Today, with the launch of the CyberPeace Institute, the world will gain an important new ally in understanding the impact of cyberattacks, in working to develop rules for proper conduct in cyberspace and in helping the most vulnerable victims of cyberattacks become more resilient.
Today’s news is important because cybersecurity is one of the more critical issues of our time. The escalating attacks we’ve seen in recent years are not just about computers attacking computers – these attacks threaten and often harm the lives and livelihoods of real people, including their ability to access basic services like health care, banking, and electricity. In May 2017 it took the WannaCry attack just hours to impact more than 300,000 computers in 150 countries, including systems that supported the National Institute of Health in Great Britain. Six weeks later, NotPetya disabled an estimated 10 percent of all computers in Ukraine, crippling businesses, transit systems, and banks there before halting the systems of multinational corporations around the world and suspending operations of one of the world’s leading shipping companies. At Microsoft, we track cyberattacks by dozens of nation-state actors, and activity continues to increase.
It will take a multi-stakeholder effort to address these issues. The internet is the creation of the private sector, which is primarily responsible for its operation, evolution, and security. But governments have an important role to play in observing and enforcing norms for conduct in cyberspace and in deterring damaging attacks by other nations. Governments, the private sector, civil society and academia must be part of discussing solutions and taking concrete steps to protect people. Badly needed in the fight against cyberattacks is a credible source of research and analysis about the impact of cyberattacks around the globe on world citizens. Another important gap is the need for immediate help and advocacy for the most vulnerable victims of these attacks. For years, nongovernmental organizations around the world have provided on-the-ground help and vocal advocacy for victims of wars and natural disasters, and have convened important discussions about protecting the victims they serve. It’s become clear that victims of attacks originating on the internet deserve similar assistance, and the CyberPeace Institute will do just that.
For these reasons, Microsoft has joined the Hewlett Foundation, MasterCard and other leading organizations as initial funders of the institute. The institute will be independent, and we anticipate it will have a significant impact on the three core areas where it will function:
Assistance: Coordinating recovery efforts for the most vulnerable victims of cyberattacks and helping vulnerable communities and organizations become more resilient to attacks.
Accountability: Facilitating the collective analysis, research, and investigation of cyberattacks, including by assessing their harm, and bringing greater transparency to the problem so everyone has better information to inform action.
Advancement: Promoting responsible behavior in cyberspace and advancing international laws and rules.
We believe customers have a right to know when law enforcement requests their email or documents, and we have a right to tell them. The reason is simple – we believe our customers own their data and have the right to control it. Absent extraordinary circumstances, government agents should seek data directly from our enterprise customers, and if they seek our customers’ data from us, they should allow us to tell our customers when demands are made. We believe strongly that these fundamental protections should not disappear just because customers store their data in the cloud rather than in file cabinets or desk drawers.
When a law enforcement agency presents Microsoft with a legally valid warrant, court order or subpoena requesting data that belongs to one of our enterprise customers, we seek to redirect that request to the customer. And in the vast majority of cases, that is exactly what happens. There are times, however, when the government comes to us for data and prevents us from telling our enterprise customers that it is seeking their data. We agree that there are some limited circumstances in which law enforcement must be able to operate in secret to prevent crime and terrorism and keep people safe. And while we agree that secrecy orders that prevent us from notifying our customers may be appropriate in those limited circumstances, we also believe there are times when those orders go too far. In those cases, we will litigate to protect our customers’ rights.
Curbing the overuse of secrecy orders
We filed a lawsuit in late 2018 to protect these rights, which was recently unsealed by a U.S. District Court. This legal challenge follows our prior litigation to curb the overuse of secrecy orders and highlight the growing need for principles to govern law enforcement access to data in the United States and internationally. This is an important fight we take on out of principle, and it is a fight we will continue to mount.
We take this responsibility seriously and have repeatedly called for principles to govern law enforcement access to data in the United States and internationally. The first such principle is the universal right to notice — i.e., absent narrow circumstances, users have a right to know when the government accesses their data, and cloud providers must have a right to tell them. Moving into the 21st century should not mean a brand-new rule that allows the government to execute a warrant without any notice to the target of that warrant.
What I find coincidental about this posting on the same day history-making news was announced surrounding national political events. The announcement of impeachment inquiries has in part been a result of insecure voting. As the great national security philosopher, Malcolm Nance, once stated: Coincidences take a lot of planning.
In May, Microsoft CEO Satya Nadella announced ElectionGuard, a free open-source software development kit (SDK) from our Defending Democracy Program. ElectionGuard is accessible by design and will make voting more secure, verifiable and efficient anywhere it’s used in the United States or in democratic nations around the world. Today we’re announcing that ElectionGuard is now available on GitHub so that major election technology suppliers can begin integrating ElectionGuard into their voting systems.
The ElectionGuard resources available on GitHub today extend across four GitHub repositories, or storage spaces, each described below.
ElectionGuard specification. The ElectionGuard specification includes both “informal” and “formal” road maps for how ElectionGuard works. The informal spec is authored by Dr. Josh Benaloh of Microsoft Research and provides the conceptual and mathematical basis for end-to-end verifiable elections with ElectionGuard. The formal spec contains detailed guidance manufacturers will need to incorporate ElectionGuard into their systems, including a full description of the API – which is the way voting systems communicate with the ElectionGuard software – and the stages of an end-to-end verifiable election.
Software code. This repository contains the actual source code vendors will use to build their ElectionGuard implementations. It is written in C, a standard language commonly used by open-source software developers, and includes a buildable version of the API. This documentation is also viewable here. This code was built together with our development partner Galois.
Reference verifier and specification. As we announced in May, ElectionGuard enables government entities, news organizations, human rights organizations, or anyone else to build additional verifiers that independently can certify election results have been accurately counted and have not been altered. The resources available on GitHub today include a working verifier as well as the specifications necessary to build your own independent verifier.
The dialogue at this year’s United Nations Climate Summit has a refreshing air of sober reality. The urgency of the climate crisis has by now fully been absorbed, and the conversation has turned to the practical matter of what needs to be done to mitigate the worst impacts of a rapidly changing climate and adapt to that which we cannot avoid.
This means that the time of raised ambitions and grand announcements without clear action plans is also past. That is why we are focusing this week on new and specific contributions both inside and outside our four walls that have the potential to meaningfully impact environmental outcomes. We have been doing this work for more than a decade and, in April of this year, we doubled down on our ambitions with a clear focus on doing more where it makes the most difference — beyond operational changes and increasingly on how we put technology to work for the planet. With that in mind, I’m sharing several concrete developments and markers of progress, including:
Aligning our operations with a 1.5C climate scenario: It’s clear, given the science, that targets should be even more ambitious than the Paris Accord targets, which mapped to a 2-degree rise. Today, we’re pleased to say that our renewable energy target has been certified by the Science-Based Target Initiative (SBTi) as aligned to a 1.5-degree Celsius future. The certification is meaningful for two reasons — first, we believe that actions should be driven by the best available science, and SBTi uses that as a core criterion for approval; and second, what is most important is not just setting targets — it’s meeting them. Science-based targets offer important measurement and accountability that are critical to assessing whether we’re making the progress the world needs, in the time frame we have available.
Extending carbon reduction work into our supply chain: Today, we’re setting a target reduction for our value and supply chain via our new SBTi-certified target, which will see us cut these emissions by at least 30 percent by 2030. Our supply chain emissions, referred to in carbon accounting as Scope 3 emissions, are indirect carbon emissions associated with anything from manufacturing to customer use of devices to employee airline travel, and are far larger than our operational footprint. This is true for many companies and nearly all technology companies. We have already worked to drive transparency in this space, with more than 105 of our top suppliers reporting through the CDP (formerly the Carbon Disclosure Project), and will look to continue to do more in this space in the coming year.
Going from carbon-neutral operations to carbon-neutral products: Microsoft’s business operations have operated carbon neutral since 2012. Today we are beginning the journey of extending that to our products and devices with a pilot to make 825,000 Xbox consoles carbon neutral. These are the first gaming consoles to be carbon neutral. While just a pilot, we’re already looking at what we can do to further reduce and neutralize carbon across devices in the future.
Putting technology in the hands of others for the good of the planet: The investments we’ve made to make our devices and datacenters and supply chain greener are good for the planet but have an exponential impact when the world is using these greener computing resources to power new AI breakthroughs for the planet. That’s why we’re continuing to expand our AI for Earth program with new grant partners like Conservation X Labs, National Geographic Society, and World Resources Institute. We now have more than 430 grantees in 71 countries and just released our first APIs and code on our website and GitHub. The newest members of AI for Earth include the young leaders who participated in the Youth Summit’s Summer of Solutions.
…But progress is indeed possible. That’s not a naïve hope but one based on evidence: technology breakthroughs over the past few years, new work underway across our business, and a growing appetite from customers to digitally transform their businesses with sustainability in mind. We’re celebrating today in New York, and tomorrow we get back to work. I hope you’ll join us.
Today, as part of Microsoft’s Defending Democracy Program, we are announcing that we will provide free security updates for federally certified voting systems running Windows 7 through the 2020 elections, even after Microsoft ends Windows 7 support. I would like to share more on why we help customers move away from older operating systems and why we’re making this unusual exception.
We launched Windows 7 in 2009, the same year the Palm Pre launched, Twitter took off, mobile phone navigation was just coming to market, and floppy disks were still selling by the millions. Software built for that era cannot provide the same level of security as a modern operating system like Windows 10. When we released Windows 7, we committed to supporting it for 10 years, and we’ve honored that commitment. We’ve also reminded customers about this along the way including, most recently, in January and again in March. This process is similar to how we’ve ended support for other operating systems in the past, and the majority of our customers have already made the move to Windows 10.
As we head into the 2020 elections, we know there is a relatively small but still significant number of certified voting machines in operation running on Windows 7. We also know that transitioning to machines running newer operating systems in time for the 2020 election may not be possible for a number of reasons, including the lengthy voting machine certification process – a process we are working with government officials to update and make more agile.
Since we announced our Defending Democracy Program, we’ve focused on bringing the best of Microsoft’s security products and expertise to political campaigns, parties, the election community, and democracy-focused nongovernmental organizations. This includes our AccountGuard service, which we offer at no additional cost, and ElectionGuard, which we’re making available for free and open-source…
“The EBA framework is a great step forward to help modernize regulation and take advantage of cloud computing,” writes Microsoft Assistant General Counsel Dave Dadoun in a post on Transform.
“Because this is such an important milestone for the financial sector, we wanted to share our point-of-view on a few key aspects of the guidelines, which may help firms accelerate technology transformation with the Microsoft cloud going forward,” he says.
By Andrea Erickson-Quiroz, Managing Director, Water Security at The Nature Conservancy
As astronomers look out further into the vast expanse of space, it’s increasingly clear how unique our blue planet is. Our oceans and rivers separate Earth from every other planet we’ve discovered so far. But in our daily lives, we don’t always appreciate how precious this natural resource really is.
In fact, water insecurity is a growing threat around the world, and it will get worse if we don’t arrive at some immediate innovative solutions. And while technological innovation shapes nearly every other aspect of our lives, we’ve been slow to apply tech solutions toward one of the greatest challenges of our time.
As our changing climate puts more stress on the availability and quality of water worldwide, we urgently need a shift in perspective with a new focus on innovative solutions to water security.