Interview with Edward Gibson, Chief Security Advisor at Microsoft UK

Mr. Gibson is the Chief Security Advisor for Microsoft in the UK. This role comes on the heels of his retirement from a 20-year career as a Supervisory Special Agent with the Federal Bureau of Investigation. During this period, Gibson was a recognized expert in investigating complex, international money laundering schemes, asset identification and confiscation, and intellectual property theft. From early 2000 – mid 2005, Mr. Gibson was assigned to the FBI’s Legal Attache office, US Embassy London, as an Assistant Legal Attaché. There, he was responsible for all FBI cyber, hi-tech, cyber-terrorism, and infrastructure investigations in the UK. His leadership resulted in the creation of a model cyber program adopted by all Legal Attache offices around the world.

What has been your biggest challenge in the role of Chief Security Advisor for Microsoft? Has your background expertise helped shape your role in the company?
Most people only know of “criminality’ on the Internet through anecdotal reports. Until someone is personally affected by identify theft, social engineering, auction fraud, or other type fraudulent e-commerce activity, it is something for someone else to deal with. This should not be a surprise, as this is generally how people behave in the bricks and mortar world. However, the rules by which we live in the bricks and mortar world are sometimes largely ineffective in the cyber world. The Internet is global, and criminals are not bound by jurisdiction, political relations, or other restrictions due to anonymity and ability to hide in plain sight.

Yes, my background has been a key driver in shaping my role in the company. I know criminals, how they behave and the tools they use, particularly in internationally complex cyber criminality. As the single point of contact for all UK law enforcement and security services at the US Embassy London in relation to cyber investigations and laws related thereto, I had many opportunities to work with a variety of agencies in a number of countries. And each success was due to an understanding of the different cultures, laws, and priorities. This understanding was bolstered by having been a lawyer in the US prior to my appointment as a Special Agent, FBI, and qualification as a Solicitor in England / Wales, and the truly exceptional law enforcement and government representatives, without whom success would have been hard fought. With this background, I am better able and proud to represent Microsoft UK in my role as Chief Security Advisor.

As Windows Vista was released Microsoft has already announced the Vista Service Pack 1. Some see this as a sign that Microsoft knowingly released the OS with security problems while others believe it to be a step forward in security awareness and applaud Microsoft for starting work on a collection of patches this early. What’s your take on this situation?
Microsoft’s operating systems / platforms, applications, and processes are used by millions of people in nearly every country on this planet. It’s software products are used in mission critical devices and processes (in the UK, the NHS is a prime example), defence industry, manufacturing, finance, and government to name a few. Knowing what I do about the kinds of attacks against its applications, operating systems, and processes, by ruthless organized crime groups and people using every conceivable method to steal, compromise, extort, blackmail, or otherwise make life miserable for their own personal gain, we all can be mighty proud of the extraordinary efforts Microsoft has and continues to put into making all computer users more safe on the Internet. But remember, criminal attacks against systems is an Industry-wide problem, which is why Microsoft is working with industry partners, government, and educational institutions to help ensure understanding of the problems and develop better solutions.

It’s important to remember that no software is 100% secure. We’re working to keep the number of security vulnerabilities that ship in our products to a minimum. Trustworthy Computing is a long-term initiative and those changes do not happen overnight. We’ve made progress and our efforts are resulting in significant improvements in the security of our software. We have every confidence that – together with our industry partners – we’ll continue to meet the constantly evolving challenge of security to help our customers and the industry become more secure.

Did Microsoft use a different approach to testing security while developing Windows Vista?
The release of Windows Vista is the first Microsoft operating system to use the Security Development Lifecycle (SDL) from start to finish and was tested more prior to shipping than any previous version of Windows.

Building on the significant security advances in Windows XP Service Pack 2, Windows Vista includes fundamental architectural changes that will help make customers more secure from evolving threats, including worms, viruses, and malware. These improvements minimize the operating system’s attack surface area, which in turn improves system and application integrity and helps organizations more securely manage and isolate their networks.

Too often software is developed by bolting security technology onto an application and declaring it secure. The SDL was developed to provide a step-by-step process integrating secure development into the entire software lifecycle from start to finish. We have already seen the benefits of this process as it was first used for Windows Server 2003 and resulted in a 56% decrease in the number of security bulletins, compared to Windows Server 2000.

By having the most deployed OS in the world, Microsoft is always under the microscope and has to tackle a myriad of security challenges. What are the ones that you expect to cause problems in the near future and what strategies does Microsoft use to fight them?
As I always say, it’s about people, process and technology and at Microsoft our security strategy is very much aligned to these three areas. The threat landscape is continually evolving and challenges appear in the form of malware, inappropriate security policies and the regulatory environment. Our security efforts are therefore focussed on the area of partnerships, innovation and prescriptive guidance. Microsoft is working in partnership with Government and industry groups to thwart security threats. So for example, in the UK, we are an active member of the Government backed Get Safe Online program, which aims to educate consumers and businesses on the importance of security.

We are continually developing our products to protect computer users and stay one step ahead of the cyber criminal. So for example, as I’ve already mentioned, our Security Development Lifecycle is used to ensure rigorous testing of software code in products such as Windows Vista. In addition, our MSN Hotmail service blocks 3.4 billion spam messages per day.

Finally, at Microsoft, we’re committed to providing guidance to help businesses and consumers act and secure their digital lives. In the UK alone, according to recent figures from APACS (the UK payments association), online banking fraud alone cost £22.5m in 2006. Therefore we are deeply engaged in customer education programs such as our partnership with GSOL. In fact, a big part of my role is to liaise between customers and our internal development teams, finding out what the problems are and seeing how they can be resolved. My number one message is that prevention is the best defense! You don’t need to wait to protect yourself today. There are numerous resources available (both from Microsoft and across the industry) to help protect against the growing severity of information security threats.

When discussing Windows Vista, Microsoft is emphasizing that it is the most secure Windows ever. Do you believe you’ll be able to stand behind that in a year or two? What makes you so certain of Vista’s security features? After all, we live in a world of constant evolving threats. Does ‘more secure’ = ‘secure’?
As mentioned previously, whilst no software is 100% secure, we are confident that Vista is the most secure and thoroughly tested version of Windows we have ever produced. Our customers expect and deserve a computing experience that is safe, private and reliable. Trustworthy Computing has fundamentally changed the way we develop and help our customers manage Microsoft software and services. Threats to security and privacy constantly evolve and the holistic nature of Trustworthy Computing highlights Microsoft’s commitment to facing this changing landscape. Microsoft cannot do this alone, and we will continue to partner and collaborate with industry, government and academia to better protect customers and adapt to evolving security threats.

In the past, Microsoft’s security headaches were coming from full disclosure lists where researchers publicly disclosed vulnerabilities in Microsoft products without reporting them to the company. Today, the threat landscape is changing with 0-day vulnerabilities in Windows Vista being sold to the highest bidder and not reported at all. How does Microsoft deal with this problem?

Due in part to recent reports of security vulnerabilities in a wide range of software, security is a growing concern for more and more computer users every day.

The industry is responding in part by seeking new opportunities to improve the way that security information is gathered and shared to protect customers while not aiding attackers.

Microsoft is aware of iDefense offering compensation for information regarding security vulnerabilities. Microsoft does not offer compensation for information regarding security vulnerabilities and does not encourage that practice. Our policy is to credit security researchers who report vulnerabilities to us in a responsible manner.

Since its inception, Microsoft Patch Tuesdays have been successful. Yet, many critical vulnerabilities are announced shortly after the batch of monthly patches. Shouldn’t there be more frequent patch releases?
We investigate each security vulnerability report thoroughly to determine its impact to our customers. In combination with that investigation we also take a look at our engineering processes to help determine how we can best deliver a quality update to our customers within the consistent time frame that our customers have requested, which is currently on a monthly cycle.

There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update.

Every vulnerability presents its own unique challenges. We’ve been clear that bulletins can be released out-of-cycle, if necessary, to help protect customers if a level of awareness and malicious activity puts customers at risk in any way. In this case, the level of awareness and malicious activity around a vulnerability may prompt Microsoft to move to a release schedule that would deliver a fix as soon as one could be built and thoroughly tested.

Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once they know the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe. In some instances, multiple vendors are affected by the same or similar issue, which requires a coordinated release.

Internet Explorer has been hit by a variety of vulnerabilities in the past and many patches have been released. Now that IE 7 out, does Microsoft plan a better security strategy for the most used browser?
Security is an industry wide issue and although there is no one solution, our approach to security spans across both technological and social aspects.

In technology, we’re focused on designing software that is resilient in the presence of malicious code threats (such as worms and viruses) and that isolate the potential impact of contamination.
In the interest of helping to better protect our customers, we delivered Windows XP SP2 in 2004, which included a major security upgrade to Internet Explorer. Building on that release, Internet Explorer 7 has been redesigned and includes new security features to help protect end users against spyware and phishing attacks. A variety of new security enhancements have been added to provide end users with a host of new capabilities to make everyday tasks even easier, including dynamic security protection to help keep them safe online.