Microsoft In A Fight To Stop Cyber War

The tech industry is becoming more worried about a cyberwar arms race. But are the right people listening? 

Two days last year finally woke the world up to the dangers of cyberwarfare, according to Microsoft's President Brad Smith (pictured).

The WannaCry ransomware attack created havoc by encrypting PCs across the world, forcing the UK's NHS to cancel appointments and operations, and costing billions to repair the damage. 

Just over a month later on 16 June the NotPetya malware caused more damage, again costing billions to fix. Western governments have blamed WannaCry on North Korea, and NotPetya on Russia, it probably was designed as an attack on Ukraine which then got out of hand.

"One of the things we see is that tools we've created, the tools you've created have been turned by others into weapons. 2017 was a wakeup call, it was a wakeup call about how people unfortunately in some nation states and some governments are using our tools as weapons," said Smith, speaking on stage at the Web Summit conference last month.

In his talk, Smith drew a parallel between the run-up to the First World War and the burgeoning cyberwar arms race today.

"I'm not here to say the next world war is imminent but I am here to say that there are lessons from a century ago we can learn and apply, that we need to apply, to our own future," said Smith.

His argument is that technology was advancing at an enormous pace in the first decades of the twentieth century -- just as it is now -- but human institutions failed to keep up.

"The technology revolution requires a moral revolution as well. That is the challenge for our time," Smith said.

Smith's answer is that governments should stand up for the protection of the civilians and civilian infrastructure, and safeguard the internet in general from cyber-attacks. Indeed, over the last couple of years, Microsoft has been increasingly vocal about its concerns that cyber-attacks are spilling over and affecting businesses and consumers. In February last year Smith, who has been the most visible Microsoft exec on the issue, outlined his concept of a digital Geneva Convention, a version of the rules that protect civilians in wartime, but for the online world.

It asks, among other things, that states do not target tech companies, the private sector or critical infrastructure with cyber-attacks, that they should report vulnerabilities to vendors rather than stockpile them, that they make sure that cyber weapons are limited and precise in their effect, and to commit to non-proliferation of such weapons.

In April this year Microsoft was one of the companies behind the Cybersecurity Tech Accord, signed by 34 companies, which promises not to help governments launch cyberattacks against innocent citizens and enterprises.

Microsoft has also been a major supporter of the Paris Call for Trust and Security in Cyberspace, launched by French President Emmanuel Macron last month.

The 370 signatories include all 28 members of the European Union and 27 of the 29 NATO members. Also signed up are companies including Microsoft, Google, Facebook, Intel and financial services companies such as Citigroup and Visa. 
They pledged to "condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection".
Notably missing from the countries signed up to the Paris Call are the US, the country with the most powerful cyberwarfare capabilities, and Israel, as well as countries that have been regularly accused by the West of using cyberwarfare techniques, including Russia, China, North Korea and Iran.

Microsoft has also been backing something called the Digital Peace Petition. At Web Summit in Lisbon, the petition even had its own booth emblazoned '#stopcyberwarfare' and a technofied version of the peace symbol along with panels with 'There is no peace without digital peace' etched on them. As they wandered past, conference attendees were encouraged to sign up.
"In our digital world we create, connect, express ourselves and improve our lives and the lives of others. Our online community must not be a battlefield," the petition says. Last month Microsoft said that more than 100,000 people across 130 countries had signed its petition.

In many ways, it's hard to disagree with Microsoft's prognosis. Many states do see hacking and cyberwarfare as a low-cost, low-risk way of meddling in the affairs of others.

Arguably the US kicked off this modern age of state-backed hacking with Stuxnet a decade ago, but since then a number of countries including Russia, Iran and North Korea have experimented with using hacking and malware as a cheap way of exerting some influence on the world stage.

Russia's interference in the 2016 US presidential elections made clear how a spot of well-timed hacking could have huge consequences; North Korea's WannaCry showed how even the most isolated state can cause chaos with a few well-chosen lines of code. Tech companies have good commercial reasons to want to discourage cyberwarfare. It drives up costs for them if they have to constantly defend their own networks and their customers' networks from attack and can undermine confidence in their products. 

A cyber-attack by a nation-state is usually met with a response from another nation-state, but impacts private citizens and companies, Microsoft argues.

"When we are talking about cyberspace, fundamentally we are talking about space that is private property, we're talking about datacenters and undersea cables and laptops and phones and devices and services that we create. Like it or not, and I don't think we should like it, the reality is inescapable; we have become the battlefield," Smith said in Lisbon.

Worse, to fight a cyberwar you need cyber weapons, which means governments and others spend a lot of time looking for (and buying up information about) flaws in all sorts of commercial software.

Sometimes governments tip-off tech companies about these flaws, but other times they keep them quiet. Once a promising flaw is discovered, they can then develop tools to exploit the weakness, either to spy on other governments or businesses, or to damage an aggressor's systems should a conflict ever occur.

Tech companies themselves bear some responsibility for where we are now. They need to spend more time on making sure their products are more secure when they are sold, not scrambling to fix the problems later on when a flaw is discovered. But it's also true that as they make their software more robust, governments become more keen to poke holes in it.

Last year's ransomware crisis is an example of how all these factors can combine to create a perfect cyber storm. WannaCry was such a potent piece of malware because it exploited a known flaw in Microsoft's own software. So how did the (most likely) North Korean developers of WannaCry find such a juicy flaw?

In a twist worthy of a spy novel, the flaw had earlier been used by the NSA, most probably for cyber espionage, before it was somehow stolen or lost and released onto the Internet, and after which was reused by North Korea to supercharge the WannaCry ransomware. While Microsoft had released a fix for the flaw before WannaCry hit, many organisations failed to apply it in time.

This is not a one-off, either. The UK's GCHQ intelligence agency recently admitted that it does not always hand over to software vendors the flaws it finds in their products. It also recently admitted it would have to spend more time hacking into computer systems to gain the information it needs. All of which means that more potentially serious flaws in the software used around the world will go unfixed.

The campaigns by Microsoft and others in the tech industry no doubt aim to turn up the pressure on Western governments. Since cyberwarfare emerged from the world of espionage, there is little public understanding of what it is, and what the risks involved are. As modern societies are almost entirely underpinned by computer systems now, allowing spies and the military to pursue secret online wars could put us all at risk. However, the influence of the US tech industry is unlikely to reach as far as it needs to, like the Kremlin or Pyongyang, to make much of an impact on this digital arms race.

Cyberwarfare has proved to be an extremely useful instrument of policy for many nations and regardless of the risks to the rest of us they will be extremely unwilling to give up on it.

ZDNet

You Might Also Read:

Microsoft Chief Says N. Korea Was Behind 'WannaCry':

 

 

« AI Will Solve Marketing Problems
Charities Falling Victim To Cybercrime »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

A10 Networks

A10 Networks

A10 Networks is a leader in application networking, helping organizations of all sizes to accelerate, optimize and secure their applications.

Ioetec

Ioetec

Ioetec's mission is to connect users to their IoT devices securely, ensuring these devices remain safe to use in our increasingly connected world.

SEEK

SEEK

SEEK create world-class technology solutions to address the needs of job seekers and hirers across multiple sectors including cybersecurity.

Innovasec

Innovasec

Innovasec provide information security consulting and training services.

CybrHawk

CybrHawk

CybrHawk is a leading provider of information security-driven risk intelligence solutions focused solely on protecting clients from cyber-attacks.

AML Global Solutions (AMLGS)

AML Global Solutions (AMLGS)

AMLGS delivers Financial Crime prevention training programmes and consultancy services encompassing Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Bribery & Corruption and Fraud.

Kontex

Kontex

Kontex is a Cyber Security consultancy creating resilient solutions. From Strategy, Advisory and Implementation to Management and everything in between.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

RecoLabs

RecoLabs

Reco’s proprietary AI technology dynamically maps business interactions within your collaboration tools to identify sensitive assets shared and uncover incidents that are relevant to your business.

Factmata

Factmata

Factmata is an social and news media monitoring and analytics product that uses AI to identify and track narratives online, highlighting those most likely to cause brand harm or misinform the public.

RubinBrown

RubinBrown

RubinBrown LLP is a leading accounting and professional consulting firm. The RubinBrown name and reputation are synonymous with experience, integrity and value.

Arelion

Arelion

Arelion is a leading light in global connectivity and we've been keeping the world connected for nearly three decades.

Solcon Capital

Solcon Capital

Solcon Capital is a forward-looking, technology-focused investment firm that is committed to identifying and investing in the most promising areas of innovation and development in the tech industry.

42Crunch

42Crunch

42Crunch provides API security testing and threat protection. We proactively test, fix and protect your APIs from development to runtime.

Beacon Technology

Beacon Technology

Beacon Technology offers a comprehensive platform consisting of XDR, VMDR, and Breach and Attack simulation tools.

Icon Information Systems (ICONIS)

Icon Information Systems (ICONIS)

ICONIS is an integrated infrastructure and service provider, offering unified Information Technology (IT) solutions globally.