Prioritizing security: will Microsoft's keynote address reflect this commitment?

Facing intense scrutiny to enhance its defenses against cyber threats, Microsoft will address this directly by featuring its top security leaders prominently at its annual Ignite conference in Chicago on Tuesday. A key announcement: a $4 million expansion to its bug bounty program, offering additional rewards to researchers identifying vulnerabilities in its cloud and AI infrastructure. This forms part of a broader initiative and a planned 2025 hacking event in Redmond—the Zero Day Quest. Microsoft has announced it will immediately double the payouts for uncovering AI security flaws, adding to its existing annual $16 million bug bounty.

"This significant increase will be a strong motivator," said Charlie Bell, Microsoft's executive vice president of security, in a pre-Ignite interview. Bell will share the stage with Vasu Jakkal, corporate vice president of Microsoft Security, during CEO Satya Nadella's opening remarks.

The program's origins stem from weekly meetings between Microsoft's senior leadership and Nadella, examining and resolving security concerns as part of the Secure Future Initiative. Nadella challenged the team to "embrace the red," meaning he wanted to hear about problems, not just successes. "It was actually liberating," Bell remarked. The decision to enlarge the bounty arose from one of these meetings.

Microsoft, claiming its existing program is the industry's largest, asserts this $4 million addition represents the highest potential rewards of any industry hacking event. However, questions arise regarding the sufficiency of the funding. With billions in reserves—$78.5 billion at last check—Microsoft has the means for greater investment to shape the economics of security research. Bell's response: "We could invest trillions, but would the returns justify it? We aim to incentivize responsible conduct."
Microsoft will also deploy its "AI Red Team," internal security experts who mimic attackers, to train external researchers in identifying AI vulnerabilities and so encourage their participation in the program.

Confronting cyberattacks and vulnerabilities: Bell, a former Amazon Web Services executive, joined Microsoft three years ago to guide its security initiatives.
Microsoft's Secure Future Initiative, launched in November 2023 following a major breach, aims to address substantial security concerns. Earlier that year, the Chinese hacking group Storm-0558 compromised the Microsoft Exchange Online accounts of over 500 individuals and 22 organizations globally, including high-ranking US officials. In January, a Russian state-sponsored actor known as Nobelium or Midnight Blizzard infiltrated Microsoft's internal systems and executive email, gaining access to source code repositories and internal systems.

A March Cyber Safety Review Board (CSRB) report on Storm-0558 deemed Microsoft's security culture "inadequate," pointing to "a series of preventable errors enabling the breach." The CSRB urged Microsoft to prioritize security. The following month, Nadella declared security the top priority.

Microsoft expanded its Secure Future Initiative in May, linking executive compensation to security performance, appointing deputy chief information security officers to each product group, and consolidating teams across platforms and products in "engineering waves" for comprehensive security overhauls. Besides removing hundreds of thousands of obsolete applications and millions of cloud tenants, the company is simplifying and standardizing security practices, creating "paved paths" that automate tasks rather than relying on individual employees' own methods. Microsoft states that about 34,000 full-time engineers are working on the Secure Future Initiative, terming it the "largest cybersecurity engineering project in history."
The inherent tension between business and security persists, with Microsoft facing ongoing criticism over profiting from security products while its own vulnerabilities contribute to wider cybersecurity issues. A November 15th ProPublica report described Microsoft's 2021 cybersecurity assistance offer to the US government as a calculated business strategy to increase revenue, outmaneuver competitors, and strengthen its federal market position. Microsoft countered that its primary motivation was to supply top-tier cybersecurity tools to combat escalating nation-state cyber threats. The company's statement further emphasized that the aim was to promptly respond to a critical government request to enhance federal agencies' security against sophisticated attacks; Microsoft worked alongside other tech giants (Google, Amazon, Apple, IBM) to provide free enhanced tools to raise the security baseline. Agencies were not obligated to buy Microsoft licenses and could use other vendors.
Nadella previously shared security product revenue figures with investors on a regular basis; that revenue exceeded $20 billion the previous year. The practice has since ceased, with emphasis shifting to the Secure Future Initiative and to reforms of culture and development practices.