An Interview With Microsoft's Claire Bonilla

The Microsoft Disaster Management initiative was created in July 2007. Can you give us an overview of this initiative and why it was created?

Microsoft has been responding to disasters for over 20 years. Our local subsidiaries have a history of self-organizing to assist government, inter-government, non-government organizations and citizens in the wake of disasters, applying information and communication technology skills, as well as innovative solutions, to enhance response and recovery efforts. In 2005, corporate leadership created a centrally coordinated group that could provide a deeper, more comprehensive level of support to external preparedness, response and recovery efforts, as well as apply product innovations to an area in need of integration, collaboration and communication structures.

Our primary focus areas in the disaster management space are on research and product development, application development through our network of global partners, policy and standards, citizenship & humanitarian efforts focused on building capability and capacity of GOs, IGOs and NGOs around prevention, preparedness, response & recovery from an Information and Communication Technology (ICT) perspective.

As the world's largest software company, what unique capabilities and resources does Microsoft bring to a disaster response and recovery effort?

In today's world, responding to a disaster without information technology is next to impossible.  Humanitarian support, logistics, alerts and notifications, information sharing - all of it depends on information technology that assists an information worker in both day to day operations and in times of stress and crisis. 

Microsoft's focus on innovation in IT can provide a foundation for three necessities required by the mass of constituents involved in responding to and impacted by disasters - integration, collaboration and communication. Capabilities like Microsoft's geospatial technology will help revolutionize how FEMA and others respond to disasters, and how citizens prepare and respond for themselves.  Partnering with FEMA, Microsoft is prepared to address on the ground priorities like laptops prepared for harsh conditions and designed with multiple levels of security, such as two-factor authentication, hard drive encryption for data at rest, or rights management for data in transit.  Next generation alerts and information sharing tools to enhance situational awareness and response will soon be commonplace - and mobile.  Preconfigured forms and applications that citizens may need will be available in a disconnected world, stored and transmitted when connectivity is established, even if only for a few moments. 

The company also has IT resources in cities across the nation, prepared to partner with FEMA and provide ITC expertise in the wake of disasters.

The U.S. Department of Homeland Security (DHS) recently completed Cyber Storm II, the largest cyber security exercise ever conducted.  What was Microsoft's role in this event and how are you partnering with the federal government to strengthen both the public and private sectors against mounting cyber security threats?

Microsoft worked closely with both its industry partners and DHS to design and conduct a realistic exercise that could identify current strengths and challenges in national and international response capabilities. Cyber Storm II exercised 5 countries (Australia, Canada, New Zealand, United Kingdom, United States); 18 federal cabinet-level agencies (Department of Defense, State Department, Department of Justice, etc.); 9 states (Pennsylvania, Colorado, California, Delaware, Texas, Illinois, Michigan, North Carolina, and Virginia); and over 40 private sector companies (Juniper Networks, Microsoft, McAfee, Cisco, NeuStar, The Dow Chemical Company, Inc., PPG Industries, ABB Group, Air Products & Chemical Inc., Nova Chemical, and Wachovia). The exercise provided a unique opportunity for players to evaluate their cyber response capabilities to a multi-day coordinated attack and to gauge the cascading effects of cyber disasters on other critical infrastructures. Microsoft runs a 24/7 global response center which it exercises regularly. However, Cyber Storm provided a unique view into how key partners and critical infrastructure sectors prioritize cyber challenges. By understanding how different communities triage and run their response processes, we are better able to make decisions about how we prioritize and respond to events.

Exercises build trust. Microsoft and the Cyber Storm players were able to gain a powerful insight into how 4 infrastructure sectors - chemical, information technology, communications and transportation - organized a response to a multi-sector coordinated attack through, and on, the global cyber infrastructure. The exercise underscored the importance of public private partnerships and the growing importance of information sharing and analysis centers.
 
Cyber threats continue to increase in stealth, severity, and controllability. The best way to prepare for such attacks is to collaboratively assess risk, develop plans and exercise to ensure that sufficient response mechanisms are in place. 

Most individuals would assume that cyber security is a corporate responsibility but what can the average computer user do to help protect against a cyber attack?

It seems like the news is constantly reporting on identity theft and computer attacks. Consumers can protect themselves by taking 4 simple steps to prepare themselves and their families from common Internet risks: (1) keep the firewall turned on, (2) keep your operating system up to date, (3) use anti-virus software, and (4) employ up to date anti-spyware technologies.  

Microsoft Corporate Headquarters are located in Redmond, WA, an area susceptible to earthquakes. What has Microsoft done to ensure business continuity in case a major disaster affects your campus?

Business continuity planning at Microsoft Corporation is carried out at various levels and in diverse groups across the company with coordination provided by a Corporate Oversight Team composed of representatives from IT, Security, Real Estate & Facilities, Risk Management, Human Resources, Public Relations, Legal, Corporate Records and various Business Units. 

Business continuity plans at Microsoft fall into four major categories that are discussed below:
1.   Emergency response plans for life safety and physical asset protection;
2.   IT disaster recovery plans for global networks, data centers and applications;
3.   Business unit recovery plans for resumption of critical business functions;
4.   Crisis management.

What type of emergency preparedness education does Microsoft offer to its employees?

Microsoft's efforts focus on preparing its employees to assist with both internal, as well as external response efforts.

Internally, our goal is to engage our employees in the safety and sustainability of our internal assets in times of incidents and disasters. The company has a Global Education and Awareness Program that covers a wide range of topics, from personal safety to man-made disasters. Our awareness campaign is "Smart, Safe and Secure". There are several resources for the employees such as on-line training, security websites, marketing campaigns, hotlines, and quick reference guides in every office and conference room. We continue to update our materials to stay fresh with the changing global events.

Externally, we are in the process of preparing to train designated employees as part of Disaster Assistance Response & Recovery teams in key subsidiaries that are highly prone to natural disasters. These teams are focused on reaching out to communities in times of crisis to build ICT capability and capacity for Government, Inter-government and Non-government organizations responding to local disasters.

Microsoft also engages in broader industry training efforts around ITC. For example, in the United States, Microsoft participates in FEMA ESF-2 training and response efforts through its membership in the Information Technology Information Sharing and Analysis Center (IT-ISAC).

Planning for a possible Avian Flu outbreak has become a higher priority for many businesses and government agencies.  How is Microsoft designing response plans for a potential pandemic? 

In 2005, as a first step in our Pandemic planning efforts, we assembled a cross group team of subject matter experts from across the company which included groups such as Security, Facilities, Human Resources, Benefits (global representation), Business Continuity, Communications, and many more. We also engaged experts on the Pandemic topic from our local health department and International SOS, our Worldwide Emergency Assistance vendor, who is a leader in consulting on pandemic planning.

The structure of our plan is such that the triggers to implement elements of our plan are based on factors which indicate an increasing risk of a pandemic. Our triggers will come from The World Health Organization (WHO) "phases". The transition from one phase to the next triggers the next stages of pandemic preparedness and response in our plan. However, even though one country may be at a certain Phase, this does not mean that all countries are affected. Therefore, our plan is divided into 'affected' and 'non-affected' region scenarios which we believe will help us guide the actions of the company and managers in responding to pandemic influenza if it moves phases.

Elements of our plan include social distancing measures such as telecommuting.  For those critical employees who must come to the work site, methods such as maintaining distance (as recommended by health authorities), split and alternate shifts will be used. We will also minimize or eliminate in-person meetings (depending on phase and outbreak situation) by utilizing tele-conferencing and VTC methods. We are considering masks for our critical workers. Daily cleaning of facilities with special emphasis on areas with suspected or confirmed pandemic case has been put in place.  Travel restrictions will be put in place according to expert authority advice.

Our plan also includes an internal Pandemic Preparedness website for employees, employee and manager FAQs, a guidance document for managers and pandemic-specific time off/leave of absence policies.

Other efforts underway from a business continuity perspective are increasing our capacity for employees to work from home. Additionally, we are examining bench strength for the business processes we consider critical to the survival of our business. The skill sets are being evaluated for the personnel that perform these processes, and then we determine whether we have backup personnel locally and/or globally taking advantage of our geo diverse campuses.

Microsoft has followed the Department of Homeland Security's pandemic flu planning efforts, through DHS's outreach and awareness efforts and through DHS's coordination with the Information Technology Information Sharing and Analysis Center (IT-ISAC). 

Since your company and your products touch so many aspects of society, you are in a unique position to influence outcomes. How does Microsoft view its role and responsibility in leading the IT industry in disaster preparedness and response?

Our role as an industry leader is to strive for innovative solutions that can help solve the complexity of issues that arise within disaster management.  We engage with policy leaders to ensure that information technology related decisions support key public safety concerns such as security, accessibility, privacy and interoperability. We have R&D efforts underway to dramatically improve ICT capabilities, and are working globally with technology and communications partners to continue to advance solutions in this space.

We also have an expanded view of corporate social responsibility, one that is not divorced from the technologies we produce.  Microsoft is evolving an active citizenship related initiative in the disaster management arena, focused primarily on enhancing the preparedness of GO, IGO and NGOs, as well as supporting response and recovery efforts through structured Disaster Assistance Response & Recovery Teams positioned world-wide. In a highly interdependent market, Microsoft realizes the importance of private and public sector partnerships with those involved across all phases of a disaster. Our company is proactively creating engagement models with key organizations like FEMA, and encouraging our network of partners in the industry to begin equal efforts in this regard.

Microsoft's Humanitarian Systems team is leading the way with innovative solutions that have been directly germinated in live complex humanitarian emergencies where we have gathered new requirements in-situ. The goal is to advance and verify collaboration tools and approaches, through a field based, "learn by doing" model.  The team partners with humanitarian groups around the world to tackle vexing humanitarian collaboration problems.

How does Microsoft envision partnering with the federal government in the future? How does this differ from the past? And what is the value in this partnership?

Microsoft has been a long-standing member of the Public Private Partnership, working with Homeland Security and many of the other critical infrastructures, private sector initiatives, and Federal agencies. These partnerships are critical, because in today's interconnected world, we are all dependent upon each other to improve disaster preparedness, response and recovery efforts. Microsoft participates in the Information Technology Information Sharing and Analysis Center (IT-ISAC) and supports FEMA's ESF-2 through its membership in the IT-ISAC. We are also in working partnerships with FEMA, DHS, BCLC and other international response agencies to ensure that, as new plans and missions evolve, such as FEMA's recent focus on recovery, our team is providing their expertise to ensure ICT capabilities are being incorporated with a current and future perspective.

Claire Bonilla is Senior Director of Disaster Management at Microsoft Corporation

 

For more information on how to protect your computer:
http://www.microsoft.com/protect/default.mspx

For more information on cyber security and safety resources:
http://www.staysafeonline.info/

Last Modified: Thursday, 10-Apr-2008 15:44:06 EDT