Microsoft office sign showing security initiatives to counter cyber threats

Microsoft Announces “Secure Future” Security Initiative Expansion, Calls Cyber Threats Company’s “Top Priority”

A Microsoft Security blog post has proclaimed that cyber threats are now the company’s top priority, and that its Secure Future Initiative is being expanded to include a range of new internal security and response upgrades. The security initiative was first announced in November 2023, as the company was coming off of an unusually damaging string of attacks by state-sponsored hackers that had some in the US government questioning if it could still be trusted as a supplier for critical systems.

Microsoft security initiative expansion includes stronger authentication systems, isolation for production and engineering, financial penalties to executives

The initial security initiative announcement in 2023 focused on software development and shoring the company’s defenses up with AI tools. While it was pitched as a response to changes in the landscape of cyber threats, the move was likely a necessary bit of PR after the Exchange cloud email breach exposed government accounts and led to serious questions about the company’s overall security posture. This was followed by another security incident in early 2024.

The new security initiative update promises more sweeping changes. This move is also likely tied directly to the company’s security woes and issues with cyber threats in 2023 and early 2024, coming about a month after the publication of a Cyber Safety Review Board (CSRB) report that was far from favorable to Redmond. That report included general recommendations from the CSRB to all cloud service providers, which Microsoft has included in the new security initiative. But it has also gone beyond those bullet points to include some surprising new policies.

The entire security initiative is now centered on three principles: security by design, protections by default (both with automatic enabling and no opt-out for users), and secure internal operations that put a strong focus on improved monitoring and controls. This concept is further divided into six “pillars,” or more specific goals for the company to deter cyber threats: quantum-ready information security methods, faster remediation of vulnerabilities, isolation of tenants and production systems, automated detection of threats to production, isolation of customer resources, and code security.

Initially this points to big internal changes. For example, the company is instituting new weekly and monthly security meetings for all members of management as well as senior individual contributors. But the security initiative also mentions tying executive bonuses to defensive performance; if cyber threats break through, decision-makers could see a hit to their compensation.

Seeming single-minded focus on cyber threats raises some consumer concerns

Microsoft seems to have taken the central theme of the CSRB report, the criticism that it has “drifted away from its ethos” as regards security, as a direct order from the government. But this has left some question as to what this means for the future of product features and the user experience, particularly the new commitment to not allowing end users to opt out of anything deemed necessary to curb cyber threats.

Many of the changes in the security initiative are beyond question or reproach, however. Microsoft led off the blog post list by announcing that it will now rapidly rotate infrastructure signing and platform keys and to ensure only “secure, managed, healthy devices” are granted access to Microsoft tenants, two factors that directly played a role in some of its recent incidents. It also announced that 100% of engineering systems and source code will be protected from cyber threats by Zero Trust architecture, and 100% of applications will be protected with system-managed credentials, among other changes worthy of applause.

However, a note from CEO Satya Nadella on the security initiative indicated that employees should “do security” and consider cyber threats above all other priorities, including “releasing new features or providing ongoing support for legacy systems.” Recent versions of Windows have already raised ire for taking liberties with user systems, with the “forced updates” of Windows 10 and 11 sometimes unexpectedly removing software, resetting user preferences, or simply hogging system resources at inopportune and seemingly random times. That statement has raised some questions about whether the company plans to have an even heavier hand in reaching into customer systems in the name of “security,” particularly with the still heavily-used Windows 10 slated for deprecation in October 2025. A similar company policy toward the sudden removal or alteration of features in its products has raised similar complaints, for example frustrating regular Outlook and Office 365 users with unexpected tweaks that disrupt their established work patterns.

And while the security initiative’s ambitious terms look good on paper, actually hitting all of these “100%” benchmarks is certain to be a serious challenge. But Jake Williams, former US National Security Agency (NSA) hacker and Faculty member at IANS Research, sees reasons to be optimistic about this aspect.

“Microsoft has some really ambitious goals in their Secure Future Initiative. Most organizations have neither the will nor the technical ability to achieve these goals, but any organization that does will be in a prime position to repel most intrusions. Microsoft certainly has the technical ability to implement these, but that’s always been the case. It appears they now have the political will to do so as well. There are plenty of details about significant technical security enhancements Microsoft is making. The hardest part of most of these is getting to 100%. Anything less than 100% leaves a residual attack surface that threat actors will exploit. These efforts follow the old 80/20 rule where most of the effort is expended getting the last holdouts onboarded into the new security regime. The thing that gives me the most confidence that Microsoft will get there is the emphasis that engineer SVPs are holding regular operational meetings with all levels of management and senior ICs. That’s how you reinforce cultural change and make sure that it sticks,” noted Williams.