National Defence committee  In the shared responsibility model in which we operate for cloud services, there's a security responsibility for both the cloud provider and for the actual end-user or the customer. In a case where we see attacks against identities, meaning that people are trying to access someon

National Defence committee  In the vast majority of cases, because these systems are massive and at scale, the tooling has been empowered so that there are alerts generated. It's the responsibility of the end-user, the end customer, to monitor those alerts and that suspicious activity themselves.

National Defence committee  I would like to agree with Mr. Dupont in that regard. I think the area where there is an ethical line is in the security research community. The security researchers who are looking for vulnerabilities can do basically one of two things. They can provide that back to the vendor

National Defence committee  Unfortunately, they are very creative in finding ways to monetize data that's been stolen from organizations. In the case of ransomware—I'm sure it's a term most people are familiar with—there's the traditional encryption of your files and holding them for ransom with the inten

National Defence committee  I would say that Microsoft has quite extensive experience in this particular topic. We'd certainly be happy to consult and to inform some views on that particular topic following this committee meeting. We certainly encourage confidential vulnerability disclosure. We work with a

National Defence committee  Yes, absolutely. I would say that the techniques being used most predominantly are twofold. One, attackers are using vulnerabilities or exploiting vulnerabilities in software that for the most part have been patched by the vendor, but the customer or organization or agency just h

National Defence committee  I would reinforce Microsoft's position that we certainly do not support cyber-offensive activities, primarily for a number of reasons. We have seen that cyber-weapons are typically very difficult to target, and the potential for collateral damage to spill beyond the intended ta

National Defence committee  I could maybe start with that one and Mr. Dupont could follow. Certainly in our digital defence report we outlined some of the activity we have seen and detected, which includes espionage by some of the nation-state adversaries that I mentioned previously. These actors, quite f

National Defence committee  Maybe I can take a crack at that.

National Defence committee  “Cybersecurity” is really about protecting your computer infrastructure or your identity in the digital context, on the Internet or connected to a network. It's those security protections extended to the cyber domain. A “vulnerability” is a problem within a piece of software cod

National Defence committee  Number one is that cybersecurity basics matter more than ever now. When I say the “basics”, I mean keeping systems up to date, using modern technology and enabling things like multifactor authentication. In our view of all of the attacks and customer compromises that we see, doi

National Defence committee  I'm sorry, I'm not aware of the term “threat emanation technology”.

National Defence committee  Threat emulation technology.... No, I'm sorry, I'm not aware of that term either.

National Defence committee  I think it's really difficult to predict a future in this space, and it's why we've seen a theme of needing to work together on sharing intelligence and looking at different ways to combat these threats, not just from the defensive perspective, but advocating for things such as w

National Defence committee  I'm sorry. We do not have any information on that particular situation.