Microsoft In A Fight To Stop Cyber War

The tech industry is becoming more worried about a cyberwar arms race. But are the right people listening? 

Two days last year finally woke the world up to the dangers of cyberwarfare, according to Microsoft's President Brad Smith (pictured).

The WannaCry ransomware attack created havoc by encrypting PCs across the world, forcing the UK's NHS to cancel appointments and operations, and costing billions to repair the damage. 

Just over a month later on 16 June the NotPetya malware caused more damage, again costing billions to fix. Western governments have blamed WannaCry on North Korea, and NotPetya on Russia, it probably was designed as an attack on Ukraine which then got out of hand.

"One of the things we see is that tools we've created, the tools you've created have been turned by others into weapons. 2017 was a wakeup call, it was a wakeup call about how people unfortunately in some nation states and some governments are using our tools as weapons," said Smith, speaking on stage at the Web Summit conference last month.

In his talk, Smith drew a parallel between the run-up to the First World War and the burgeoning cyberwar arms race today.

"I'm not here to say the next world war is imminent but I am here to say that there are lessons from a century ago we can learn and apply, that we need to apply, to our own future," said Smith.

His argument is that technology was advancing at an enormous pace in the first decades of the twentieth century -- just as it is now -- but human institutions failed to keep up.

"The technology revolution requires a moral revolution as well. That is the challenge for our time," Smith said.

Smith's answer is that governments should stand up for the protection of the civilians and civilian infrastructure, and safeguard the internet in general from cyber-attacks. Indeed, over the last couple of years, Microsoft has been increasingly vocal about its concerns that cyber-attacks are spilling over and affecting businesses and consumers. In February last year Smith, who has been the most visible Microsoft exec on the issue, outlined his concept of a digital Geneva Convention, a version of the rules that protect civilians in wartime, but for the online world.

It asks, among other things, that states do not target tech companies, the private sector or critical infrastructure with cyber-attacks, that they should report vulnerabilities to vendors rather than stockpile them, that they make sure that cyber weapons are limited and precise in their effect, and to commit to non-proliferation of such weapons.

In April this year Microsoft was one of the companies behind the Cybersecurity Tech Accord, signed by 34 companies, which promises not to help governments launch cyberattacks against innocent citizens and enterprises.

Microsoft has also been a major supporter of the Paris Call for Trust and Security in Cyberspace, launched by French President Emmanuel Macron last month.

The 370 signatories include all 28 members of the European Union and 27 of the 29 NATO members. Also signed up are companies including Microsoft, Google, Facebook, Intel and financial services companies such as Citigroup and Visa. 
They pledged to "condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection".
Notably missing from the countries signed up to the Paris Call are the US, the country with the most powerful cyberwarfare capabilities, and Israel, as well as countries that have been regularly accused by the West of using cyberwarfare techniques, including Russia, China, North Korea and Iran.

Microsoft has also been backing something called the Digital Peace Petition. At Web Summit in Lisbon, the petition even had its own booth emblazoned '#stopcyberwarfare' and a technofied version of the peace symbol along with panels with 'There is no peace without digital peace' etched on them. As they wandered past, conference attendees were encouraged to sign up.
"In our digital world we create, connect, express ourselves and improve our lives and the lives of others. Our online community must not be a battlefield," the petition says. Last month Microsoft said that more than 100,000 people across 130 countries had signed its petition.

In many ways, it's hard to disagree with Microsoft's prognosis. Many states do see hacking and cyberwarfare as a low-cost, low-risk way of meddling in the affairs of others.

Arguably the US kicked off this modern age of state-backed hacking with Stuxnet a decade ago, but since then a number of countries including Russia, Iran and North Korea have experimented with using hacking and malware as a cheap way of exerting some influence on the world stage.

Russia's interference in the 2016 US presidential elections made clear how a spot of well-timed hacking could have huge consequences; North Korea's WannaCry showed how even the most isolated state can cause chaos with a few well-chosen lines of code. Tech companies have good commercial reasons to want to discourage cyberwarfare. It drives up costs for them if they have to constantly defend their own networks and their customers' networks from attack and can undermine confidence in their products. 

A cyber-attack by a nation-state is usually met with a response from another nation-state, but impacts private citizens and companies, Microsoft argues.

"When we are talking about cyberspace, fundamentally we are talking about space that is private property, we're talking about datacenters and undersea cables and laptops and phones and devices and services that we create. Like it or not, and I don't think we should like it, the reality is inescapable; we have become the battlefield," Smith said in Lisbon.

Worse, to fight a cyberwar you need cyber weapons, which means governments and others spend a lot of time looking for (and buying up information about) flaws in all sorts of commercial software.

Sometimes governments tip-off tech companies about these flaws, but other times they keep them quiet. Once a promising flaw is discovered, they can then develop tools to exploit the weakness, either to spy on other governments or businesses, or to damage an aggressor's systems should a conflict ever occur.

Tech companies themselves bear some responsibility for where we are now. They need to spend more time on making sure their products are more secure when they are sold, not scrambling to fix the problems later on when a flaw is discovered. But it's also true that as they make their software more robust, governments become more keen to poke holes in it.

Last year's ransomware crisis is an example of how all these factors can combine to create a perfect cyber storm. WannaCry was such a potent piece of malware because it exploited a known flaw in Microsoft's own software. So how did the (most likely) North Korean developers of WannaCry find such a juicy flaw?

In a twist worthy of a spy novel, the flaw had earlier been used by the NSA, most probably for cyber espionage, before it was somehow stolen or lost and released onto the Internet, and after which was reused by North Korea to supercharge the WannaCry ransomware. While Microsoft had released a fix for the flaw before WannaCry hit, many organisations failed to apply it in time.

This is not a one-off, either. The UK's GCHQ intelligence agency recently admitted that it does not always hand over to software vendors the flaws it finds in their products. It also recently admitted it would have to spend more time hacking into computer systems to gain the information it needs. All of which means that more potentially serious flaws in the software used around the world will go unfixed.

The campaigns by Microsoft and others in the tech industry no doubt aim to turn up the pressure on Western governments. Since cyberwarfare emerged from the world of espionage, there is little public understanding of what it is, and what the risks involved are. As modern societies are almost entirely underpinned by computer systems now, allowing spies and the military to pursue secret online wars could put us all at risk. However, the influence of the US tech industry is unlikely to reach as far as it needs to, like the Kremlin or Pyongyang, to make much of an impact on this digital arms race.

Cyberwarfare has proved to be an extremely useful instrument of policy for many nations and regardless of the risks to the rest of us they will be extremely unwilling to give up on it.

ZDNet

You Might Also Read:

Microsoft Chief Says N. Korea Was Behind 'WannaCry':

 

 

« AI Will Solve Marketing Problems
Charities Falling Victim To Cybercrime »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Proofpoint

Proofpoint

Proofpoint provide the most effective cybersecurity and compliance solutions to protect people on every channel including email, the web, the cloud, social media and mobile messaging.

Advenica

Advenica

Advenica develops, manufactures and sells innovative cybersecurity solutions for encryption and secure information exchange.

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity

Rohde & Schwarz Cybersecurity provide solutions for Secure Networks, Secure Communications, Network Analysis, and Endpoint Security.

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

T-ISAC Japan coordinates information sharing and activities related to ISP/telecommunications network security in Japan.

Careers in Cyber Security (CiCS)

Careers in Cyber Security (CiCS)

CareersinCyberSecurity is a leading global job board and career resource for Cyber Security, IT Audit, Technology Risk and Data Protection professionals.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Cyacomb

Cyacomb

Cyacomb (formerly Cyan Forensics) provides digital forensics software to help police forces find evidence on computers many times faster than before.

Cyber Security Courses

Cyber Security Courses

Cyber Security Courses was formed to help students in the UK find cyber security courses online.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

US Army Cyber Command (ARCYBER)

US Army Cyber Command (ARCYBER)

US Army’s Cyber Command (ARCYBER) is engaged in the real-world cyberspace fight today, against near-peer adversaries, ISIS, and other global cyber threats.

Airtel Secure

Airtel Secure

Airtel Secure’s multi-layered, full service cybersecurity offerings are designed to safeguard enterprises against threats of various kinds and origins.

DH2i Company

DH2i Company

DH2i is a leading provider of multi-platform Software Defined Perimeter and Smart Availability software enabling customers to create an entire IT infrastructure that is always-secure and always-on.

NAK Consulting Services

NAK Consulting Services

NAK is helping organisations to create Secure, Agile IT Environments. Our goal is to be the trusted advisor and managed service partner for our clients.

Telit Cinterion

Telit Cinterion

Telit Cinterion is a global enabler of the intelligent edge providing highly secure IoT solutions, modules and services.

Pango

Pango

Pango is a leading provider of digital consumer security solutions.

Upwind Security

Upwind Security

Upwind delivers comprehensive cloud security, precisely when and where it’s most critical.