The Internet Battlefield: Working to Support Online Safety

Kamal Hassan, Director, The South-East Asia Group, and Director, The Empire Club of Canada; James Gibbons, Grade 11 Student, North Toronto Collegiate Institute; Reverend Vic Reigel, Honorary Assistant, Christ Church, Brampton; Steven Heck, Chief Privacy Officer, Microsoft Canada; Jeff Green, Chief Privacy Officer, RBC Financial Group; Lou Natale, Director of Sales, RedKnee Inc., and Director, The Empire Club of Canada; Al Saplys, Director, Government Affairs, Microsoft Canada; and Dr. Ann Cavoukian, Information and Privacy Commissioner, Province of Ontario.

Introduction by William Whittaker

Microsoft Corporation is the world's largest software corporation, with 2005 global annual sales of almost $40 billion and 64,000 employees in 85 countries and regions. Headquartered in Redmond, Washington, Microsoft develops, manufactures, licenses, and supports a wide range of software products for computing devices. Its most popular products are the Microsoft Windows operating system and the Microsoft Office suite of productivity software, each of which has achieved near ubiquity in the desktop computer market. Microsoft's name is a portmanteau for "microcomputer software" and was founded in Albuquerque, New Mexico in 1975 by Bill Gates and Paul Allen. I note that Microsoft Canada is a significant company in its own right with annual sales of $1 billion and 1,000 employees.

Mr. Gates, in his speech to our club almost 10 years ago, was remarkably prescient on how the personal computer industry would develop. I quote: "...computers, multimedia and networking technologies will be used by tens of millions of people worldwide: to manage and operate their businesses, to educate and entertain their children and to communicate with each other over vast distances... You'll have a computer in your car and you'll have something that you carry around in your pocket that hooks up to the wireless network...You can even have hundreds of thousands of pictures of your kids to show other people."

Mr. Gates last comment was made before he became a father so perhaps he was a bit more enthusiastic than a parent would be!

Microsoft Corporation is the engine behind Mr. Gates's personal fortune, which funds the activities of the Gates Foundation. In its six-year existence, the Gates Foundation has helped save at least 700,000 lives in poor countries through its investments in vaccinations and health care. In the United States, its library project has brought computers and Internet access to 11,000 libraries. It has sponsored the largest privately funded scholarship program in history, sending 9,000 high-achieving minority students to college. It is the largest foundation in the world, with an endowment of $29 billion and is the reason why Bill and Melinda Gates were named Time Magazine's 2005 Persons of the Year along with Bono.

Microsoft has become an urban legend subject to rumour and speculation, one example of which was the claim by the Seattle Post-Intelligencer in April 2003 that Microsoft was bringing Internet access to the portable toilet world. Microsoft's iLoo was to be equipped with a wireless keyboard and an extensible, height-adjustable plasma screen located directly in front of the seated user.

There was also to be an external "Hotmail station" consisting of a waterproof keyboard and plasma screen on the outside of the iLoo so people could do something useful while they queue. The newspaper also claimed Microsoft was in talks with toilet-paper makers to produce special paper imprinted with URLs that users may not have tried. It quoted a Microsoft marketing manager as saying, "The Internet's so much a part of everyday life now that surfing on the loo was the next natural step. People used to reach for a book or mag when they were on the loo, but now they'll be logging on! It's exciting to think that the smallest room can now be the gateway to the massive virtual world."

If the announcement touting Microsoft's supposed latest innovation in consumer computing convenience had been issued on April 1, it would have been taken for a gag, but since it was issued on April 30, everyone from the Wall Street Journal to the Associated Press ran it as straight news. After a few weeks of increasing media comment, Microsoft finally announced the iLoo was a hoax.

As Chief Privacy Strategist for Microsoft Corporation, Peter Cullen is directly responsible for managing the development and implementation of programs, which enhance the privacy of Microsoft products, services, processes and systems. It is interesting to note that Mr. Gates, in his speech to us, foresaw the importance of computer security and privacy.

Mr. Cullen is a regular speaker at conferences, both in the U.S. and internationally. He is a founding member of the Association of Corporate Privacy Officers, is on the Board of the International Association of Privacy Professionals, and also serves on the board of TRUSTe, a group dedicated to privacy and trust on the Internet.

Prior to joining Microsoft, Mr. Cullen served as the corporate privacy officer of the Royal Bank of Canada responsible for influencing initiatives respecting RBC Financial Group's strategic approach to privacy. He has a Master of Business Administration degree from the Richard Ivey School of Business at the University of Western Ontario.

Please join me in welcoming Peter Cullen, Chief Privacy Strategist for Microsoft Corporation, to our podium today.

Peter Cullen

Thank you for such a kind welcome. I appreciate the opportunity to address a key business group such as the Empire Club on a topic that impacts every business.

It's a subject that inspires hype, fear, and distrust.

In the words of the Music Man, "There's Trouble in River City." In a connected world, we cannot assume that everyone's computers and vital information are safe. Much as the good citizens of River City felt they were waging a war against sin, we are all engaged today in fighting a different war on a new battlefield, shaped by the Internet and its increasingly vital role in all aspects of business and personal life.

The bad news: the very real damage incurred by businesses and customers are having a definite impact on the issue of trust. A recent study by industry analyst firm Gartner indicated that 77 per cent of on-line banking consumers log in less frequently as a result of fears around security and 14 per cent stopped paying their bills on-line. For on-line shoppers, 33 per cent of those surveyed by Gartner were buying less than they otherwise would.

This lack of trust affects everyone in the Internet value chain. Businesses like yours increasingly use information technology to create value for your customers and your shareholders. Breaking that trust disrupts that chain and has a real and negative impact. Just how big? The FBI 2005 Computer Crime Survey estimated $67 billion in U.S. computer-related hacks, attacks and cyber crime.

The good news: the key stakeholders in creating a safe and trusted computing experience--the PC industry, business and consumer groups, and government--are taking real steps to raise awareness, deliver new technologies and provide legislation and enforcement that can better protect computer users while ensuring the continued growth and business opportunity for companies involved in on-line commerce and communications. It's a tough, on-going battle, but we are bringing a lot of forces to bear on behalf of our customers--people like you.

My role as Chief Privacy Strategist is to ensure that the trust of information flows is optimized in a very broad and holistic way: from how Microsoft manages user information, the way our technology provides protection and the capability to protect and how we work in the overall Internet, technology and policy ecosystem. This work often covers both privacy and security, as in many ways these two issues are intertwined for users.

My hope today is to:

Briefly paint a picture of the privacy and security landscape--how this impacts all of us;
Describe the forces that comprise what I call the Internet Battlefield, and threats to information flows;
Touch on Microsoft's three-pronged approach to building online safety;
Discuss in some detail how public and private partnerships represent the operational framework for delivering on-line safety and security;
Perhaps give you and your business some ideas as to how you can contribute to closing the "trust gap."

The Changing Landscape

First, I'd like to make a couple of comments about the implications of the PC revolution--a movement that has grown from a small group of trusted users to a global network that reflects an incredible convergence of devices and information.

It's hard to believe sometimes, but in less than three decades, the PC has evolved from a toy for hobbyists and enthusiast users into the quintessential productivity tool for business and personal use. I would venture to say that no other single technology has so completely and so quickly transformed the world of business.

At the same time, the way in which PCs are used has dramatically changed--from a small group of trusted users, where everyone knows everyone else, to devices that are connected virtually anonymously on a global basis. It's almost quaint now to talk about what we used to call "sneaker networks," where people would literally take a floppy disk and walk it down to their colleague's computer and insert it. That was the network of 1981. Today, the concept of a non-connected PC is an oxymoron. Everyone's connected, and everyone fully expects to have the world at their fingertips with a click of a mouse or a couple of strokes on the keyboard. This complexity is now exponentially increasing by virtue of the increasing adoption and use of mobile devices that connect back to PCs, and to various information and communication networks. The sheer volume of data that gets moved around voice and data networks is staggering, particularly when you consider that in the developing world cell phones function as multi-mode devices--for gaming, multimedia, and computing--not just for voice.

If it wasn't hard enough just managing security between PCs on a local network in one company, now we have to deal with how to keep vital information secure and private between smart cell phones, PDAs, MP3 players, laptops, desktops, and servers. Devices that connect and share data are proliferating on a global basis.

The Increasing Threat

While all of this connectivity gives users unprecedented opportunities to stay linked in wherever they are, and on whatever device they might have, it also has increased the opportunity for bad guys to attack computer networks for a variety of nefarious purposes.

At the same time, while the range of threats has broadened, the nature of the typical computer hacker has also changed. In the early days of computer hacks, the goal was often just to prove that the security of a given system could be breached...bragging rights. Now, hacks are done with not only malice but with criminal intent--to steal information and identities, and defraud consumers and businesses. The severity has increased along with the potential ways in which security attacks take place. Organized crime is increasingly becoming a player in this space since information is both the currency of value and the currency of crime. This is much like the response of famous bank robber Willie Sutton when he was asked, "Why do you rob banks? His answer was appropriate: "Because that's where the money is."

The Internet Battlefield

In a real sense, security and privacy have become a battlefield, with consumers and legitimate businesses having to protect themselves both at the front-end--when they connect to the Web or log on to their PC or other device--and on the back-end, where the bad guys harvest data sent from unsuspecting users once they have been the victim of an attack. We call it the Internet (or Trust) Battlefield.

The modes of software attack, regardless of what form they take, are all surreptitious, global and anonymous. Anyone can be targeted--whether it's a PC user at home or a business computer user on a network.

Spam--most people are familiar with this one--is all about unsolicited e-mails. Some estimates say spam increased from about 60 per cent of overall e-mail traffic in 2003 to 85 per cent in 2005. Spam will cost businesses $50 million globally in 2005 according to industry analyst firm Ferris Research. Anyone that thinks spam is merely annoying, but harmless, e-mail is sadly mistaken.

Related to spam, but even more malevolent, is phishing--a deliberate attempt to illegally gain access to personal information. Of course, even in pre-Internet days, phone scam artists would try to get people to give them personal and private information. PCs and the ubiquity of the Web has given these scam artists new tools. More than two million individuals have lost money via phishing fraud; there are over 3,000 unique phishing sites at last count, and the number is growing at a 5X rate per year.

This increasing sophistication in cyber crime techniques means that users are often not even aware that their PC has been hijacked or that their personal information has been compromised. As government agencies and e-mail providers such as Microsoft have cracked down on ways of exploiting consumer and business PCs, many computer criminals have turned their attention to creating zombies. "Zombies" are PCs that have been taken over by the bad guys to be used for malicious purposes. They gain control of PCs by tricking people into loading malicious code by hiding it in e-mail attachments or in music, video or other files that people download online--or even within data transferred when clicking on an infected Web site. Zombie computers can then be used to launch attacks.

As a result, illegal spam sent by zombie computers has increased dramatically in recent months and as of this summer now accounts for more than half of all spam, according to studies conducted by industry groups. In addition, computer criminals can use zombie computers to launch phishing attacks that try to steal personal information, such as Social Security and credit card numbers. To create an even larger scale of attack, so-called "botnets" are a network of "bots" or zombies--armies of hijacked computers--all connecting to a control server awaiting the commands of the hijacker. They are used for illegal purposes, including spreading malware, distributing spam, harvesting personal information such as credit card data and launching denial-of-service attacks.

And cyber criminals have other ways to fool unsuspecting users. Pharming is the more sophisticated cousin of phishing. It happens when criminal hackers redirect Internet traffic from one Web site to a different, identical-looking site, in order to trick someone into entering their user name and password into the database on their fake site. Banking or similar financial sites are often the target of these attacks, in which criminals try to acquire personal information in order to access your bank account, steal your identity, or commit other kinds of fraud. Pharming is even more insidious than phishing, since you can be redirected to a false site without any participation or knowledge on your part.

What Is the Impact of All This?

Where does this impact business? Earlier in my remarks, I cited the recent FBI study on $67 billion in financial damages cause by cyber crime. And that's just one study that shows how computer crime directly affects the business community in terms of bank and credit card fraud. But it also inhibits the entire growth of e-commerce. A recent Consumer Reports survey revealed that 90 per cent of U.S. Internet users over the age of 18 have changed their on-line behaviour because of potential identity theft concerns. In that same survey, 30 per cent said they had reduced their Internet usage and 25 per cent said they had stopped using the Internet for e-commerce.

The result--even as industry has made significant strides in consumer education and in enhanced tools and technologies to help protect users against attack--is that we have a growing crisis of confidence among PC users. If the Internet is to fulfill its long-term potential as a source of communication and commerce, we need to re-kindle that customer confidence--all of us.

Another key challenge, and one that we can attack, comes from data breaches from within both public and private sectors. This happens when companies don't keep close track of employees with password access, or have not implemented a comprehensive set of internal controls around data access and privacy. As a result, we are seeing increasing numbers of insider crimes in terms of leaking key financial and sensitive information.

Probably the most recent and noteworthy example of this is Choicepoint. Through a malicious attack involving social engineering, criminals were able to extract sensitive personal information on hundreds of thousands of individuals with the result being at least 800 incidents of ID Theft. These types of incidents are also contributing the "trust gap" that consumers are experiencing which contributes to the change in their behaviour. As a side note, Choicepoint shaved off $910 million of shareholders' value when this incident first became public and was just fined a total of $15 million by the FTC. That's what I would call a substantial impact.

Solutions Will Take Time

Clearly this is a problem that will not be solved quickly. There's no silver bullet, and it will require a co-ordinated, multi-pronged approach. It truly takes a village to make itself safe; everyone has a stake.

For Microsoft, we approach online safety holistically across three pillars: technology, education, and partnerships with both the public and private sectors.

Clearly technology is the front line, in terms of what customers tend to experience--the patches, downloads and new products that address emerging and identified threats. Since we launched our Trustworthy Computing effort in 2002, we have focused on delivering not just specific products in responding to attacks and threats, but also on thinking more systemically about security. The latest example is what we call the Security Development Lifecycle, which focuses on security from initial design of products, through delivery to customers. We're starting to see the first products shipped that have been designed from the ground-up using that process, and we'll eventually extend it to all future products.

The second bucket of activity for Microsoft--and I believe the industry--around security is in educational outreach to consumers, IT professionals, software developers and industry partners. This can be done by individual companies, but there's a lot of value in partnering with key consumer and government bodies to help spread the word around tips and tricks and basic precautions that users can take today to protect themselves. We've partnered with the Federal Trade Commission and the National Consumers League, for example, to help provide guidance to users. We need to do much more of this as an industry, and view education as a continuing, long-term process.

The third bucket--partnerships--offers all stakeholders an opportunity to collaborate on the problem and the need for a comprehensive approach to winning the battle. These partnerships involve stakeholders across the security spectrum, from industry alliances to trade associations and consumer groups, government and law enforcement authorities around the world. I'd like to talk a bit more about the issue of partnerships because it is so relevant to the need to build trust.

Public/Private Partnerships--Building a Framework for Safety

Microsoft is currently involved in a number of industry associations and collaborations, all with the goal of sharing information and collaborating on solutions that benefit customers; that's the litmus test for us in terms of whether a partnership is effective. This includes groups like the Secure IT Alliance, the Virus Information Alliance and the Global Infrastructure Alliance for Internet Safety.

We also believe that partnership can focus on specific areas of attack, like spam and phishing, and we work with groups dedicated to combating those specific threats.

As I mentioned before, the emergence of privacy, in the context of security, has begun to focus attention on Data Governance--compliance activities catalyzing security and privacy activities within the enterprise. For a variety of reasons, there is a need to monitor, manage, and protect data in a manner that complies with corporate policy, industry standards and regulatory requirements. This applies not only to private enterprise but to educational institutions, non-governmental organizations and the like.

Compliance requires planning and design across multiple dimensions: development of detailed policies and procedures; the need to educate staff and employees in regard to these policies and procedures; maximizing the use of products that enhance protection capabilities; on-going monitoring to improve compliance and governance procedures as needed, and most importantly, to think about Information Security from a 360-degree perspective.

Overall, this requires a multi-layered approach; both top-down and bottom-up. We need to continue to improve inherent system capabilities--software that is secure by design at the operating system and application levels.

As I just mentioned, businesses need to define, implement and monitor procedures and policies. And lastly, we need to focus on legislation and enforcement efforts where appropriate. Microsoft has aggressively pursued illegal software attacks and has worked closely with law enforcement agencies on a global basis. But more work remains to be done, particularly around comprehensive legislative approaches to balancing the needs of security and privacy. Let me talk about that in more detail.

A Comprehensive Legislative Approach

Microsoft's overarching goal for privacy and security continues to be to create a trusted environment for Internet users. While we will continue to pursue work along the three pillars of technology, education and partnerships, there is a growing need to look at a comprehensive legislative approach in the U.S. as well.

I believe there are three key factors that have led us at Microsoft to support a comprehensive legislative response at this time:

First, an increasingly complex patchwork of federal and state laws--certainly in the U.S. --around data and financial privacy;
Secondly, growing concerns among consumers about privacy and identity theft;
Lastly, we see an increasing need for comprehensive measures to improve not just security, but also consumers' understanding and control over their personal information.

With regard to the first issue, the current convoluted legal environment not only hampers and confuses businesses, but also does not serve the interests of consumers. Too many local policy makers have passed stop-gap measures that are confusing at best and contradictory at worse when considering the ability of e-commerce to transcend local and national geographic boundaries. A national legislative framework that encompasses the core components of data privacy and security would obviate the need for a proliferating array of issue-specific, stop-gap measures.

On the second point, as I noted earlier, consumers and business are more than just concerned about security and privacy issues. They are taking action by either limiting their on-line activities, or opting out entirely and not using the Internet for banking and commerce. Even as the economic and social benefits of the Internet are unchallenged, if individuals will not take full advantage of the Internet because they believe that their information or data could be compromised or disclosed in unexpected ways, that hurts us all.

The third factor--increasing consumer demands for a comprehensive legislative solution for both security and for greater consumer disclosure--springs from the increasingly aggressive tactics of computer criminals around data and identity theft. While many state and local lawmakers have proposed or enacted privacy and notification requirements in the aftermath of highly publicized identity theft, we still have a lack of transparency in how companies are collecting, using and disclosing information in the first place.

Microsoft believes there are four core principles that should be the foundation of any federal legislation on data privacy:

The first principle is to create a baseline standard across all organizations and industries, for both off- and on-line data collection and storage. This federal standard should be enforceable by both the national and local levels and as much as possible, be consistent with privacy laws around the world.

The second core principle is to increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and permitting individual access to personal information.

Thirdly, any legislative approach must provide meaningful levels of control over the use and disclosure of personal information. Any legislative approach must balance what we believe is a requirement for organizations to obtain individual consent before using and disclosing information, with the need to make the requirements flexible for businesses, all the while avoiding bombarding consumers with excessive and unnecessary levels of choice.

The fourth principle for any approach must be to ensure a minimum level of security for personal information in storage and transit. Within that baseline, individual industries and organizations should have the discretion to implement the most appropriate technologies and procedures around storage and transit for their respective markets and customers.

In closing, I just want to reiterate that we see the Internet and Trust Battlefield as very complex, with many points of attack and many opportunities for the bad guys to create harm for businesses and consumers. I also firmly believe that the increased awareness around security and privacy is driving the industry, government and customers toward a common goal of making the Internet a safer and more trusted environment. Certainly it is a foundational commitment for those of us at Microsoft.

I hope that my remarks have given you a better understanding of how Microsoft thinks about these critical issues, and perhaps provided you with an initial model of how your business can play a part in closing that gap of trust that we see within the statistics today. Thank you.

The appreciation of the meeting was expressed by Lou Natale, Director of Sales, RedKnee Inc., and Director, The Empire Club of Canada.