Microsoft: US government is an 'advanced persistent threat'

Microsoft: US government is an 'advanced persistent threat'

Summary: Microsoft's EVP of Legal and Corporate Affairs outlined the company's new data protection strategy on the basis that the US government is an "advanced persistent threat" — a label used for cyber criminals.

SHARE:

While Microsoft's recent move to encrypt user data made the most headlines, the reasoning underlying its new data protection strategies classify the US government in the same category as a cyber-criminal group.

Microsoft advanced persistent threat

Brad Smith, Microsoft's EVP of Legal and Corporate Affairs, labeled the American government as an "advanced persistent threat" in a December 4 post on The Official Microsoft Blog.

The term advanced persistent threat (APT) refers to an attacker, usually an organized group of malicious attackers, that should be considered harmful and dangerous — and an overall method of attack that plays a "long game."

Microsoft's explosive post begins by stating, "Many of our customers have serious concerns about government surveillance of the Internet."

Smith wrote in Protecting customer data from government snooping:

(...) Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.

In particular, recent press stories have reported allegations of governmental interception and collection – without search warrants or legal subpoenas – of customer data as it travels between customers and servers or between company data centers in our industry.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.

While the writing is cautiously couched in terms of "some governments" it's crystal clear that Microsoft's "advanced persistent threat" is referring to the ongoing revelations of US government surveillance activities (in leaks by Edward Snowden), and the concerns of Microsoft's American customers.

Cybersecurity firm Mandiant has tracked security breaches by advanced persistent threats since 2004; in February 2013 Mandiant reported that the most prolific APT in the world was "One of China's Cyber Espionage Units."

To see one of America's biggest companies say it must protect itself from its own government as it would from a group of malfeasant Chinese cyber-spies is a moment for the history books.

But security professionals worldwide may not be quite so surprised.

Not because hackers issued tinfoil bonnets at birth — most security pros and researchers understand that the same APT techniques used by cybercriminals to steal data from businesses and individuals for financial gain are the same used by nation-states.

advanced persistent threat

Microsoft and its Skype product have been named, alleged (and ridiculed) as having some kind of role in this year's unending, terrifying NSA scandal; namely, that products have been massaged with backdoors to which US government entities have access.

Only Americans need to worry about search warrants and subpoenas — in that exact terminology, as written in Mr. Smith's text. 

The Microsoft legal exec explained,

In light of these allegations, we’ve decided to take immediate and coordinated action in three areas:

-  We are expanding encryption across our services. 

-  We are reinforcing legal protections for our customers’ data. 

-  We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors.

Springboarding from its "persistent threat" categorization, Microsoft then explains its new encryption efforts — putting America's government and malicious hackers in the same category.

For many years, we’ve used encryption in our products and services to protect our customers from online criminals and hackers. While we have no direct evidence that customer data has been breached by unauthorized government access, we don't want to take any chances and are addressing this issue head on.

In Microsoft legal's official post, it continues to describe legal concerns relevant only for its American users and customers, and what it will now do to reinforce legal protections for its customers' data.

Microsoft said that as part of fighting this advanced threat, it will now fight gag orders "head on."

In its new Reinforcing Legal Protections initiatives,

(...) we are committed to notifying business and government customers if we receive legal orders related to their data.

Where a gag order attempts to prohibit us from doing this, we will challenge it in court.

We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data.

And we’ll assert available jurisdictional objections to legal demands when governments seek this type of customer content that is stored in another country.

And if anyone was still skeptical about whether Microsoft meant the US government when it said the words "advanced persistent threat," the post concludes:

Ultimately, we’re sensitive to the balances that must be struck when it comes to technology, security and the law. We all want to live in a world that is safe and secure, but we also want to live in a country that is protected by the Constitution.

We want to ensure that important questions about government access are decided by courts rather than dictated by technological might.

Leaving us all to wonder just what kind of mess we're in when one of the largest, richest and most visible American companies in the world openly categorizes the US government as an "advanced persistent threat" to both itself, and its customers.

Topics: Security, Government US, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

44 comments
Log in or register to join the discussion
  • Piffle.

    No matter what Microsoft does will fix the problem.

    All it takes is a single NSL and they will hand over any encryption keys asked for.

    Everything else is just hot air.
    jessepollard
    • And then Microsoft gave the NSA the key

      Microsoft has put tough encryption on its products.

      But then, Microsoft gave the NSA the master key.
      http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

      Microsoft has put out a welcoming mat for the NSA to come and rummage through all your private documents to see what you might have.
      Vbitrate
      • They even put 3D camera on the

        new SpyBox One so that the NSA can be in everyone's livingrooms.

        MS is just another branch of the NSA at this point. The only thing you can trust is open source, just make sure you keep your eye on the source code. Fortunately, there thousands of eyes across the world doing exactly that helping to keep us Linux users safe.
        T1Oracle
  • Microsoft: US government is an 'advanced persistent threat'

    Microsoft may see the U.S. Government as a threat but there is little they can do about it. The government is going to access the data one way or another either through asking for it or just tapping into the servers. This isn't going to be limited to just Microsoft. They already intercepted Google's data.
    Loverock.Davidson
    • True that.

      Considering the NSA already has the keys to the encryption Microsoft uses, this is a pointless gesture meant to reassure Microsoft customers rather than actually accomplish anything. It could also be seen as a carefully worded public protest to the thuggery perpetrated by the U.S. government. Even if Microsoft changed its keys and buried them where the NSA can't find them, the NSA has custom designed, massively parallel, dedicated cracking hardware that is an order of magnitude faster than any super computer at cracking keys. If they want your data, they get it. NSLs were created in order to attempt to legitimize what they've already been doing for 20+ years. Even if the Patriot Act gets repealed, they'll continue their illegal activities indefinitely. The U.S. government is out of control, and they don't care what U.S. citizens or the rest of the world thinks about their actions.
      BillDem
    • That's why you should switch to Linux

      No NSA backdoors in public open source code. It's about time you upgraded LD.
      T1Oracle
      • They don't need it in the code

        They don't need it in the code they just need it in the hardware or access to the fiber backbone - no OS is safe
        DougAlder
        • Open source hardware exists too

          Furthermore, unless its firmware it's not really secret. You can't hide much in hardware.
          T1Oracle
  • Encrypted encryption?

    :-(
    kd5auq
  • The Problem

    The real problem is customers will migrate away from MS' products because the customers believe the NSA has access to their data. Whether this is true does not matter. If sufficient customers believe they must abandon MS for something else MS is in trouble. MS is trying to avoid mass customer defections particularly overseas. I suspect MS has seen a spike in customer interest to migrate to something non-MS since the scandal broke.

    The real concern for all US tech companies is that customers will look for other alternatives in an attempt to avoid NSA spying.
    Linux_Lurker
    • the problem you mention doesn't exist

      people in business that buy computers are smart enough to know what's true and isn't so I really doubt they'll just take so guy on the street's word on it and switch to Linux.
      you don't give computer buyers enough credit.

      plus there is no mass customer defections overseas or here, and web usage stats and sales figures every month back that up, so there is no spike to be seen because non exist.

      but your name shows why you desperately want to believe that.
      Challenger R/T
      • Timeline

        MS is not worried too much about the next quarter. The damage is long term and will take time to surface. The key metric to watch is how many customers announce plans to migrate away from MS in the next several quarters.

        The key phrase is "If sufficient customers believe". The issue is not about facts but about customer perceptions and concerns. MS should be worried about this. Customer perception and loyalty are fickle beasts and strong negative opinion shifts could destroy any company. The truth of what MS did or did not do is immaterial.

        The broader issue is the all US based companies have been tarred by the NSA scandal whether they are individually involved or not.
        Linux_Lurker
      • No mass defections

        You need to look at Germany 1st to see you're wrong, East Europe will do the same. The only ms customers will be American, British, and Australian governments and public bodies though if they do go to court and publicise it they may stop if not reverse the rot
        Kevin Morley
    • RE: "The Problem"

      This is hillarious! Didn't M$FT put back doors into their OSs because the US government WANTED THEM? Sheesh--you can't even make this stuff up.

      BTW...there on a recent Max Keiser report (E531) was a discussion between Max Keiser and "futurist, IT architect and Free Software advocate, Arjen Kamphuis, about the internet in a post re-architected NSA world in which the free network is disintegrating but against which the likes of Google, Oracle and Microsoft are leveraged. They add up the costs to US corporations in lost revenue as nations across Europe and Latin America divorce themselves from industrial espionage on an industrial scale from America." He said the EU is very alarmed by the NSA's spying actions and is considering that ALL American software use is fraught with security problems. He advocated open source solutions, and just dump the likes of M$FT...especially since open source solutions work quite well.
      http://www.youtube.com/watch?v=O2rsQhsTTbE&feature=player_embedded#t=769

      Perhaps this announcement by M$FT is to try and herd the horse back into the barn??

      Too late BABY! You jumped head first into the cowpie!!
      tekybeky1
  • Brad Smith is my hero

    So few corporate types are willing to go up against the US government out of justifiable fear that there will be retribution (and there has been *much* retribution for companies that have spoken out about Obamacare). Kudos to Brad and Microsoft for this willingness.
    FDanconia
    • Heroism

      I agree. No matter what Microsoft can do, speaking out is an act of heroism.
      kouzen
    • Why not go after the root cause?

      The tech companies can band together and mobilize their customers, including consumers, students/teachers and enterprises, to make it known to their representatives in Washington, D.C., that they want the U.S.A. Patriot Act repealed.

      Non-profit organizations can be enlisted (and funded) to organize mass demonstrations across the country, especially in Washington, D.C., along with phone and email campaigns to their U.S. Congress members, including the Speaker of the House and Senate Majority Leader, along with the President of the U.S.

      The major search engines, Google Search, Microsoft Bing and Yahoo! Search, can add a link to their search pages that users can click to get more information and get involved.
      Rabid Howler Monkey
    • Obamacare

      What retribution has their been against companies that spoke out against Obamacare?
      x I'm tc
      • IRS

        They get audited by the IRS. They're the current favorite method of retribution against American Citizens.
        John L Bowles
        • IRS

          Ya funny that they targeted more Progressive/Democratic 401c orgs in the last election cycle than the single Tea Party one isn't it
          DougAlder