Cyber Resilience in Government

with Tom Burt

Tom Burt is the Corporate Vice President of Customer Security and Trust at Microsoft. On the first episode of our Cybersecurity mini-series, Tom tells Alvaro Vitta about how public sector organizations can be better prepared for future attacks.

Episode 36: Cyber Resilience in Government

Public Sector Future

Episode summary

Tom Burt is the Corporate Vice President of Customer Security and Trust at Microsoft. On the first episode of our Cybersecurity mini-series, Tom tells Alvaro Vitta about the trends he’s seeing, working with the government in Ukraine on cyber defense, and how public sector organizations can be better prepared for future attacks.

Download the episode transcript

Listen to this episode on any of these podcast platforms:

Spotify

Apple Podcasts

Google Podcasts

Deezer

Libsyn

What does cyber resilience in government really mean?

Tom Burt is the Corporate Vice President of Customer Security and Trust at Microsoft. On the first episode of our Cybersecurity mini-series, Tom tells Alvaro Vitta about the trends he’s seeing, working with the government in Ukraine on cyber defense, and how public sector organizations can be better prepared for future attacks.

Introducing Alvaro Vitta

October is Cybersecurity awareness month and we’re dedicating a set of Public Sector episodes to exploring this topic. You’ll hear from Alvaro Vitta, Microsoft’s Worldwide Public Sector lead for cybersecurity, who will be hosting these interviews.  

Vitta shared a bit about his background and what led him to his current role:

“I’ve been in the cybersecurity industry for the last 18 years in a variety of roles in security, including security architecture, consulting, strategy and other areas. Throughout my career I’ve helped private and public sector organizations at the regional, national and global levels with the planning, design, implementation and operationalization of security programs.”

Customer Security and Trust

Alvaro’s first guest is Tom Burt, the Corporate Vice President (CVP) of Customer Security and Trust at Microsoft.

“That means I have in my organization teams that are responsible for doing what we can, what Microsoft can uniquely do to improve the security of the digital ecosystem. So, I have a digital diplomatic team that works with government officials around the world to advocate for enforceable rules of nation-state conduct in cyberspace. We have teams that work on our cybersecurity policy. But we also have teams that work to disrupt nation-state actors, through both technical and legal means.”

Burt added, “I have our Digital Crimes Unit, which really leads the world in combating digital crime online, and a number of other teams that in other ways contribute to the security and safety of the digital ecosystem. But most specifically, over the last six months, we’ve been directly engaged in assisting the Ukrainian government in its efforts to defend against the cybersecurity parts of the hybrid war that they are fighting with Russia.”

Microsoft’s Digital Defense Report

“The Microsoft Digital Defense Report is something we started two years ago and we’re continuing to issue annually. And what it is, is our effort to assemble from across the entire company, everything that we have seen in cybersecurity over the prior year and see what insight we can draw from pulling all that information together, communicate to our customers, to officials, government officials, policymakers, as to the threats we’ve seen across the entire ecosystem,” Burt said.

The Microsoft Digital Defense Report also includes the best advice about what to do to be prepared for and defend against the cyberattacks that Burt’s team has seen in the prior year.

We have the tools to be more secure

“The thing that we’ve seen over the last couple years, and I think you’ll see again when we publish this year, is that, unfortunately, the scope, the volume of cyberattacks, the sophistication of cyberattacks, the impact of cyberattacks, both in terms of cybercriminal activity, as well as nation-state activity, continues to increase over time, and that the work that we all need to do across the ecosystem to better defend against this, against cyberattacks of all kinds, we need to do better.”

There are encouraging signs as well. Burt says he’s seen a continued investment in improving cybersecurity capabilities and building new tools and systems to help customers be secure.

“But we still need to do better as an ecosystem in terms of policy, in terms of how governments react, and right down to the basic cybersecurity hygiene that every individual and every corporation and every organization needs to practice to make sure that the entire ecosystem is safe and secure. We have the tools we need today to be much more secure and to prevent a significant volume of cyberattacks, both – and especially cybercrime, but we aren’t utilizing those tools to the extent that we need. think it’s a trend in part because we see incredibly sophisticated actors behind the cybercrime attacks and behind the nation-state attacks. And so, they continue to evolve and expand the techniques and the practices they use,” Burt concluded.

How can we defend against these attacks?

Burt outlines several steps organizations can take to increase security against cyberattacks. 

“There are some basic cybersecurity hygiene practices, like patching your system with the most up-to-date security patches from every vendor. And that’s true for Microsoft, as well as all of our competitors.  We all work to keep our systems as secure as possible. And that means you need the most up-to-date technology, which we all provide through security update packages,” Burt said.

The number one priority is applying those patches.

“We see the bad guys; they see the new patches coming out, so they know there’s a vulnerability, and they exploit those vulnerabilities, the ones for which there are patches, because they know that most people in the ecosystem are not applying the patches. Typically, only about 30% of the devices in the ecosystem are actually having up-to-date security patches applied, and that’s just not good enough.”

The second thing you can do is turn on your device’s multifactor authentication.

“We need everyone to use multifactor authentication on every account. You know, Microsoft Teams published a blog, now it’s almost three years old, where our study determined that over 99% of all attacks in the prior year that was studied would have been prevented if multifactor authentication had been present.”

Burt added, “And then the third part is, move to the cloud. Every vendor, and especially at Microsoft, our most innovative defense, our best security services are the ones that we are innovating for in the cloud.”

The very best security experts

“At Microsoft, we get 47 trillion signals a day that come into our environment from our global ecosystem. And our teams are increasingly using those signals, using our ability to hunt in those signals for adversary activity, and increasingly utilizing AI and ML technologies to look through that data for anomalous activity or for indications or hints of action by an adverse actor”. 

Burt says his team has the capability, using that data system from their hyperscale cloud, to detect and see and protect customers against attacks.

“We had that happen in one specific instance, in the war in Ukraine, where most of the customers in Ukraine have not migrated to the cloud. An exception is government. They changed the law a week after the war started, so that they could move to the cloud. And we immediately jumped in and helped provide, for free, a range of services to help move the Ukrainian government. We moved I think it’s 16 of 17 government ministries have moved their data or their compute to the cloud, to help provide greater resilience against the Russian attacks.”

Burt continued, “In one instance, one of our private sector customers that was utilizing one of our cloud security services, that cloud security service, that Defender for Endpoint detected an attack from Russia… and the service detected it, blocked it and stopped the attack, all with no human intervention at all, utilizing the algorithms that we had in place in that service to detect that kind of activity. 

“So that’s the kind of thing that we can do in the hyperscale cloud that customers can’t possibly do on-premises. One of my colleagues referred to trying to defend against the attacks coming from criminals and from nation-states on-premises as hand-to-hand combat. And you don’t need to engage in hand-to-hand combat. You can come to our cloud, and we can use the technology, the expertise, and the data that we have, to help protect you in a much more robust way.”

Working with the Ukrainian government

“Not only do you gain cyber resilience and cybersecurity by moving to the cloud; you also gain physical security by moving to the cloud. We learned from one of the Ukrainian government officials that we’ve been working with, that one of the first missiles launched by Russia, when they began the physical attack in Ukraine, one of the very first missiles targeted the government data center. And at that time, all of the Ukrainian government workloads were kept on-premises and operated from that data center.”

“And so, when you’re engaged in a conflict, in a hybrid war, like we see happening in Ukraine, you are physically more secure, because your adversary can’t actually go in and destroy the data center where you are housing your compute.”

Burt says that insight is why it’s so important to think about the physical security of where data resides, as well as the cybersecurity. “Both of those things are significantly improved by moving to the hyperscale cloud,” Burt added.

Microsoft Threat Intelligence Center information

A common theme that we hear in almost every episode of Public Sector Future is how important transparency is; sharing what you’re doing and how you’re doing it. Burt says he has two motivations for publishing the work his team and others at Microsoft do.

“One is to provide the indications of compromise, and the other threat intelligence that helps customers that are working to defend against these attacks, to observe these attacks, to be prepared. And we often provide information about how to defend against them, or how to recover if you are attacked, in those publications.” 

Burt added, “In addition to that, we do publish this information, especially about nation-state attackers, because our view is that, as I mentioned earlier, we need a much more robust set of international rules governing how nation-states act in cyberspace, restricting attacks on civilians and civilian enterprises, in requiring governments not to look the other way when they know cybercriminal activity is being engaged in by actors operating from their geography.”

“Rules like that need to be established by the international community. They need to have enforcement, even if that enforcement are things like economic sanctions and the like, the same kinds of things that the international community does to enforce a wide range of rules that we have, whether they are formally international law, or customary practices that nation-states engage in, so that when those are violated, other nation-states take action to punish the actor who isn’t abiding by those established rules of nation-state conduct. We need those rules in cyberspace, and we don’t have them.”

But how do we get there?

“One way to get there is to be public, to talk about what we’re seeing, to do attribution. Because we think it is critical for the international community to be aware of what is happening in the cybersecurity space, so that action can be taken, and these international conversations can occur,” Burt mentioned.

Examples that can benefit others

Burt was asked to share examples of cybersecurity work done by a government organization or a public sector organization that has inspired him. Here’s what he had to say:

“Years ago, Estonia was the target of Russian cyberattacks. And that country recognized the importance of having cyber resilience and adopted a range of practices across their public sector and private sector workloads and became incredibly resilient to cyberattacks. What we saw was that while the other Baltic countries were being successfully attacked by Russian actors, and we provided them notification and threat intelligence to help them defend themselves, there were no similar attacks against Estonia, zero. That is consistent with what we’ve seen over the years, which is that nation has done a remarkably good job in establishing resilience.”

Estonia is taking the steps they need to take to defend against cyberactivity and that includes moving to the cloud. Another country taking those necessary steps to protect themselves is the United States.

“I’d point to the United States, where over the last several years, with new leadership in place that understands the critical importance of cybersecurity to our government and to our critical infrastructure, we’ve seen a number of steps taken, whether it’s the leadership of the CISA organization in the Department of Homeland Security that is publishing regular alerts to the community and to segments of the economy saying, here’s a specific threat or a character or a type of threat, and here’s the steps you should be taking to protect against those threats. That’s one organization that’s active,” Burt said.

“We saw the adoption by the President of the Cybersecurity Executive Order, which was really targeted at government agencies, but more broadly, was we’re going to require the technology industry to take steps to enable those government agencies to comply with that Executive Order by building in the concept of a software bill of materials, for example, with every product, and by taking other steps to help government move to the cloud.”

“There’s work to be done still to get that Executive Order in place and operative, but we’re working with government to see what we can do to move that forward quickly, because each of the steps required by that Executive Order would significantly improve the security of government agencies. That’s a great model for the public sector to look to for the kinds of steps that should be taken to secure the public sector against these kinds of attacks.”

For these crucial steps to work, you need tools to make them possible. And as we’ve already established, those tools are readily available.

“We actually do have the tools in place today that would remarkably improve the security of the ecosystem, if we could get them deployed, you know, moving to the cloud, patching your endpoints, deploy multifactor authentication; where you have on-premises networks that for whatever reason, you can’t move to the cloud, or you can’t move yet, you know, applying zero trust principles to how you administer your on-premises network.”

Burt added, “These tools are known, they’re well developed, they’re easily accessible. Will they take time and effort? Yes, of course, they will. But they would greatly improve the security of the ecosystem. If we could get 80, 90, 100% of the ecosystem to apply these tools and these practices, we would almost stop cybercrime in its tracks.”

To find out more:

Cyber Resiliency in Government: Key Actionable Insights from the 2022 Microsoft Digital Defense Report

Episode 38: Cybersecurity, Compliance and Cloud: Lessons from Singapore

Episode 37: Military Lessons on Cyberdefense

Accelerating Security Innovation for Governments with the Intelligent Cloud