'If there is an initial question for the incoming Biden-Harris Administration and America’s allies, it is this: Is the sharing of cybersecurity threat intelligence today better or worse than it was for terrorist threats before 9/11? .. we need to strengthen international rules to put reckless nation-state behavior out of bounds and ensure that domestic laws thwart the rise of the cyberattack ecosystem. While the world has important international norms and laws to address nation-state attacks, we continue to believe it is important to fill in gaps and continue to develop clear and binding legal obligations for cyberspace.
This should build on the lessons of 2020 and prioritize key and specific areas. For example, it should include the continued development of rules to expressly forbid the type of broad and reckless activity used against SolarWinds and its customers, which tampered with legitimate software and threatened the stability of a broader software supply chain. The international community has been moving in this direction, building on a 2015 report by a United Nations Group of Governmental Experts that received broad UN endorsement last year, as well as multi-stakeholder support by the Global Commission on the Stability of Cyberspace (GCSC). The U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law.''The past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening fronts.
The first is the continuing rise in the determination and sophistication of nation-state attacks....
As we have now seen repeatedly, Silicon Valley is not the only home of ingenious software developers. Russian engineers in 2016 identified weaknesses in password protection and social media platforms, hacked their way into American political campaigns, and used disinformation to sow divisions among the electorate. They repeated the exercise in the 2017 French presidential campaign. As tracked by Microsoft’s Threat Intelligence Center and Digital Crimes Unit, these techniques have impacted victims in more than 70 countries, including most of the world’s democracies. The most recent attack reflects an unfortunate but similarly ingenious capability to identify weaknesses in cybersecurity protection and exploit them.
These types of sophisticated nation-state attacks are increasingly being compounded by another technology trend, which is the opportunity to augment human capabilities with artificial intelligence (AI). One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps. We should all assume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat landscape.
Thankfully, there is a limited number of governments that can invest in the talent needed to attack with this level of sophistication. In our first Microsoft Digital Defense Report, released in September, we reviewed our assessment of 14 nation-state groups involved in cybersecurity attacks. Eleven of the 14 are in only three countries.
All this is changing because of a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.
One illustrative company in this new sector is the NSO Group, based in Israel and now involved in U.S. litigation. NSO created and sold to governments an app called Pegasus, which could be installed on a device simply by calling the device via WhatsApp; the device’s owner did not even have to answer. According to WhatsApp, NSO used Pegasus to access more than 1,400 mobile devices, including those belonging to journalists and human rights activists.
..
There is a third and final sobering development worth noting from what has obviously been a challenging year. This comes from the intersection between cyberattacks and COVID-19 itself...
Put simply, we need a more effective national and global strategy to protect against cyberattacks...
To be successful, this coalition will need to do three things more effectively in the future:
First, we need to take a major step forward in the sharing and analysis of threat intelligence. In a new year that will mark the 20th anniversary of 9/11, we should remember one of the lessons from the tragic day that the 9/11 Commission called “a shock but not a surprise.” A recurring theme of the commission’s findings was the inability across government agencies to build collective knowledge by connecting data points together. The commission therefore focused its first recommendation on “unifying strategic intelligence” and moving from the “need to know” to the “need to share.”
If there is an initial question for the incoming Biden-Harris Administration and America’s allies, it is this: Is the sharing of cybersecurity threat intelligence today better or worse than it was for terrorist threats before 9/11?
In the wake of this most recent attack, perhaps no company has done more work than Microsoft to support agencies across the federal government. As much as we appreciate the commitment and professionalism of so many dedicated public servants, it is apparent to us that the current state of information-sharing across the government is far from where it needs to be. It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy. While parts of the federal government have been quick to seek input, information sharing with first responders in a position to act has been limited. During a cyber incident of national significance, we need to do more to prioritize the information-sharing and collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.
One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down.
It will be critical for the incoming Biden-Harris Administration to move quickly and decisively to address this situation. One ready-made opportunity is to establish a national cybersecurity director as recommended by the Solarium Commission and provided for in the National Defense Authorization Act.
Effective progress will also require a second realization that goes beyond anything the 9/11 Commission needed to confront. Cybersecurity threat intelligence exists in even more disconnected silos than more traditional information about national security threats. This is because it is spread not only among different agencies and governments but across multiple private sector companies as well. Even within a large company like Microsoft, we have learned that it is critical for our Threat Intelligence Center to aggregate and analyze data from across our data centers and services. And when there is a major threat, we need to share information and collective assessments with other tech companies.
Recent years have brought several important steps to better share cybersecurity information, and we greatly appreciate the dedication and support of many key people across the U.S. government. But we still lack a formal and cohesive national strategy for the sharing of cybersecurity threat intelligence between the public and private sectors. While there need to be important safeguards to protect government secrets and private citizens’ privacy, the time has come for a more systemic and innovative approach to the sharing and analysis of threat intelligence with those best positioned to act.
Second, we need to strengthen international rules to put reckless nation-state behavior out of bounds and ensure that domestic laws thwart the rise of the cyberattack ecosystem. While the world has important international norms and laws to address nation-state attacks, we continue to believe it is important to fill in gaps and continue to develop clear and binding legal obligations for cyberspace.
This should build on the lessons of 2020 and prioritize key and specific areas. For example, it should include the continued development of rules to expressly forbid the type of broad and reckless activity used against SolarWinds and its customers, which tampered with legitimate software and threatened the stability of a broader software supply chain. The international community has been moving in this direction, building on a 2015 report by a United Nations Group of Governmental Experts that received broad UN endorsement last year, as well as multi-stakeholder support by the Global Commission on the Stability of Cyberspace (GCSC). The U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law.
We need similar strong and effective endorsements of rules that put attacks on health care institutions and vaccine providers off limits. (The recently convened Oxford Process has done important work to highlight the protections existing international law affords in this context.) And international rules should include stronger protections of democratic and electoral processes, as reflected in the principles of the Paris Call for Trust and Security in Cyberspace, which now has more than 1,000 signatories – the largest multi-stakeholder group ever assembled in support of an international cybersecurity-focused agreement.
In addition, governments should take new and concerted steps to thwart the rise of private sector offensive actors. As described above, these companies in effect have created a new ecosystem to support offensive nation-state attacks. The sooner governments take action to put this ecosystem out of business, the better.
..
Finally, we need stronger steps to hold nation-states accountable for cyberattacks. Governments and private companies have taken stronger steps in recent years to hold nation-states publicly accountable for cyberattacks. We need to build on this course and continue to press forward with it, with governments ensuring that there are greater real-world consequences for these attacks to promote stability and discourage conflict.
The world’s democracies took important steps in 2017 and 2018, led by the United States. With public statements about WannaCry and NotPetya, multiple governments attributed these attacks publicly to the North Korean and Russian governments, respectively. These types of coordinated public attributions have become an important tool to respond to nation-state attacks. The United States followed with stronger deterrent steps to protect the 2018 mid-term elections, and an even more concerted effort to successfully deter foreign tampering with voting in the 2020 Presidential elections.
In the private sector, circumstances have also changed dramatically since the early days in 2016 when we at Microsoft took legal action to thwart Russian cyberattacks on American political campaigns but were reluctant to speak publicly about it. In the years since, companies such as Microsoft, Google, Facebook and Twitter have all acted and spoken directly and publicly when responding to nation-state cyberattacks. Moreover, a coalition of more than 145 global technology companies have signed on to the Cybersecurity Tech Accord – committing themselves to upholding four principles of responsible behavior to promote peace and security online, including opposing cyberattacks against innocent civilians and enterprises.
The coming months will present a critical test, not only for the United States but for other leading democracies and technology companies. The weeks ahead will provide mounting and we believe indisputable evidence about the source of these recent attacks. It will become even clearer that they reflect not just the latest technology applied to traditional espionage, but a reckless and broad endangerment of the digital supply chain and our most important economic, civic and political institutions. It is the type of international assault that requires the type of collective response that shows that serious violations have consequences.
If there is a common lesson from the past few years, it’s the importance of combining ongoing learning with new innovations, greater collaboration, and constant courage. For four centuries, the people of the world have relied on governments to protect them from foreign threats. But digital technology has created a world where governments cannot take effective action alone. The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks. As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.'
-
A moment of reckoning: the need for a strong and global cybersecurity response, December 17, 2020
ContextUS officials scramble to deal with suspected Russian hack of government agencies, December 14, 2020
'..Political Warfare .. Increased espionage and subversion against NATO and the EU, directed by Russian special services..''..limitations on nuclear weapons and for developing a more comprehensive arms control regime..''An unprecedented amount of fraud may have occurred during Russia’s weeklong vote to change the Constitution..' - '..Russia's 750,000-strong police force have openly challenged the authorities..''Russia is waging a political war campaign of active measures intended to divide, distract, and dismay European states.''..effective counter-intelligence services, proper oversight over the flow of funds and serious policing of corruption at home, media awareness for a new generation of citizens .. to increase the effectiveness .. of existing political structures.''..Moscow and Beijing are single-minded in their identification of democracy as a threat to their oppressive regimes..'(Ethics) - '..fighting corruption, defending against authoritarianism, and advancing human rights .. strengthening .. our middle class. .. It is past time to end the forever wars .. zero emissions by 2050 .. liberty.' - Biden