In response to the “increasing speed, scale, and sophistication of cyberattacks,” Microsoft has announced its Secure Future Initiative. 

“The past year has brought to the world an almost unparalleled and diverse array of technological change,” Brad Smith, vice chair and president of Microsoft, wrote in a blog post. “Advances in artificial intelligence are accelerating innovation and reshaping the way societies interact and operate. At the same time, cybercriminals and nation-state attackers have unleashed opposing initiatives and innovations that threaten security and stability in communities and countries around the world.”

The Secure Future Initiative consists of three main pillars: defenses that use AI, advances in software engineering, and international norms to protect civilians from cyber threats. 

Using AI in security

On the AI front, the company hopes to build an “AI-based cyber shield” to protect customers and countries. It is expanding the capabilities it uses internally to protect its own services so that these technologies can be used to protect customers directly. 

Microsoft also plans to use AI to address the cybersecurity skills shortage, which it says currently stands at about 3 million people. Microsoft Security Copilot will be important in this effort, as it uses AI to detect and respond to threats. Microsoft Defender for Endpoint will also use AI detection to better protect devices. 

And finally, it will work to secure AI using its own Responsible AI principles so that the technology can move forward with safeguards in place. 

“As a company, we are committed to building an AI-based cyber shield that will protect customers and countries around the world,” Smith wrote. “Our global network of AI-based datacenters and use of advanced foundation AI models puts us in a strong position to put AI to work to advance cybersecurity protection.”

Advancing security in software engineering

The second pillar of the Secure Future Initiative is to take advantage of improvements in software engineering to set a new standard for security. Microsoft is committed to protecting against emerging threats through all steps of the development process: code, test, deploy, and operation. 

Microsoft plans to strengthen its security posture against identity-based attacks by improving the verification process for users, devices, and services across its portfolio. It also plans to migrate to a new key management system with an architecture that makes keys inaccessible when underlying security processes are compromised.

The final aspect of this pillar is its goal to reduce the time spent mitigating vulnerabilities by 50% and to encourage more transparent reporting of events across the industry. 

“We no doubt will add other engineering and software development practices in the months and years ahead, based on learning and feedback from these efforts. Like Trustworthy Computing more than two decades ago, our SFI initiatives will bring together people and groups across Microsoft to evaluate and innovate across the cybersecurity landscape,” Smith wrote.

Addressing threats internationally

Finally, Microsoft will push for greater adoption of security measures around the world. This follows the company’s Digital Geneva Convention in 2017, which laid out a set of “principles and norms that would govern the behavior of states and non-state actors in cyberspace.” The company believes that many governments have made progress since then, but that a broader commitment is needed going forward. 

It recommends that everyone come together to condemn nation-state efforts that install malware or create other exploits in critical infrastructure, such as energy, water, food, or medical care. It also recommends that cloud services be considered critical infrastructure. Microsoft says states should not allow people in their jurisdiction to do things that could compromise the security, integrity, or confidentiality of cloud services; should not compromise cloud security for espionage; and should construct cyber operations so that they do not impose costs on those who aren’t the target of that operation. 

The company also believes governments should act together to establish greater accountability for governments that cross those red lines. 

“The year has not been lacking in hard proof of nation-state actions that violate these norms. What we need now is the type of strong, public, multilateral, and unified attributions from governments that will hold these states accountable and discourage them from repeating the misconduct,” said Smith.