Source:- rte.ie
6.5 trillion: That’s the astonishing number of online threats that staff at Microsoft’s Cyber Defence Operations Centre see each day.
And quite a portion of those attacks are aimed at the company itself. The highest number of attempted intrusions into Microsoft’s network of products and services ever detected in one 24-hour period was 1.5 billion.
Keeping these so-called “bad actors” at bay is the overall responsibility of Ann Johnson. She is the company’s Corporate Vice-President, in charge of the Cybersecurity Solutions Group.
“It is obviously complex, and that’s coming in at a global scale,” she told RTÉ News during a visit to Dublin this week.
“So we use a lot of machine learning technology, we use a lot of artificial intelligence and automation. We want to parse the threats. We want to see what is real. Separate the signal from the noise.
“The other thing is we want to automate the response as much as we can. Because at the end of the day, 6.5 trillion and 1.5 billion is not something any amount of humans can consume, right?
“So the landscape is increasingly complex, the attacks are coming from around the world. But we feel like we have some pretty good system defences in place, based on the intelligence we see.”
And “around the world” means, literally from everywhere. From cyber-criminals, from nation states, from random hackers working by themselves, in every part of the globe.
Their targets are diverse, from Microsoft’s business applications, through to its Azure cloud services and its Office 365 suite of apps.
But because Microsoft’s business is now hugely focused on cloud-based products, it means the challenge and method of defending each area is more or less the same, Ms Johnson said.
Cyber security and the threat posed by nation states have been very much in the mainstream news lately because of the focus on Huawei and the US government’s stated concerns that the telecoms firm’s equipment could be used by the Chinese government as a back door for spying and cyber-attacks.
These concerns recently led the Trump administration to ban US companies from selling products and services to the Chinese manufacturer.
Google has already signalled it will limit Huawei’s access to its Android mobile operating system, while Facebook has suspended pre-installing its apps on Huawei devices.
Microsoft, though, has said little publicly about how it intends to handle the situation, despite also being a significant supplier to Huawei.
“Microsoft will comply with anything that the United States government requires us to comply with obviously because we are a United States company,” Ms Johnson said.
And what about the alleged threats posed by China?
“I think that there are a wide variety of actors globally that we need to continually be vigilant about,” she said diplomatically.
That vigilance has to take many different forms, as the threat posed by hackers evolves by the second. But sometimes the security response doesn’t change quite so fast.
Take, for example, passwords, which have been the main means of authenticating identity for decades now, but which can be highly insecure.
“We are on a mission to be passwordless and we think our customers should be on a mission to be passwordless and we think consumers should be on a mission to be passwordless.”
“At the end of the day research still shows that … 76% of breaches start with some type of stolen credential. So the more we can get passwords out of the ecosystem the higher the cost to the attackers, they actually have to come up with new methods, and obviously the more secure our infrastructure is going to be and the more secure our customers are going to be,” said Ms Johnson.
Passwords will, she predicted, give way increasingly to biometrics, which are more frictionless, offer ease of use and a variety of alternative form factors, including even ear profiles.
And the Microsoft cyber general said we shouldn’t be concerned about the risk of biometric data being stolen and misused in the same way passwords have been, as long as it is secured using best practice techniques used to protect other forms of data from theft.
“There is nothing particularly unique about biometric data than any other IP data in your organisations,” said Ms Johnson, who comes from New York but now lives in Seattle.
“You encrypt the data, you hash the data, you secure access to the data, you make sure access to the network it is on is secure. It is not unique in any way. But you do need to treat it as high-value data.”
Another high risk when it comes to cyber-threats are people themselves, something Microsoft is all too well aware of.
Earlier this year, the company admitted its Outlook.com service had been breached by a hacker, allowing unauthorised access to some accounts, after a support agent’s credentials were compromised.
According to Ms Johnson, we need to become less dependent on the human firewall by instead building technologies that protect people as much as the data.
“They are going to click on the link, so let’s build technologies behind clicking on the link that keeps them secure,” she explained.
“Let’s build technologies that allow them to get rid of their passwords. Let’s make sure we educate the humans as much as possible, but also put in the controls behind them so we are not solely dependent on them.”
One of the most difficult dangers to solve right now though is a less obvious one to industry outsiders.
A talent shortage is currently gripping the cyber-security world, with 1.5 million openings at present, 2,500 of which are in Ireland.
By 2022, it is estimated that global industry talent shortfall will have risen to a staggering three million people.
“It is something that the entire industry needs to get oriented around with regard to how we recruit and how we retain … and how we train them,” she said.
But how does the gap get filled, and quickly?
“I think there’s a few different things,” Ms Johnson outlined.
“To start with we need to solve the diversity problem. Cybersecurity is still 10-15% female so that is easy math …The second thing though is that educational background, we have to stop being so dug in that there must be a STEM degree or they must have a certain background.
“The thing about machine learning and the thing about artificial intelligence is that you want different perspectives to train those engines anyway. So there is a huge benefit.
“The other thing is that we need to think about non-traditional channels. We do a lot of work, for example, with the US military, transitioning military members.
“You kind of have to pull all those levers.”
Ms Johnson believes some of the gap, but not all, can be filled by evolving technology, including artificial intelligence.
“I’m not a big believer in a silver bullet or a single solution,” she said.
“I think AI can go a long way towards helping solve the problem. But it is still pretty nascent … we are still discovering what those use cases are.”
Public concerns about cyber-security don’t, however, seem to be putting people off using the cloud for services and data storage.
Here, 85% of people already interact digitally with public sector cloud-based services, such as MyGovID, Motortax.ie and MyWelfare.ie, according to a recent Microsoft survey.
A similar number have heard of the cloud.
But trust isn’t as high, with 40% concerned about the safety of their personal data held by public cloud-based services.
Ms Johnson says that situation is changing rapidly though.
“When I started in Microsoft three-and-a-half years ago, I was still getting questions, ‘oh, is the cloud secure?’,” she said.
“Just the opposite (now). I’ve customers coming to me today saying, ‘look, I want to go to the cloud because I believe you can keep me more secure. You have the people, you have the tools. You have the global intelligence, you have the learnings. You can actually keep my infrastructure more secure than I can keep it myself’.”
That’s a big responsibility for any person or corporation to carry. But Ms Johnson said it isn’t necessarily the biggest risk Microsoft has to deal with, with the global economy and physical risks also looming in the background too.
“I never want to be an alarmist. I think we are doing an okay job,” she said.
“For everything you see on the news we have prevented 100 things. So I want people to know we are actually doing an okay job in the world of cyber-security today.”
“One thing we are seeing an increase in is the sophistication of cyber-crime gangs. So not nation states, but actually cyber-crime attacks.”
“They are increasing globally and they are pretty sophisticated and they are widespread. So there will always be a different kind of attack or a new actor coming in that we need to be thinking about and we need to be predictive about and build the right defences in advance,” added Ms Johnson.