The Washington PostDemocracy Dies in Darkness

Microsoft: U.S. government is a potential security threat

( <a href=""></a> )

Microsoft is trying to change the terms of the NSA debate — literally.

The company is labeling any government effort to spy on its online communications as evidence of an "advanced persistent threat," a term that's so far been reserved to describe foreign espionage units such as the one allegedly operated by the Chinese military.

"We are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data," Microsoft's top lawyer, Brad Smith, wrote Wednesday in a blog post.

An advanced persistent threat is somebody who gains access to an actor's network and hides there while stealing sensitive information for a long period of time. Any old hacker can attempt a break-in and set off alarm bells in the process. But it takes a sophisticated attacker to infiltrate a network without anyone knowing.

The NSA's attempt to snoop on Microsoft's data center traffic, undetected, reasonably fits this description. Since former NSA contractor Edward Snowden exposed the government surveillance earlier this summer, tech companies have generally refrained from using the term — mostly because of the NSA's use of legal, if controversial, secret court orders. But it now appears that, at least in Microsoft's case, the rhetorical gloves have come off.

Americans were first introduced to the term "advanced persistent threat," or APT, in February when The New York Times reported on a Chinese unit's infiltration of its own network. Mandiant, the external security firm that the Times hired to investigate the intrusion, gave it the codename APT1. The report came just as the White House was preparing an executive order on the nation's vulnerability to cyberattacks.

While Silicon Valley has spent weeks demanding more transparency from the NSA — perhaps in part to deflect attention from its cooperation with government data requests — Microsoft's change in terminology is also a shift in tone. Until now, the surveillance debate has been framed as a matter of legal compliance. Tech companies universally disavow granting direct server access to the NSA but have defended their responsibility to cooperate with law enforcement. The government's bulk metadata collection has also raised questions about the practice's constitutionality and about whether Congress was fully briefed as the law requires.

But the term "advanced persistent threat" is uniquely associated with the realm of online espionage and cyberwarfare, not law. It implicitly brands the NSA's data-stream snooping as criminal behavior, and is remarkably strong language.

In an environment where superior technical ability often trumps politics, however, it's far from clear that Microsoft's pivot will create the public pressure it's seeking.