Written evidence submitted by Microsoft
(Malware 17)
0. Introduction
0.1 Thank you for this opportunity to submit
a written response to the House of Commons Science & Technology
Committee on Malware & Cybercrime. Bill Gates founded
our Trustworthy Computing (TwC) initiative in an open letter in
January 2002, focussing Microsoft's increasing strides to protect
its customers from the impact of malware and the cybercrime it
can enable. Microsoft continues to address these issues through
updated and improved products, better software engineering, customer
guidance and collaboration with partners across industry, government,
law enforcement and academia around the world. In particular,
Microsoft works closely with government and law enforcement bodies
in the UK to improve our response and defences against malware
and cybercrime.
0.2 Malware and cybercrime are two overlapping
but distinct concerns addressed by Microsoft. As Scott Charney,
Microsoft's Vice President of TwC, referenced in the paper Rethinking
the Cyber Threat, "For more than two decades, people
have struggled to understand the cyber threat, evaluate the risks
to individuals and organisations (including nation-states) and
craft appropriate responses." Threats from malware range
from cybercrime to cyber espionage to cyber warfare. Given this
range, Rethinking the Cyber Threat proposes that malware
threats should be collectively addressed by several national and
international initiatives combining industry and government capabilities.
Scott Charney's speech on the matter and the paper are available
here: http://www.microsoft.com/presspass/exec/charney/2011/02-15RSA2011.mspx.
The remainder of this response will focus on the cybercrime impacts
of malware and our collaborations to reduce cybercrime.
0.3 Microsoft provides multiple defences against
malware and cybercrime such as: monthly and as-required updates
across our software products, including but not limited to Windows
and Office; Microsoft Forefront, which provides anti-malware solutions
for business; Microsoft Security Essentials, which is free to
the UK consumer; malicious website and phishing protection in
our browser, Internet Explorer 9; malicious website screening
in our search engine, Bing; and spam-filtering in our email products
for business (Outlook) and consumers (free Windows Live mail).
0.4 Through automatic settings worldwide, Microsoft
updates over 600 million computers monthly and receives information
from its Malicious Software Removal Tool on the state of infection.
We also implement malware screening on almost 300 million consumer
email accounts, enable screening of billions of business emails
per year, and scan billions of webpages per month with Bing. These
data-streams are collated twice a year to produce Microsoft's
Security Intelligence Report, which has been published since 2005.
Further information is available here: http://www.microsoft.com/security/sir/default.aspx
0.5 This response has been compiled by Microsoft
drawing from our experience and available information at the time
of publication around the world and across cyberspace, focused
upon the concerns and issues of Her Majesty's Government of the
United Kingdom. A comprehensive portal of resources for cyber
security policy is available here: http://www.microsoft.com/about/twc/en/us/Policymakers.aspx
1. What proportion of cyber-crime is associated
with malware?
1.1 Microsoft does not possess statistical information
that associates malware with cybercrime. Although Microsoft's
Security Intelligence Reports provide information on the geographic
variation in malware prevalence, cybercrime is referenced by example
only.
1.2 Microsoft is aware on a case-by-case basis
of vulnerabilities in its software being exploited by malware
to perpetrate cybercrime and has responded in specific instances
to the appropriate law enforcement bodies. Much of the malware
that enables cybercrime does not exploit vulnerabilities in the
software but in the human psyche. Known as "social engineering"
or phishing attacks, these types of malware exploit the users
of software and their information or assets, rather than compromise
the operation of the PC.
1.3 In the past two years, through Project MARS
(Microsoft's Active Response for Security), Microsoft has taken
specific actions against botnets ("robot-networks" enabled
by malware and operated by cybercriminals). Specifically, we took
action against the botnets Waledac and Rustock through our operations
named "b49" and "b107" respectively. Anecdotally,
operation b107, carried out in March 2011, indicated that one
million PCs were infected and controlled by the Rustock botnet,
generating an estimated 30 billion spam emails every day, accounting
potentially for 40-60% of global spam.
1.4 Microsoft is also concerned with cybercrime
not primarily perpetuated through malware but taking criminal
advantage of online technology, especially in the area of child
protection. Microsoft has supported the UK's Child Exploitation
and Online Protection (CEOP) centre since its inception, providing
resources and software. Microsoft has provided its CETS (ChilD
Exploitation Tracking System) solution and donated PhotoDNA technology
developed in coordination with the U.S. National Center for Missing
& Exploited Children to the UK and many other counties around
the world. Further information is available here: http://www.microsoft.com/presspass/presskits/dcu/materials.aspx
2. Where does the malware come from? Who is creating
it and why?
2.1 Microsoft is aware of malware from many sources
around the world and across the internet, although correlating
geographical and cyber locations is difficult due to the fact
that origin information in cyber-communications can be modified
through technical means. However, our Security Intelligence Report
provides a broad analysis on the geographic origin and impact
of the major malware families based on monthly feedback from over
600 million PCs and our other data sources. Only case-based analysis
of specific malware, as in our Project MARS, can identify the
malware origins and victim locations; in these cases, we work
with appropriate judicial and law enforcement organisations to
reach a resolution.
2.2 Microsoft is not normally aware of the creators
of malware and their purpose. We see distinctions between: 1.
"Finders," who identify vulnerabilities in software,
2. "Exploiters," who prove that the vulnerability can
be accessed and exploited against the user's wishes and/or without
their knowledge; 3. "Malware Coders," who develop malicious
software to exploit the vulnerability by infecting PCs; and 4.
"Botnet Herders," who manipulate the malware and infected
PCs in organised networks across the internet. The Finders and
Exploiters can and usually do have benign intent, pursuing the
pure research aspect, so we work with this community to protect
our customers. Generally our information comes from these security
researchers, both inside Microsoft and across the cyber security
community, who identify vulnerabilities in our software and likely
exploitation mechanisms. However, the Malware Coders and Botnet
Herders predominantly have a criminal intent. Our analysis may
reveal the location of criminal activity; in these situations,
we will provide appropriate information to the primary national
law enforcement agency. In the UK we have a good working relationship
with the London Metropolitan Police and the Serious and Organised
Crime Agency (SOCA). Microsoft does not work with perpetrators
of malware or exploiters with criminal intent.
2.3 We have seen increasing sophistication and
replication of malware over the past decade. The threat actors
range from highly sophisticated pioneers testing new areas of
software to "script kiddies" simply repurposing tools
that are available on the internet for their advantage. It is
also apparent that the cybercrime activity ranges from highly
organised enterprises to opportunistic individuals. Malware and
the tools to build it are widely available and do not disappear
over time: once a piece of malware has been released onto the
internet it will be reused by others, and the cost of access,
development and deployment is continually diminishing. Malware
has become the multi-purpose tool of the criminal in cyberspace.
Therefore, we focus on systematic defence of our customers.
3. What levels of resources are associated
with combating malware?
3.1 Microsoft continues to commit several hundred
engineer-years per annum to combatting the impact of malware across
our product-base though triage, response, updates, better engineering
and new product architectures. Our security engineers use this
expertise to develop tools to enable our customers and partners
defend themselves. For example, !exploitable helps developers
identify and assign an "exploitability" rating to program
crashes.
3.2 Since 2003, we have invested significant
engineer-years developing and delivering the Security Development
Lifecycle (SDL), to ensure that all of our engineers are up-to-date
with the latest security coding practices. We share this valuable
resource for free with our customers and partners around the world.
More information is available here: http://www.microsoft.com/security/sdl/default.aspx.
3.3 Over the past decade, Microsoft has built
arguably the best incident response team in the software industry.
The Microsoft Security Response Centre (MSRC) coordinates product
team engineers across the company to update software at least
monthly, providing guidance in almost 30 languages and coordinate
field engineers in over 100 countries. In addition, the MSRC collaborates
with national Computer Emergency Remediation Teams (CERTs) around
the world, each in turn committing substantial resources to combatting
malware and cybercrime.
3.4 Microsoft provides leadership in an ecosystem
of industry, governments, and academics working continuously around
the world to mitigate the threats and protect customers and citizens.
In order to nurture and evolve this ecosystem, we have created
or collaborated with others to develop numerous programmes, including:
MAPP, the Microsoft Active Protection Programme to share information
and coordinate software updates with partner companies; MSVR,
the Microsoft Vulnerability Research programme to work with partners
to identify and mitigate vulnerabilities across the software ecosystem;
ICASI, the Industry Consortium for the Advancement of Security
on the Internet to collaborate with partner companies in response
to systemic threats; and SAFECode, Security Assurance Forum for
Excellence in Code to work with partners to improve security in
engineering.
3.5 Microsoft has also committed resources to
working with law enforcement around the world. Since the inception
of the Botnet Task Force, we have partnered with over 40 national
law enforcement agencies, and we continue to address malware and
cybercrime through training and analysis tools provided through
our Law Enforcement Portal.
3.6 Microsoft also commits resources to take
specific legal and technical action in our Project MARS, as illustrated
by our actions to neutralize the Waledac and Rustok botnets.
3.7 Over the past decade we have provided monetary
rewards for information leading to the arrest and prosecution
of cybercriminals launching or exploiting malware. Most recently,
we offered US $250,000 in July for information leading to the
identification and prosecution of the Rustock botnet controllers.
4. What is the cost of malware to individuals
and how effective is the Industry in providing protection to computer
users?
4.1 The costs of malware to individuals are manifold
and more than monetary: they can include identity theft, data
loss, necessary changes in behaviours and resources spent procuring
updated and additional software products to protect against malware.
Malware has the potential to cause severe impacts to users of
compromised computers. In addition to the risk of data loss, some
malware seeks to steal users' financial and identity information.
Additionally, the current prevalence of malware on the internet
requires users to change their behaviours online. This includes
not visiting risky sites, not reusing passwords, and having the
knowledge to keep their device up to data and protected. Users
must also spend time and resources obtaining up-to-date software
to protect against current malware threats. While some vendors
make effective anti-virus software available at no cost, there
are a number of products that are available only with purchase.
Because malware threats evolve so quickly, users must have up
to date software on their devices. Out-dated operating systems
and web browsers cannot adequately protect users from today's
malware threats. Consumers must be prepared to invest in current
technology in order to enjoy the benefits of a digital society
without being placed at undue risk.
4.2 As the world's leading provider of software
and services, Microsoft makes great efforts to protect its customers
from the effects of malware. Our Security Development Lifecycle
has led to measurable improvements in the security of our software:
fewer pieces of malware now exploit operating system vulnerabilities,
relying instead upon social engineering tricks to obtain access
to a computer. When there is software vulnerability Microsoft
is able to rapidly mobilize a response and, if necessary, deliver
updates to over 600 million customers quickly and at no cost through
our Windows Update service. Further, as part of this servicing
process the Microsoft Malicious Software Removal Tool (MSRT) is
run on each computer that connects to Windows Update. MSRT scans
for and removes many of the most prevalent malware families and
has been used more than 20 billion times since 2005. Finally,
for enhanced protection against malware we offer Microsoft Security
Essentials (MSE), an anti-virus solution, free to users of genuine
Windows PCs. MSE's more than 30 million users report millions
of malware removals per year.
4.3 Beyond our product efforts, Project MARS
works with academic and industry experts, and utilizes technical
and legal efforts in an attempt to defeat botnets. For example,
the Waledac and Rustock botnets were shut down through successful
legal action, and then Microsoft began working with ISPs and national
CERTs to help customers remove the Waledac infection from their
computers.
4.4 There are also numerous international, national
and private sector efforts to promote or use collective defence
that have had varying degrees of effectiveness. Microsoft has
called for greater collaboration between government and industry
on collective defence in its paper on the subject by Scott Charney
and referenced in his recent RSA speech,(see Introduction above).
The Collective Defence paper (attached) highlights several successful
examples of government and industry collaboration to improve cyber
security.
5. Should the Government have a responsibility
to deal with the spread of malware in a similar way to human disease?
5.1 Several members of industry, including Microsoft
in our Collective Defence paper of 2010, have proposed looking
at the public health model to address the issue of malware. Malware
does share several characteristics with human disease in that
it can spread host to host, morph rapidly and even exist asymptomatically.
However, human disease is not a perfect analogue for malware.
Human diseases are not sponsored by malicious actors, for example.
5.2 The public health model provides a very useful
inspiration to solving the malware problem while not being the
solution itself. Looking at the public health model prompts consideration
of several important functions required to address the malware
problem. First, we should strive for a trusted system with clear
roles and responsibilities just like we have for doctors, paramedics
and epidemiologists in human health. Second, computer users need
to know who and where to get help with a malware issue. Just as
individuals can recognize a hospital or pharmacy, it must be clear
to them who can be trusted to provide assistance with malware
prevention and remediation. Prevention or wellness is another
topic that should be adopted from human health. To do so, we must
begin with an understanding of what it takes to keep a system
healthy and develop the social and technical norms to encourage
the healthy state of all devices. Finally, as with epidemic preparedness,
industry and government must be prepared for a potential malware
outbreak in a way that leverages the trusted system and roles
outlined above.
5.3 Governments around the world and the ICT
industry share a responsibility to deal with malware both individually
for their constituencies and collectively. Microsoft has invested
significant effort over the past decade working on its own products
and with partners to make the customer experience more secure.
The currently broadening appreciation of the malware threat is
an opportunity for reinvigorated effort to take action corporately,
nationally and internationally to provide better protection to
customers and citizens alike.
6. How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
6.1 Microsoft works with CESG, the National Technical
Authority, CPNI, OCSIA and other government agencies concerned
with cyber security to ensure the protection of UK citizens. These
collaborations have been successful for many years in the mitigation
and containment of cyber-attacks. These organisations are skilled
and effective in their mitigation of the impact of malware on
HMG and the Critical Infrastructure.
6.2 Microsoft also works with the London Metropolitan
Police, SOCA and many other law enforcement organisations to address
malware-based cybercrime in the UK. These organisations are generally
under-resourced and differently prioritised to pursue cybercrime,
which means that the people are concerned and committed to fighting
cybercrime but unable to have broad impact. The citizen continues
to be at a loss when it comes to reporting cybercrime, other than
to his or her bank or ISP, who are generally effective at remediation
but can take no further action to neutralize cyber threats.
6.3 Microsoft has noted and welcomes the substantial
efforts by the current Government to collaborate with industry
to address all aspects of cyber security including cybercrime.
We will continue to work towards making the UK a national exemplar
of best practice in fighting malware-based cybercrime.
6.4 Microsoft has been a clear advocate of the
Council of Europe's Convention on Cybercrime and welcomes the
UK's recent ratification. We are also aware that malware and cybercrime
respect no national boundaries and there is a need for international
collaboration between governments to improve and align legislation
and regulation and eventually establish treaties to pursue and
prosecute cybercrime effectively. We support the work of the US
and UK in the development and promulgation of acceptable norms
of behaviour in cyberspace and a first step to improving international
legal cooperation against cybercrime.
7. Declaration of Interests
7.1 Microsoft provides products and services
to UK citizens that can be impacted by malware and cybercrime
and continues to develop mitigation and protection mechanisms
in each new release.
7.2 Microsoft also provides updates to its products
and services at least monthly free of charge to all customers.
We also provide Microsoft Security Essentials anti-malware software
free of charge to UK consumers. Our anti-malware facilities in
our Internet Explorer 9 browser, Bing search engine and Windows
Live email are all provided free of charge. Microsoft also offers
security products commercially in the UK market, including Microsoft
Forefront, and will continue to provide innovative and security-enhancing
technologies for citizens of the UK and worldwide.
7 September 2011
|