14 December 2018

Why Microsoft is fighting to stop a cyber world war

By Steve Ranger

The tech industry is becoming more vocal about its worries about a cyberwarfare arms race. But are the right people listening?

On 12 May the WannaCry ransomware attack created havoc by encrypting PCs across the world -- forcing the UK's NHS to cancel appointments and operations -- and costing billions to repair the damage. Just over a month later on 16 June the NotPetya malware caused more damage, again costing billions to fix. Western governments have blamed WannaCry on North Korea, and NotPetya on Russia -- it probably was designed as an attack on Ukraine which then got out of hand.

"One of the things we see is that tools we've created, the tools you've created have been turned by others into weapons. 2017 was a wakeup call, it was a wakeup call about how people unfortunately in some nation states and some governments are using our tools as weapons," said Smith, speaking on stage at the Web Summit conference last month.


In his talk, Smith drew a parallel between the run-up to the First World War and the burgeoning cyberwar arms race today.

"I'm not here to say the next world war is imminent but I am here to say that there are lessons from a century ago we can learn and apply, that we need to apply, to our own future," said Smith.

His argument is that technology was advancing at an enormous pace in the first decades of the twentieth century -- just as it is now -- but human institutions failed to keep up.

"The technology revolution requires a moral revolution as well. That is the challenge for our time," Smith said.

Smith's answer is that governments should stand up for the protection of the civilians and civilian infrastructure, and safeguard the internet in general from cyber attacks. Indeed, over the last couple of years, Microsoft has been increasingly vocal about its concerns that cyber attacks are spilling over and affecting businesses and consumers.

In February last year Smith, who has been the most visible Microsoft exec on the issue, outlined his concept of a digital Geneva Convention -- a version of the rules that protect civilians in wartime -- but for the online world.

It asks, among other things, that states do not target tech companies, the private sector or critical infrastructure with cyber attacks, that they should report vulnerabilities to vendors rather than stockpile them, that they make sure that cyberweapons are limited and precise in their effect, and to commit to non-proliferation of such weapons.

And in April this year Microsoft was one of the companies behind the Cybersecurity Tech Accord, signed by 34 companies, which promises not to help governments launch cyberattacks against innocent citizens and enterprises.

Microsoft has also been a major supporter of the Paris Call for Trust and Security in Cyberspace, launched by French President Emmanuel Macron last month.

The 370 signatories include all 28 members of the European Union and 27 of the 29 NATO members. Also signed up are companies including Microsoft, Google, Facebook, Intel and financial services companies such as Citigroup and Visa.

They pledged to "condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection".

Notably missing from the countries signed up to the Paris Call are the US -- the country with the most powerful cyberwarfare capabilities -- plus Australia and Israel, as well as countries that have been regularly accused by the West of using cyberwarfare techniques, including Russia, China, North Korea and Iran.

Microsoft has also been backing something called the Digital Peace Petition. At Web Summit in Lisbon, the petition even had its own booth emblazoned '#stopcyberwarfare' and a technofied version of the peace symbol along with panels with 'There is no peace without digital peace' etched on them. As they wandered past, conference attendees were encouraged to sign up.

"In our digital world we create, connect, express ourselves and improve our lives and the lives of others. Our online community must not be a battlefield," the petition says. Last month Microsoft said that more than 100,000 people across 130 countries had signed its petition.

In many ways, it's hard to disagree with Microsoft's prognosis. Many states do see hacking and cyberwarfare as a low-cost, low-risk way of meddling in the affairs of others.

Arguably the US kicked off this modern age of state-backed hacking with Stuxnet a decade ago, but since then a number of countries including Russia, Iran and North Korea have experimented with using hacking and malware as a cheap way of exerting some influence on the world stage.

Russia's interference in the 2016 US presidential elections made clear how a spot of well-timed hacking could have huge consequences; North Korea's WannaCry showed how even the most isolated state can cause chaos with a few well-chosen lines of code.

Tech companies have good commercial reasons to want to discourage cyberwarfare. It drives up costs for them if they have to constantly defend their own networks and their customers' networks from attack and can undermine confidence in their products. A cyber-attack by a nation-state is usually met with a response from another nation-state, but impacts private citizens and companies, Microsoft argues.

"When we are talking about cyberspace, fundamentally we are talking about space that is private property, we're talking about datacenters and undersea cables and laptops and phones and devices and services that we create. Like it or not, and I don't think we should like it, the reality is inescapable; we have become the battlefield," Smith said in Lisbon.

Worse, to fight a cyberwar you need cyber weapons, which means governments and others spend a lot of time looking for (and buying up information about) flaws in all sorts of commercial software.

Sometimes governments tip-off tech companies about these flaws, but other times they keep them quiet. Once a promising flaw is discovered, they can then develop tools to exploit the weakness, either to spy on other governments or businesses, or to damage an aggressor's systems should a conflict ever occur.

Tech companies themselves bear some responsibility for where we are now. They need to spend more time on making sure their products are more secure when they are sold, not scrambling to fix the problems later on when a flaw is discovered. But it's also true that as they make their software more robust, governments become more keen to poke holes in it.

Last year's ransomware crisis is an example of how all these factors can combine to create a perfect cyber storm. WannaCry was such a potent piece of malware because it exploited a known flaw in Microsoft's own software. So how did the (most likely) North Korean developers of WannaCry find such a juicy flaw?

In a twist worthy of a spy novel, the flaw had earlier been used by the NSA, most probably for cyber espionage, before it was somehow stolen or lost and released onto the internet, and after which was reused by North Korea to supercharge the WannaCry ransomware. While Microsoft had released a fix for the flaw before WannCry hit, many organisations failed to apply it in time.

This is not a one-off, either. The UK's GCHQ intelligence agency recently admitted that it does not always hand over to software vendors the flaws it finds in their products. It also recently admitted it would have to spend more time hacking into computer systems to gain the information it needs. All of which means that more potentially serious flaws in the software used around the world will go unfixed.

The campaigns by Microsoft and others in the tech industry no doubt aim to turn up the pressure on Western governments. Since cyberwarfare emerged from the world of espionage, there is little public understanding of what it is, and what the risks involved are. As modern societies are almost entirely underpinned by computer systems now, allowing spies and the military to pursue secret online wars could put us all at risk.

However, the influence of the tech industry is unlikely to reach as far as it needs -- to the Kremlin or Pyongyang -- to make much of an impact on this digital arms race.

Cyberwarfare has proved to be an extremely useful instrument of policy for many nations and -- regardless of the risks to the rest of us -- they will be extremely unwilling to give up on it.

No comments: