Microsoft to Ramp AI and Automation in Security Overhaul
2023-11-3 22:58:31 Author: securityboulevard.com

Microsoft, which saw a Chinese threat group hack into its M365 cloud platform and steal hundreds of thousands of government and corporate emails, is saying it will use AI and automation technologies to improve and accelerate cybersecurity protections in its broad portfolio of products and services.

The IT giant’s Secure Future Initiative, announced this week, is the largest in-house cybersecurity effort in almost two decades, since then-CEO Bill Gates introduced the Security Development Lifecycle (SDL) effort in 2004.

The new program is aimed at using AI to enhance capabilities in areas such as threat intelligence and cloud services, as well as to change the way Microsoft engineers design, build, test, and run its software and services.

Such moves are necessary in an increasingly connected and rapidly evolving world that is grappling with changes brought on by advanced technologies like AI, according to Microsoft President and Vice Chair Brad Smith.

“Advances in artificial intelligence are accelerating innovation and reshaping the way societies interact and operate,” Smith wrote in a blog post. “At the same time, cybercriminals and nation-state attackers have unleashed opposing initiatives and innovations that threaten security and stability in communities and countries around the world.”

He added that “in recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response. Therefore, we’re launching today across the company a new initiative to pursue our next generation of cybersecurity protection.”

The Nation-State Threat

This comes months after the attack by advanced persistent threat (APT) group Storm-0588, a China-linked gang that stole a Microsoft signing key and hacked into Microsoft 365 and Exchange Online accounts, breaking into emails from government and corporate accounts.

Sen. Ron Wyden (D-OR) soon after called on the Justice Department, Cybersecurity and Infrastructure Security Agency (CISA), and Federal Trade Commission to hold Microsoft responsible for what he called its “negligent cybersecurity practices.” The Department of Homeland Security’s Cyber Safety Review Board is investigating.

Microsoft also has found itself involved in other high-profile cybersecurity cases, including the software supply-chain attack on SolarWinds in 2020.

In his post, Smith focused on what he said is a changing threat landscape that includes nation-state actors targeting critical infrastructure in sophisticated attacks, similar threats against cloud platforms – including Microsoft’s – and a growing number of ransomware and other threats. Microsoft estimates that 40% of nation-state attacks have targeted critical infrastructure, including power grids, water systems, and healthcare facilities.

The vendor also has seen a 200% increase in ransomware attempts since September 2022, and its Digital Crimes Unit is tracking 123 ransomware-as-a-service affiliates.

“While firms with effective security can manage these threats, these attacks are becoming more frequent and complex, targeting smaller and more vulnerable organizations, including hospitals, schools, and local governments,” Smith wrote, adding that “more than 80% of successful ransomware attacks originate from unmanaged devices, highlighting the importance of expanding protective measures to every single digital device.”

Bring in AI and Automation

Microsoft has been among the leaders in adopting AI, investing more than $10 billion in ChatGPT-maker OpenAI and integrating AI capabilities throughout its broad portfolio, including the early-access release last month of its Security Copilot technology.

AI will play a central role in the new Secure Future Initiative to build what Smith called an “AI-based cyber shield that will protect customers and countries around the world. Our global network of AI-based datacenters and use of advanced foundation AI models puts us in a strong position to put AI to work to advance cybersecurity protection.”

One way will be to improve threat intelligence, with Microsoft’s Threat Analysis Center using AI tools and techniques to better and more quickly detect and analyze threats and getting similar capabilities out to organizations through its products. AI will be key in helping sort through the massive amount of data being generated by Internet of Things (IoT) and other connected devices.

Microsoft receives more than 65 trillion signals from devices and services worldwide every day. AI is helping security professionals better track cyberthreats through all the information.

“While threat actors seek to hide their threats like a needle in a vast haystack of data, AI increasingly makes it possible to find the right needle even in a sea of needles,” Smith wrote.

AI-based tools like Security Copilot coupled with other products like Defender for Endpoint also will help make up for the widespread shortage of cybersecurity professionals, he wrote. Microsoft also will apply its safety and security principles to its AI technologies.

Focusing on the Code

The company also will apply AI and automation to how it builds and operates its software, according to Charlie Bell, executive vice president of Microsoft Security.

“The sheer speed, scale, and sophistication of the attacks we’re seeing is a reminder for our industry and the world on how advanced digital threats have become,” Bell wrote. “As computing has evolved from packaged software to cloud services, from waterfall to agile development, and with the new advances in AI, we must also evolve how we do security.”

That includes injecting more security into CI/CD processes, automating threat modeling, using CodeQL for code analysis for all commercial products, and expanding its use of memory-safe programming languages, like C#, Python, Java, and Rust. Such languages take memory allocation and garbage collection away from the developer and handle them in the languages themselves, increasing the automated security in the development process.

Microsoft also will make security capabilities available by default. For example, Azure’s tenant baseline controls – 99 of them across nine security domains – automatically will be implemented by default, which will reduce the time engineers spend on configuration management and improve security. Bell wrote that the company learned the benefits of security by default over the last year by turning multifactor authentication on by default.

Addressing a weakness exploited by the Storm-0588 threat group, Microsoft is moving identity signing keys to an integrated and hardened Azure Hardware Security Module (HSM) and confidential security infrastructure, where they will be encrypted at rest, in transit, and while in use.

In addition, the company will leverage its work in AI, automation, and other areas to cut the time it takes to mitigate cloud vulnerabilities by half.


Source: https://securityboulevard.com/2023/11/microsoft-to-ramp-ai-and-automation-in-security-overhaul/