Why Microsoft is fighting to stop a cyber world war

Source: Vsoft, 13/12/2018

On 12 May the WannaCry ransomware attack created havoc by
encrypting PCs across the world -- forcing the UK`s NHS to cancel
appointments and operations -- and costing billions to repair the
damage. Just over a month later on 16 June the NotPetya malware
caused more damage, again costing billions to fix. Western
governments have blamed WannaCry on North Korea, and NotPetya on
Russia -- it probably was designed as an attack on Ukraine which
then got out of hand.
`One of the things we see is that tools we`ve created, the tools
you`ve created have been turned by others into weapons. 2017 was a
wakeup call, it was a wakeup call about how people unfortunately
in some nation states and some governments are using our tools as
weapons,` said Smith, speaking on stage at the Web Summit
conference last month.
In his talk, Smith drew a parallel between the run-up to the First
World War and the burgeoning cyberwar arms race today.
`I`m not here to say the next world war is imminent but I am here
to say that there are lessons from a century ago we can learn and
apply, that we need to apply, to our own future,` said Smith.
His argument is that technology was advancing at an enormous pace
in the first decades of the twentieth century -- just as it is now
-- but human institutions failed to keep up.
`The technology revolution requires a moral revolution as well.
That is the challenge for our time,` Smith said.
Smith`s answer is that governments should stand up for the
protection of the civilians and civilian infrastructure, and
safeguard the internet in general from cyber attacks. Indeed, over
the last couple of years, Microsoft has been increasingly vocal
about its concerns that cyber attacks are spilling over and
affecting businesses and consumers.
In February last year Smith, who has been the most visible
Microsoft exec on the issue, outlined his concept of a digital
Geneva Convention -- a version of the rules that protect civilians
in wartime -- but for the online world.
It asks, among other things, that states do not target tech
companies, the private sector or critical infrastructure with
cyber attacks, that they should report vulnerabilities to vendors
rather than stockpile them, that they make sure that cyberweapons
are limited and precise in their effect, and to commit to non-
proliferation of such weapons.
And in April this year Microsoft was one of the companies behind
the Cybersecurity Tech Accord, signed by 34 companies, which
promises not to help governments launch cyberattacks against
innocent citizens and enterprises.
Microsoft has also been a major supporter of the Paris Call for
Trust and Security in Cyberspace, launched by French President
Emmanuel Macron last month.
The 370 signatories include all 28 members of the European Union
and 27 of the 29 NATO members. Also signed up are companies
including Microsoft, Google, Facebook, Intel and financial
services companies such as Citigroup and Visa.
They pledged to `condemn malicious cyber activities in peacetime,
notably the ones threatening or resulting in significant,
indiscriminate or systemic harm to individuals and critical
infrastructure and welcome calls for their improved protection`.
Notably missing from the countries signed up to the Paris Call are
the US -- the country with the most powerful cyberwarfare
capabilities -- plus Australia and Israel, as well as countries
that have been regularly accused by the West of using cyberwarfare
techniques, including Russia, China, North Korea and Iran.
Microsoft has also been backing something called the Digital Peace
Petition. At Web Summit in Lisbon, the petition even had its own
booth emblazoned `#stopcyberwarfare` and a technofied version of
the peace symbol along with panels with `There is no peace without
digital peace` etched on them. As they wandered past, conference
attendees were encouraged to sign up.
`In our digital world we create, connect, express ourselves and
improve our lives and the lives of others. Our online community
must not be a battlefield,` the petition says. Last month
Microsoft said that more than 100,000 people across 130 countries
had signed its petition.
In many ways, it`s hard to disagree with Microsoft`s prognosis.
Many states do see hacking and cyberwarfare as a low-cost, low-
risk way of meddling in the affairs of others.
Arguably the US kicked off this modern age of state-backed hacking
with Stuxnet a decade ago, but since then a number of countries
including Russia, Iran and North Korea have experimented with
using hacking and malware as a cheap way of exerting some
influence on the world stage.
Russia`s interference in the 2016 US presidential elections made
clear how a spot of well-timed hacking could have huge
consequences; North Korea`s WannaCry showed how even the most
isolated state can cause chaos with a few well-chosen lines of
code.
Tech companies have good commercial reasons to want to discourage
cyberwarfare. It drives up costs for them if they have to
constantly defend their own networks and their customers` networks
from attack and can undermine confidence in their products. A
cyber-attack by a nation-state is usually met with a response from
another nation-state, but impacts private citizens and companies,
Microsoft argues.
`When we are talking about cyberspace, fundamentally we are
talking about space that is private property, we`re talking about
datacenters and undersea cables and laptops and phones and devices
and services that we create. Like it or not, and I don`t think we
should like it, the reality is inescapable; we have become the
battlefield,` Smith said in Lisbon.
Worse, to fight a cyberwar you need cyber weapons, which means
governments and others spend a lot of time looking for (and buying
up information about) flaws in all sorts of commercial software.
Sometimes governments tip-off tech companies about these flaws,
but other times they keep them quiet. Once a promising flaw is
discovered, they can then develop tools to exploit the weakness,
either to spy on other governments or businesses, or to damage an
aggressor`s systems should a conflict ever occur.
Tech companies themselves bear some responsibility for where we
are now. They need to spend more time on making sure their
products are more secure when they are sold, not scrambling to fix
the problems later on when a flaw is discovered. But it`s also
true that as they make their software more robust, governments
become more keen to poke holes in it.
Last year`s ransomware crisis is an example of how all these
factors can combine to create a perfect cyber storm. WannaCry was
such a potent piece of malware because it exploited a known flaw
in Microsoft`s own software. So how did the (most likely) North
Korean developers of WannaCry find such a juicy flaw?
In a twist worthy of a spy novel, the flaw had earlier been used
by the NSA, most probably for cyber espionage, before it was
somehow stolen or lost and released onto the internet, and after
which was reused by North Korea to supercharge the WannaCry
ransomware. While Microsoft had released a fix for the flaw before
WannCry hit, many organisations failed to apply it in time.
This is not a one-off, either. The UK`s GCHQ intelligence agency
recently admitted that it does not always hand over to software
vendors the flaws it finds in their products. It also recently
admitted it would have to spend more time hacking into computer
systems to gain the information it needs. All of which means that
more potentially serious flaws in the software used around the
world will go unfixed.
The campaigns by Microsoft and others in the tech industry no
doubt aim to turn up the pressure on Western governments. Since
cyberwarfare emerged from the world of espionage, there is little
public understanding of what it is, and what the risks involved
are. As modern societies are almost entirely underpinned by
computer systems now, allowing spies and the military to pursue
secret online wars could put us all at risk.
However, the influence of the tech industry is unlikely to reach
as far as it needs -- to the Kremlin or Pyongyang -- to make much
of an impact on this digital arms race.
Cyberwarfare has proved to be an extremely useful instrument of
policy for many nations and -- regardless of the risks to the rest
of us -- they will be extremely unwilling to give up on it.