Microsoft hosts a closed security summit? How transparent • The Register

op-ed Microsoft will host a security summit next month with CrowdStrike and other “key” endpoint security partners joining the fun — and during which the CrowdStrike-induced outage that borked millions of Windows machines will undoubtedly be a top-line agenda item. 

We won’t know for sure, however, because the summit will be held behind closed doors. It won’t be live-streamed, and Redmond has said members of the press aren’t welcome.

“This event will not be open to press, and the company has nothing else to share at this time,” a Microsoft spokesperson told The Register.

In announcing the September 10 Windows Endpoint Security Ecosystem Summit to take place at its Redmond, Washington headquarters, Microsoft Corporate VP Aidan Marcuss said participants will discuss steps that vendors can take to “improve security and resiliency for our joint customers.” 

Marcuss cited the July CrowdStrike fiasco and the “important lessons” learned from that disaster. “Our discussions will focus on improving security and safe deployment practices, designing systems for resiliency and working together as a thriving community of partners to best serve customers now, and in the future.”

While he didn’t specify what these measures might involve, we’d bet that booting security vendors off of the Windows kernel is one of them, and it’s likely to be met with a great deal of pushback from providers.

In addition to its fellow software manufacturers, Microsoft will also “invite government representatives to ensure the highest level of transparency to the community’s collaboration to deliver more secure and reliable technology for all.”

US Senator Ron Wyden (D-OR), who has been very critical of Microsoft’s shoddy security performance while raking in billions of dollars in government contracts, didn’t get an invite, we’re told.

So…some friendly government officials and security vendors but no press or members of the public ensure “the highest level of transparency” in Microsoft’s book?

We shouldn’t be surprised. Redmond follows a very specific playbook following all of its security snafus. Transparency about what happened, along with concrete measures to actually fix the problem, isn’t part of it.

Granted, this latest fiasco is a CrowdStrike — not Microsoft — blunder. But the Windows giant is facing mounting criticism of its own security practices following years of breaches by Chinese and Russian nation-state hackers and teenage Lapsus$ hoodlums alike.

Earlier this summer, Microsoft president Brad Smith testified before Congress about his company’s repeated security failings. This was in response to a Homeland Security report blasting the IT giant for allowing Beijing-backed cyberspies to steal tens of thousands of sensitive emails from the Microsoft-hosted Exchange Online inboxes of high-ranking US government officials.

After most of these major mishaps, Microsoft rolls out a shiny new security initiative, such as its Secure Future Initiative after the most recent Cozy Bear attack.

With this, and all of its carefully cultivated wordy efforts, Redmond promises transparency and accountability. But at the same time, it pushes back against things like minimum cybersecurity standards for government technology vendors, as Wyden has previously suggested, and independent audits, which also go a long way in trying to prove transparency and openness.

So do open summits, like the one happening next month. Instead of talking about transparency — or security, for that matter — simply doing it would be a welcome change. ®