RSAC16: Microsoft’s chief legal officer Brad Smith champions encryption

Information security requires a comprehensive approach including strong encryption, says Microsoft chief legal officer Brad Smith

There is no technology more important than encryption, Microsoft’s president and chief legal officer told the RSA Conference 2016 in San Francisco.

In these “tumultuous” and “turbulent” times, Brad Smith said, cyber attacks like the one on US retailer Target – that exposed 110 million customer records in December 2013 – opened the world’s eyes to the importance of information security.

This was further underlined in November 2014 by the cyber attack on Sony Pictures Entertainment, which was not only an issue of IT security, but also “geopolitics”, he said.

At the time, US president Barack Obama said that, if Sony had consulted him first, he would have told them not to get into a pattern of being intimidated by these kinds of criminal attacks.

“This shows how much the world has changed for our customers as an industry,” said Smith, with IT administrators finding their work can be a topic of discussion at a presidential press conference.

The world has changed in other ways, too, he said, witnessed by the attacks in Paris on 13 November 2015 and in San Bernardino on 2 December 2015.

“Immediately those issues connected with our issues, as people went to work debating whether new steps were needed to be taken for technology, for surveillance and for encryption,” he said.

With the dawn of the internet, Smith said people talked about cyber space as if it were disconnected from the world we all live in. “But we have learned that if people want to shape or impact what happens in the real world, they go to the internet,” he said.

Snowden's NSA revelations

This has made governments realise, said Smith, there is no security unless there is cyber security and people will not use technology they do not trust.

“Trust is the foundation for our entire industry, and it needs to remain that way,” he said.

However, Smith said trust has been under threat and questioned ever since whistleblower Edward Snowden revealed the mass internet surveillance programme by the US National Security Agency.

The path to hell starts at the backdoor, and we need to ensure that encryption technology remains strong
Brad Smith, Microsoft

“This all leads to the fundamental question about what is to be done,” he said, adding that this needs to begin with recognising that no one person or organisation has all the answers.

“Microsoft does not have the answers, but we have done a great deal of thinking about this – and one conclusion we have come to is a point that our CEO Satya Nadella made to employees two years ago, that technology needs to advance, but timeless values need to inform,” said Smith.

Reflecting on those timeless values, he said Microsoft has drawn up four principles to guide the company’s decisions.

“That security is paramount and we need to keep people’s data secure, that when people entrust their data to us we need to protect their privacy, that we need to manage people’s data in accordance with the law, and that we need to be transparent,” said Smith.

Comprehensive approach to security

For two decades, the security industry has talked about protecting, detecting and responding to security threats – but, as important as that foundation is, there is a need to evolve beyond that. To that end, Microsoft is investing $1bn a year to develop security technologies and practices, he said.

Smith said Microsoft believes that a comprehensive approach is required that starts with identity, but also considers devices, applications, infrastructure and data.

“As we think about all of this, we need to keep in mind that, when it comes to security, there is no technology more important than encryption, which is why we need to stand up, be thoughtful – but also be vocal.

“Despite the best intentions, one thing is clear: the path to hell starts at the backdoor, and we need to ensure that encryption technology remains strong,” he said, but added that, although encryption is important, it is not the only thing that matters.

Microsoft’s approach, he said, includes focusing on strengthening its platforms – Windows, Azure and Office 365 – and recognising that big data is a “game changer” and the ability to gain insight and take action based on the data coming in from billions of endpoints can make all the difference.

Smith said the information security industry has a role and obligation to keep the public safe, which he said is one of the points Apple is making at the Congressional hearing into the company’s refusal to help hack into an iPhone owned by San Bernardino gunman Syed Rizwan Farook.

No progress in a social vacuum

“When things go wrong, people often call tech companies,” he said, revealing for the first time that Microsoft received 14 lawful data access requests in connection with the Paris attacks.

“In all 14 of those cases, we were able to respond, determine that the orders were lawful, pull the content and turn it over with an average response time of under 30 minutes,” said Smith, adding that this underlines the role that Microsoft and other technology firms play in keeping the public safe.

However, he said technology firms also need to stand up for customers, which is why Microsoft is joining other tech companies in supporting Apple.

Smith said they need to keep in mind that they have a responsibility not just to the people of one country, but to the people of every country.

“That’s why we as a company took the step of raising a lawsuit when the US government sought to take a unilateral search warrant to pull email data out of our datacentre in Ireland, and we are continuing to argue as this case goes up to the appellate ladder that governments actually need to respect each other’s borders and respect each other’s laws,” he said.

Microsoft has challenged all attempts to force it to hand over email data stored in its Dublin datacentre, on the grounds that the data is stored overseas where the US government’s search powers do not apply.

In conclusion, Smith said technology needs to keep moving forward, but this cannot be done in society in a vacuum.

“We need to connect with the world and we need to engage in public debate because the world is going to trust technology only if the law can catch up.”
