Can Microsoft help government agencies improve IT security?

Microsoft's Institute for Advanced Technology in Governments is helping federal, state, and local agencies devise software solutions. I wanted to know if that included improving IT security.

Microsoft's Institute for Advanced Technology in Governments is helping federal, state, and local agencies devise software solutions. I wanted to know if that included improving IT security.


Keeping up with new technology is a full-time job, a luxury most public and private organizations do not have. Case in point, U.S. intelligence agencies hired a defense contractor to create a specialized ($250,000 US) touch table. Mr. Lewis Shepherd, CTO of Microsoft's Institute for Advanced Technology in Governments realized the custom system is similar to Microsoft's Surface. He worked with the agencies and software developer, creating an equivalent solution that costs around $10, 000 US.

Some background

That was not just a fortunate break. Mr. Shepherd (profile) has significant experience working with enterprise organizations. That includes government agencies, as Mr. Shepherd spent four years at the Defense Intelligence Agency (DIA) before joining Microsoft.

While at DIA, Mr. Shepherd was in charge of research and development for the defense intelligence community. One of his challenges was information management and improving the exchange of data between agencies. That part of his job caught my attention. Intelligence agency databases tend to be secure and private. That's something the private sector and other agencies need help with according to 2010 IT security predictions.

I contacted Mr. Shepherd hoping that he might share his thoughts about how best to preserve security and maintain the privacy of databases. Mr. Shepherd was more than willing, providing answers to the following questions: TechRepublic: You currently are Chief Technology Officer for Microsoft's Institute for Advanced Technology in Governments. If you Bing or Google the organization, not much shows up (not even a Web site), could you tell us about the group? Mr. Shepherd: The Institute may seem quiet because it is relatively small and new within Microsoft, in the Advanced Research and Strategies division. The Institute's purpose is to provide government customers with the opportunity to create unique, but scalable solutions based upon Microsoft's platforms, products and services, in part by combining Microsoft's technologies in unique and innovative ways.

Our Institute also draws upon Microsoft's advanced research and development activities to help solve intractable problems for the public sector. Microsoft has one of the largest corporate R&D budgets, this year at $9.5 billion. For comparison, that's about three times the budget of DARPA over at the Department of Defense.

So, we have a lot of depth, which we believe can be brought to bear in helping government officials and technologists think about the future of information work and society's challenges. TechRepublic: During one of your talks with Mr. Jon Udell you mentioned that the group's name ends in governments not government, further explaining that Microsoft is interested in helping all tiers of government. Could you expand on what you meant? Mr. Shepherd: The Institute has offices in the United States and the United Kingdom and is involved with national and local governments, as well as non-governmental organizations (NGO) around the globe. We have several projects in the works with state governments in the U.S.

Here and abroad, we have been consulting on solutions for large-scale problems with governmental coordinating groups. Many times, the challenges faced by the public sector are not clearly defined in the "job-jar" of solely one governmental agency or level of government.

As an example, who owns the problem of improving public education in America? All levels of government must cooperate on this issue along with NGOs, so we work with them all. TechRepublic: While at the DIA, one of your goals was to get all 16 intelligence agencies sharing data securely and accurately. With the number of data breaches in the private sector climbing, securing information is a big concern for CIO/CSOs. Is what you learned at DIA something Microsoft can bring to the private sector? Any examples? Mr. Shepherd: Yes, in fact there has been a bidirectional-information flow, sharing best-practices between government and Microsoft for several years. For example, Microsoft has a cryptographic research unit which works on improving algorithmic and mathematical approaches for encryption and information security. That group's research work is in many cases published and openly available to the U.S. government.

Our Institute has spent quite a bit of time working with federal government agencies sharing appropriate information about best practices in securing enterprise data with modern systems. On the other end, the federal government has been eager to work closely with Microsoft in architecting secure solutions for many of their most challenging data security problems.

One thing that being involved in defense intelligence after 9/11 taught me was that our nation and any modern state depends enormously on a vibrant and entrepreneurial private sector for innovative technologies. Those aren't developed in government labs by and large; even the notable exceptions like ARPANET and GPS relied on government's partnership with defense contractors.

I joined the government after 9/11 from the Silicon Valley start up culture. So, I know first hand the role that the Valley and the technology industry play in providing our government with innovative solutions.

While I was in government, I was very impressed with the critical importance of Microsoft systems to the daily work of DIA and other agencies involved in the Afghanistan and Iraq wars. I admired the dedication that Microsoft brought to creating specialized software solutions for unique government problems.

TechRepublic: Usability and security/privacy are at odds when considering data management. That truism concerns many people, considering the push to consolidate health records into a national database. What do you feel it will take to achieve a workable balance? Mr. Shepherd: I probably have a slightly different take on this because of my private-sector experience. I skew a bit toward the importance of usability. Perhaps counter-intuitively, I believe that government agencies currently place an enormous amount of importance on the protection of privacy. But we must not let that always remain a binary choice. Great architecture with innovative software design can achieve a remarkable balance of each TechRepublic: The CIA is one of the partner agencies with DIA in the intelligence community. It recently came under question for monitoring social networks. It seems citizens are wondering about the value. Your opinion on this would be appreciated. Mr. Shepherd: I'm a proponent of our intelligence community stepping up its efforts in collecting and analyzing "all-source intelligence," meaning data and information garnered from across the spectrum, as allowed by law.

We shouldn't rely only on signals intelligence (overseas phone calls) or on human intelligence (overseas spying). We need to incorporate a look at the entire digital and real-world spectrum of activities which our adversaries engage in. Today that needs to include their digital traces across social networks.

Since we know that terrorists and their support networks are active in international social networks, it would be suicidal for us not to take that into account in trying to develop an accurate picture of their intentions and malevolent plans. We do the same for the hacker community, and we should be doing it with our national adversaries as well.

There's another aspect to this that never gets reported on: the intelligence community is not only charged with developing real-time warning and predictions of terrorist activity or national-level military attack. They are also charged with providing our national leadership with the best possible assessments of international long-term trends and social activity which may have some bearing on the United States and its economic, social, or political systems in future. TechRepublic: Your work at the DIA certainly elevated your understanding of IT security. Has Microsoft been receptive to implementing what you learned at DIA? If so, could you provide some examples? Mr. Shepherd: I've been fortunate to be in a group aligned with what we internally call Trustworthy Computing, Microsoft's effort to help ensure secure, private, and reliable computing experiences for everyone.

As part of this effort, the Trustworthy Computing team works with business groups throughout the company to ensure their products and services adhere to Microsoft's security and privacy policies. It also engages with governments, industry partners, and computer users on important security and privacy issues such as critical infrastructure protection, software assurance, and identity management.

That myriad of activities, internal to the company for our own development practices, external to our partner tech firms, and to our customers globally, exactly mirrors the complexity of secure relationships which we relied upon at DIA.

We developed software and built Information Assurance into each product and system, relying on robust and authoritative security certification; and we simultaneously collaborated with the other intelligence agencies such as Homeland Security, FBI, and coalition partners to try to optimize the sharing of information.

Final thoughts

As shown in the touch-table example, the best decisions are made from an informed position. That, plus Microsoft products being pervasive indicate the working relationship between the Institute for Advanced Technology in Governments and government agencies is a logical step.

I would like to extend a special thanks to Mr. Shepherd for answering my many questions.


Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks