IT security certifications (FIPS, CC, JITC, DSS etc.) universally impose extensive audit capability requirements. It is surprising to hear that MS, which has a team dedicated to certifications, would have issues with products providing logging capabilities. I think “provide logging capabilities” might be a euphemism for something else, something similar to “lawful interception”.

Policy Proposal April 23, 2024 1:02 PM

Market incentives do not directly reward security investment because the costs are (a) rare and (b) distributed. Customers, whether they are businesses or consumers, have no way of knowing what security is associated with their purchases or how much of the cost is security investment.

Maybe there is a way to change this.

Require all tech products (smart things/cars/etc, IoT, software, services) to get insurance to cover events that are (a) rare and (b) distributed. The insurance must pay for damages and recovery for both the business and its customers.

Insurance must be acquired at a product offering level (e.g. Azure, Windows, Office365, XBox) so that large companies cannot buy some kind of umbrella insurance to amortize and outcompete on smaller products (e.g. digital effects software).

In order to be eligible for insurance the company and its product must: (a) have an active bug bounty program (b) maintain an auditable record of security including discussions, decisions, bugs, investments covering the lifetime of the product and the current state of the company IT systems.

Additionally, software engineers will register for professional licensure, and the appropriate licensure of employees will be part of insurance audits. When software engineers contribute to projects with security issues, this is logged against their license. Serious breaches of negligence will result in the revocation of their license.

This probably isn’t perfect – I’m not a policy author by trade.

Anyways, something like this would ensure that costs of a compromise can be covered, incentivize businesses to invest in security, and bring the costs of security into the cost of services where the market can weed out companies with inefficient security and companies that are risking “the commons” for private gain.

JonKnowsNothing April 23, 2024 2:52 PM

@Policy Proposal, All

re: There will be push backs on multiple fronts

No licensing or certification or degree program can guarantee that the person is competent and will write reliable code. It’s the same issue as MDs, Dentists, Lawyers. They got certs but they may not be good at their jobs. Plenty of RL anecdotes of encounters with the ones that are licensed but are not competent.

  • The MDs, RNs and Psychologists (US UK maybe FR) who designed and implemented the CIA Gitmo Torture program are working somewhere near you. You have no way of knowing who they are. Gives you comfort doesn’t it?

All that these programs do, at best, is authenticate the person can regurgitate pre-canned responses to pre-canned questions.

Professional Organizations are de facto Lobby Groups, working to ensure tax benefits to their members and reduction of competition by increasing the barriers to entry to their market place. They are not “for the public good or for the public welfare” groups. They are self-interest groups designed to keep everyone else out.

Insurance is an accepted Financial Gambling Scheme. It is not intended to ever be a Full Coverage for Every Event Gamble. Not even Las Vegas would touch such a bet.

Insurance is based on the actuarial probability of an event. The number of bettors in the pool must be large enough, and pay in enough, so that when an event occurs, there is enough money in the pool to cover it.

The hitch is this:

  • the bettors must ante up every year (or period), if no event happens then all those bets are forfeited and becomes money for the house. The house is the insurance company. Those forfeited monies are profits.

There are some variations of Government Backed Insurance programs. In the USA Flood Insurance is provided by the USGov. The program collects flood event bets from people. If a flood happens the USGov pays out “something”. If there is no flood, the bets are forfeited into the government coffers.

Because of multiple other economic pressures, eg from the Real Estate Industry, the USGov accepts flood bets from places known to have floods. This is an important aspect of mandated insurance. (USA) Unless you are an oligarch, people finance a house through a variety of banking schemes. The bank owns the house, you get a 30yr fixed rate rental and if you do not re-finance, after 30 years you own the house. The bank is not interested in losing money over 30 years, so conventional financing requires insurance; fire, flood insurance or other disaster insurances can be required.

  • If the house catches on fire, the insurance first pays the bank off. You get the residual.
  • If the house floods, the USGov first pays off the bank. You get the residual.

The bank always gets their money. You may not get enough to rebuild or purchase another property and you may not get enough to cover your loan debt (aka being underwater).

Now consider the actuarial problem of calculating the probability of a malware, cyber attack and creating a payoff pool big enough to “pay for damages and recovery for both the business and its customers”.

  • The attack surface is large, events are common
  • The size of impacted group is global

Nearly every insurance program, somewhere in the fine print, has a list of exclusions. (1a, 1b) Sometimes you can get insurance to cover those exclusions. This is placing more bets on the specific event.

Consider:

There is a lot of climate change damage: floods, droughts, fires.

There is a lot of physical devastation to buildings, homes, apartments, infrastructure, farms, factories from military conflicts.

  • Do you think an insurance company is going to pay out to rebuild climate affected areas? (2)
  • Do you think an insurance company is going to pay out to rebuild UKR, RU, GAZA?

===
1a)

https://en.wikipedia.org/wiki/Property_insurance#Exclusions

The following are excluded from insurance coverage:

  • Loss or damage caused by war, civil war, and kindred perils
  • Loss or damage caused by nuclear activity
  • Loss or damage to the stocks in cold storage caused by change in temperature
  • Loss or damage due to over-running of electric and/or electronic machines

1b)

https://en.wikipedia.org/wiki/War_exclusion_clause

  • You are not insured for: war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom or any hostile act by or against a belligerent power, capture, seizure, arrest, restraint or detainment (piracy excepted), and the consequences thereof or any attempt thereat, derelict mines, torpedoes, bombs or other derelict weapons of war

2) USA California, at least 3 insurance companies have now withdrawn from providing home insurance in California and have withdrawn from all insurance activities in the state.

Their primary reason is the

  • Cost of insurance payouts due to fires in California

As bank loans require fire insurance be maintained for the duration of the loan, the backwash is TBD if home owners with loans and business loans cannot find alternate fire insurance coverage.

cybershow April 23, 2024 2:57 PM

Microsoft as a threat to national security is nothing new. Prominent figures in the US army, navy and defence research have been saying so for years. Here are a few links:

http://techrights.org/o/2021/07/19/microsoft-national-security/

https://obamawhitehouse.archives.gov/files/documents/cyber/IEEE%20-%20IT%20Monoculture.pdf

https://www.networkworld.com/article/895510/software-retiring-exec-tells-microsoft-to-embrace-open-source.html

https://www.strassmann.com/pubs/computerworld/ms-security.shtml

cybershow April 23, 2024 4:05 PM

@K.S.

“logging capabilities” might be a euphemism for something else, something similar to “lawful interception”.

Good catch.

That’s why a richer and more explicit definition of “National Security” is essential. Some of the links above strengthen the case for civic cybersecurity as we call it here. In that definition ‘national security’ is literally no more than the sum total of individual securities, schools, hospitals, small businesses (I’ve written about it quite a bit). Through that lens, BigTech is a menace to everyone. The parochial definition of ‘national security’ as secret special interests, disappoints all of the above stakeholders – evidently the military and government included.

Winter April 23, 2024 4:28 PM

@cybershow

Microsoft as a threat to national security is nothing new.

You take the frog in the well view of MS.

MS is a threat to global security. Their failings in security are a threat to any nation in the world.

Karl April 23, 2024 5:25 PM

Federal Government politicians & their regulatory bureaucrats always have much superior ethics, technical expertise, and selfless concern for the public good … versus typical greedy private business entities.

Therefore, close government supervision of all U.S. economic sectors is imperative, especially for hi-tech.

Free Enterprise & Free Markets are dangerous 18th Century political superstitions.

JonKnowsNothing April 23, 2024 5:42 PM

@Winter, @cybershow, All

re: MS is a threat to global security. Their failings in security are a threat to any nation in the world.

The underlying problem with MS is a 1:Many condition.

  • It only takes 1 agency or actor, anywhere in the world, to exploit it.

However, the current level of exploit is Many:Many.

  • Many agencies and many actors all over the globe exploit it.

Rules and prohibitions do not apply outside of a geographic area. Even international rules are not enforceable. Only rules that are self-beneficial are sustained.

If you want them to abandon their existing exploits, you would have to give them something of “greater value” in exchange.

I don’t know what that could be.

  • Money? They have more of it than they can spend.
  • Threats? They generate more than we can counter.
  • Jail time? They don’t care and most are immune to jail sentences.
  • A trip to the Lubyanka? (1) This would not faze them as they are the ones with the guns.

I suppose we could offer up ElMusko, but I’m not sure he is a very enjoyable house guest.

  • Personally, I would rather re-watch My Dinner with Andre(2) where the conversation is more entertaining.

===

1)

https://en.wikipedia.org/wiki/Lubyanka_Building

  • The Lubyanka building is home to the Lubyanka prison, the headquarters of the Border Guard Service, a KGB museum, and a subsection of the FSB. Part of the prison was turned into a prison museum, but a special authorization is required for visits.
  • In Soviet Russian jokes, it was referred to as “the tallest building in Moscow”, since Siberia (a euphemism for the Gulag labour camp system) could be seen from its basement.

2)

https://en.wikipedia.org/wiki/Dinner_With_Andre

  • My Dinner with Andre is a 1981 American comedy-drama film directed by Louis Malle, and written by and starring André Gregory and Wallace Shawn as fictionalized versions of themselves sharing a conversation at Café des Artistes in Manhattan.

lurker April 23, 2024 6:03 PM

@cybershow
“Microsoft as a threat to national security is nothing new.”

Then why oh why does the US Govt continue to shovel it onto their desktops and into their servers like it was the only dogfood in the store?

lurker April 23, 2024 6:09 PM

@JonKnowsNothing, @ALL

Showing my simple mind again, I would have thought insurance companies would have an incentive to reduce malware, and thus increase their profits. Or have they defined it as one of those Too Hard problems where they choose not to do business?

Andy April 23, 2024 8:20 PM

I am sorry, but the person who wrote the article is greatly deluded. The US is a corporate oligarchy. Corporations run government, not the other way around.

dean April 23, 2024 8:39 PM

insurance companies would have an incentive to reduce malware, and thus increase their profits

It doesn’t really work that way. Reducing malware would increase the profits of all insurance companies, but only briefly; they’d be making their product (“cyber” insurance) less valuable, and some competitor would notice this and undercut them. Insurance companies, after all, are devoted to quantifying risk; if any business can declare they want profit margin X, and then achieve it, it’s them.

Regarding the Bell breakup, I think the regional phone providers (RBOCs) were mostly a side show. Performative, so that the public knew the government was doing something, but not actually useful. They were still each a monopoly, to some degree, in their local areas; and while they were nominally regulated, the regulators didn’t really have any idea what things should cost. Hence, the companies got to collect fees—for things like tone dialing, Caller ID, Call Waiting—well in excess of any reasonable costs.

If any part of that breakup worked (which is debatable), I suspect it was separating local and long-distance service. The long-distance rates did come down; people were aware of competitors, and used them. I’m not sure whether the existence of competitive local exchange carriers (CLECs) can be traced back to the breakup, but they had some relevance too, particularly in the early days of DSL.

So, when talking about breaking up a company, the details matter a lot. What would make sense for a Microsoft breakup? I’ll semi-arbitrarily name a few things, mostly to start the discussion, that I guess could work as separate companies:

  • “cloud” infrastructure (Azure)
  • operating systems
  • gaming hardware
  • gaming software
  • other software (maybe including services like Hotmail that are basically hosted versions of software)

But perhaps we should really start by talking about which areas a company has a monopoly in, what problems result from that, and what goals anti-trust action should have. For example, does Microsoft’s semi-monopoly in operating systems actually harm the gaming hardware market? It’d be a shame to break some companies up, and then realize it didn’t actually solve anything. And it might make future anti-trust breakups much less tenable.

As for Meta, Facebook would be the obvious thing to spin off. Despite their grand claims and promises, it has basically nothing to do with virtual reality, right? They could also sell off WhatsApp, but really, would it accomplish anything useful? WhatsApp and Facebook would still each have a monopoly in their respective areas of business, and that’s what really seems to bother people. Enforcing interoperability is probably the only way to break those monopolies; at that point, would it matter that the same company owns both?

JonKnowsNothing April 23, 2024 9:55 PM

@dean, @lurker, All

re: anti-trust is a long row to hoe

Anti-trust takes years or decades to even make a dent. During that period the company (IBM, M$) can make changes legally to make the entire suit moot. (which is the point of anti-trust)

It’s also only good in the USA. The Tiktok snarl is an example of US limited scope.

re: Regarding the Bell breakup, I think the regional phone providers (RBOCs) were mostly a side show.

They certainly were. They also created and crushed a lot of noob telephony companies along the way, with an epic Wall Street collapse for many-most of them. This “appearance of new changes” let the Wall Street Bankers & Private Equity exploit their Zero Sum Game to strip many new to the market players (eg retirement investments). Lots of old players got stripped too.

It was also the time when Major Financial Institutions and Banks got a separate pathway to the stock market shares and prices with After Hours Trading. These entities reaped huge profits before the markets opened to individual traders.

It was a huge shell game. Silicon Valley exploded and burned.

JonKnowsNothing April 23, 2024 10:33 PM

@lurker, @dean, All

re: would have thought insurance companies would have an incentive

All insurance is a gamble. It’s legal gambling and accepted practice in business.

You bet against yourself. The insurance company picks up the bet. If you lose (if the event happens), then the insurance company pays out. If you do not lose, they get to keep the bet.

It takes a bit of sideways looking to catch the idea.

  • You have a ship at sea. There are many perils: pirates, storms, mutiny on the Bounty. If your ship makes it to port you will be a Wealthy Oligarch. If your ship sinks you lose your shirt and trousers.
  • A shipping insurance company calculates the risk of “pirates, storms, mutiny”. There are lots of examples but there are many more ships that get to port than sink. (No one cares about the sailors).
    • The maritime insurance company tells you how big a bet you have to make. Depending on distance and risk it could be a small amount or a very large amount
      • Car Insurance v House Insurance v Satellite Insurance
      • Flood insurance is cheap where you don’t need it. The folks affected by 2024 Persian Gulf floods probably do not have flood insurance.
  • The maritime insurance company knows that there will be some ships lost, but most will make it to port. They only have to provide for those few that are lost and the rest goes in their pockets.
  • So you are betting your ship will be lost at sea; the insurance company is taking the other side of the bet that your ship will make it to port safely.
  • If you win the bet, your ship sank and the insurance company is supposed to pay out on the policy. This is not the market value of the goods on the ship, only a portion of the value.

Of course, having insurance is not the same as collecting the funds from it.

  • Insurance companies yell for “Natural Disaster” declarations, as there are exclusions and limitations on what they have to pay out.

The incentive is only proportional to “the risk of loss” v “the risk of no loss”.

If you make the software more robust, there is less risk. The value of the policy for the insurance company declines. If there is no risk, no one buys insurance (2024 Persian Gulf floods).

If there is a lot of risk, certainty risk, the insurance company will not pick up the bet (fires in California). If your boat is going to sink anyway… well that’s a different insurance fiddle.

There are specialist insurance companies that do take on policies with high risk. There are all sorts of riders and add-ons to policies. Underlying all of that is the risk calculation.

ResearcherZero April 24, 2024 12:24 AM

There are also ‘fit and proper’ tests that could be applied, in addition to breaking up monopolies. The concentration within a market apportions too much power in the hands of a few and stifles competition. This is inevitable, as power eventually corrupts any person.

A check on power, and a wake up call, is good practice for the benefit of all.

So a choice could be offered, to be broken up, removal of license, or clean up one’s act.
Of course the legislation may need to be updated. It is complex, providing plenty of fair grounds to legal appeal. Ultimately it is the public benefit that matters, and that also includes the right for small entities, and individuals to have access to a fair market.

Clearly many are not receiving adequate complaint resolution and adequate service.
Small entities and individuals deserve justice, choice and reasonable service. These rights, though guaranteed in law, are often undermined by large tech companies.

Competition law and ‘fit and proper’ tests may need some finessing to make them relevant.

“The concept of the fit and proper person turns up in much legislation that regulates the private use of a public resource or public good.”

https://www.crikey.com.au/2011/07/14/a-fit-and-proper-test-case-rating-alan-bonds-character/

Fit and proper tests already apply to some commercial sectors…

Most of the tests in s 15(6) must be met on a continuing basis, including the “fit and proper person” test in s 15(6)(a). If the licensee no longer complies, the Minister has the power to cancel a licence or, in the case of a renewal application, is required to refuse to renew a licence.

https://www.austlii.edu.au/au/journals/AUMPLawB/1996/27.pdf

In the UK…

Ofcom sent an open letter on 8 July 2011 to John Whittingdale MP (Chairman of the Culture, Media and Sport Committee) with the intention of “setting out as clearly as possible what Ofcom’s role, powers and duties are in these matters”.

Ofcom confirmed that “person” includes controlling directors and shareholders, and also that it would not act on unsubstantiated allegations. However, Ofcom did not provide any general guidance on the factors it takes into account when assessing fitness or propriety, simply stating that it will consider “any relevant conduct of those who manage and control such a licence”.

https://www.ofcom.org.uk/__data/assets/pdf_file/0019/51346/j_whittingdale_080711.pdf

Under Sections 3(3) of each of the 1990 and 1996 Broadcasting Acts, Ofcom must be satisfied that any person holding a broadcasting licence is, and remains, fit and proper to hold those licences. It is the licensee (which, if it is a corporate body, will include controlling directors and shareholders) in relation to whom Ofcom has to be satisfied that it is fit and proper.

https://www.ofcom.org.uk/__data/assets/pdf_file/0013/41152/fandpfaq-update.pdf

dean April 24, 2024 12:37 AM

@JonKnowsNothing

the company (IBM, M$) can make changes legally to make the entire suit moot. (which is the point of anti-trust)

It’s one purpose of anti-trust actions. I presume another purpose is to disincentivize other companies from behaving badly. If they can get away with it for years, then escape consequences by playing nicely when the lawyers show up, it won’t have that effect. (Kind of like all those times we see the FTC catch a company breaking a law, and the punishment is that they agree to stop breaking the law for 10 years.)

Winter April 24, 2024 1:26 AM

@JonKnowsNothing

All insurance is a gamble. It’s legal gambling and accepted practice in business.

All investment is a gamble. etc.

The whole point of investing is risk diversification. Insurance is distributing risks from those who cannot bear it to enough others that each can bear their portion for a price.

Not really different from other investments.

The problem with software/hacking insurance is that the probabilities cannot be quantified as the field changes too fast. This is compounded by the fact that a successful attack can have almost unlimited damages as it will ravage whole industries like a wildfire. [1]

This systemic risk is the other side of the network effect. As everybody is better off if all use the same software, monopolies are rife. As these monopolies are allowed to kill all competition we end up with a perfect storm: everybody has all their eggs in the same basket. Any successful attack will affect everyone at once.

Software insurance is like earthquake or pandemic insurance. There is never only one claim for damage. Every policy holder will claim damages at the same time. No insurer can handle this.

[1] NotPetya damage is estimated at $10B

Morley April 24, 2024 10:14 AM

Breaking up one would be a windfall for the others. I wonder if we can break them all up at roughly the same time.

Jam it April 26, 2024 7:11 PM

Abolishing any form of cyber insurance, and upping penalties for negligence or malfeasance would lift the most boats. As long as any company sees a payout to do nothing (weak compliance/insurance), rather than the payout to hire the most qualified people to just fix the problems they create, the shenanigans will continue to literally no one’s benefit.

com off the shelf: crap. April 29, 2024 6:01 PM

Security and COTS.

FACT is: software and hardware is essentially military equipment, reduced to civilian grade and regulated, down to a functioning stairwell.
