Microsoft President Brad Smith interview with GeekWire

World Refugee Day: Tech companies, together, can strengthen the safety net

“Please don’t create the next trafficking app.” Those were the words I heard a few months ago when I visited a large international humanitarian organization as it focused on helping refugee children from Ukraine. The point of that statement was that too often and despite our best intentions, private sector technology companies, including us, jump in to help during crisis situations without first understanding the ecosystem of standards, privacy, and security necessary for nonprofits to best provide services to the vulnerable populations they serve.

For instance, a single application built for a single organization and point in time too often ends up contributing to a fractured ecosystem of applications that prevents scaled impact.

One of the things I learned by spending 10 years working at a large global health NGO is that digital technology cannot solve complex social issues by itself. Technology is a tool, a valuable tool even, but it is also best used when part of a systems-based approach inclusive of policy, standards, program delivery, and cross-sector alignment. It requires strong public-private partnership, certainly, but also requires private sector companies to collaborate in areas where they naturally compete.

Today, on World Refugee Day, during this year of all years, we are committed to increasing our investments in innovation partnerships to help the millions of refugees across the world. We will do this through continued support of NGOs (nongovernmental organizations) as they work tirelessly to support personal safety, health, housing, and family reunification. We will do this by working together across sectors – NGO, public, and private to partner effectively and thoughtfully. And, we are recommitting to aligning with others on standards that benefit refugees. This means, we are committed to partnering across the tech sector to drive lasting impact in the humanitarian space.

These partnerships do work. We recently contributed to a collaboration led by NetHope and its members to establish a common data schema for delivering humanitarian aid to refugees and rural communities. Collaboratively, 15 international humanitarian aid organizations and a dozen private sector companies developed the Frontline Humanitarian Logistics data model, a new data standard designed to create sustainable, interoperable technology capability for the humanitarian community.

We also see tremendous public private partnership driving lasting solutions in the response to the war in Ukraine. As millions of refugees streamed out of Ukraine, many companies leaned in to help. There was an immediate need to align volunteers to refugees in need of services, healthcare, education, and housing.

Where private sector technology companies may normally compete, we have agreed to collaborate in these instances to create lasting solutions that align to international security and privacy standards. We agree to prevent inadvertently contributing to a fractured ecosystem of applications that expose the data of vulnerable populations.

We realize the nuances and challenges around engaging and recognize we don’t have all of the answers. Progress depends on us continuing to work together with our partners to share learnings. Refugees deserve all our attention, lasting support, and for us, as competitors, to align and collaborate for the greater purpose – their survival.

Learn more about Microsoft’s efforts, and reflections on World Refugee Day from Kate Behncken, Vice President, Microsoft Philanthropies

CWA and Microsoft announce labor neutrality agreement

On June 2, we announced and adopted principles that apply across Microsoft for employee organizing and engagement with labor organizations.  

Today I want to share that we are putting these principles into practice with a ground-breaking labor neutrality agreement between the Communications Workers of America (CWA) and Microsoft. This agreement, details of which you can read in our joint press release, will apply at Activision Blizzard after the acquisition closes.

Microsoft adopts principles for employee organizing and engagement with labor organizations

As we approach the second quarter of the 21st century, the American economy continues to evolve. Our free market is being reshaped in part by changing public expectations about the nature of work and the responsibilities of corporations. Technology is contributing to these changes, and the tech sector itself is addressing anew a facet that has long been important to the U.S. economy and American democracy – the right of workers to organize.

Recent unionization campaigns across the country — including in the tech sector — have led us to conclude that inevitably these issues will touch on more businesses, potentially including our own. This has encouraged us to think proactively about the best approach for our employees, shareholders, customers, and other stakeholders.

Our employees will never need to organize to have a dialogue with Microsoft’s leaders.  

But we also recognize the workplace is changing. That’s why we are sharing principles to guide our approach with labor organizations. 

Today we are announcing a new set of principles around employee organizing and how we will engage with our employees, labor organizations, and other important stakeholders in critical conversations around work.  

Two factors are guiding our thinking.

First, while relationships with labor organizations are not new to Microsoft, we know that we have a lot to learn. Many other industries have vastly more experience and knowledge than we do. In recent months we’ve talked with and worked hard to learn from prominent labor, business, and academic leaders. We have built on our company’s own collaborative experiences with works councils and unions in other countries, something I learned about myself in the 1990s when I was responsible for our European corporate and legal affairs. But mostly, we recognize that we have far more learning ahead of us than behind us.

Second, we recognize that the right approach for Microsoft may be different from what will work best for others. Each industry and each company is unique. We approach these issues with a deep appreciation of the vital and innovative role our employees play in the development and adoption of new technologies. This depends on a shared company culture that is grounded in a growth mindset focused on listening, learning, and evolving our approaches together, especially on important issues in a rapidly changing world.

Reflecting these factors, we believe Microsoft’s stakeholders will be served best with an open and constructive approach based on the following four principles:

• We believe in the importance of listening to our employees’ concerns. Our leaders have an open door policy, and we invest in listening systems and employee resource groups that constantly help us understand better both what is working and where we need to improve. But we recognize that there may be times when some employees in some countries may wish to form or join a union.

• We recognize that employees have a legal right to choose whether to form or join a union. We respect this right and do not believe that our employees or the company’s other stakeholders benefit by resisting lawful employee efforts to participate in protected activities, including forming or joining a union.

• We are committed to creative and collaborative approaches with unions when employees wish to exercise their rights and Microsoft is presented with a specific unionization proposal. In many instances, employee unionization proposals may open an opportunity for Microsoft to work with an existing union on agreed upon processes for employees to exercise their rights through a private agreement. We are committed to collaborative approaches that will make it simpler, rather than more difficult, for our employees to make informed decisions and to exercise their legal right to choose whether to form or join a union.

• Building on our global labor experiences, we are dedicated to maintaining a close relationship and shared partnership with all our employees, including those represented by a union. For several decades, Microsoft has collaborated closely with works councils across Europe, as well as several unions globally. We recognize that Microsoft’s continued leadership and success will require that we continue to learn and adapt to a changing environment for labor relations in the years ahead.

We acknowledge that this is a journey, and we will need to continue to learn and change as employee expectations and views change with the world around us. And we recognize that employers and employees will not always agree on all topics – and that is okay.

Perhaps as much as anything, we bring a sense of optimism grounded in an appreciation that success in a competitive global economy requires that businesses and labor strive to work together well.

When I visit officials in Washington, D.C., I sometimes think back to the fact that President Theodore Roosevelt in 1903 created a single cabinet agency, the Department of Commerce and Labor. A decade later, this department was divided so two different federal agencies could each focus more squarely on their distinct needs. But then, as now, real progress for companies and the country alike has so often required dialogue, collaboration, and trust between business and labor.

None of us ever knows precisely what challenges the future will bring. But we’re willing to bet that a company that listens to and works well with its employees is likely to have a winning hand.

A vital step at a critical moment: The Declaration for the Future of the Internet

Today, the White House announced that the United States and 60 other governments have signed a new Declaration for the Future of the Internet. As the world grapples with so many technology challenges, this Declaration represents a vital step at a critical moment. At Microsoft, we applaud the White House for its leadership, we are grateful for such broad global support, and we look forward to doing our part in supporting the Declaration’s principles.

As I read through the Declaration, there are a few aspects that jump out as not just important but incredibly timely.

First and most broadly, the Declaration, using its own words, “reclaims the promise of the internet in the face of the global opportunities and challenges presented by the 21st century.”

This is precisely what the world needs.

Almost three decades ago when I first joined Microsoft, we all looked at the Internet and saw the promise of the digital age. In hindsight, we were too absorbed by the internet’s promise, and we paid too little attention to the potential pitfalls and even perils that would lie ahead. We collectively did too little to solve problems when they were small, and we failed to foresee the potential use and abuse of the internet by the autocrats of the world. As we approach the start of the second quarter of the 21st century, digital technology has become both the world’s most powerful tool and most formidable weapon.

This is a time for new leadership to reset and reclaim a brighter future for technology that is hardheaded and clear-eyed about the challenges we face. And it’s a time when a realistic grounding in technology challenges can help the world move faster and farther to make real a more optimistic vision for the internet’s future. The Declaration not only speaks to this future but provides with specificity the principles that will be needed to achieve it.

Second, while the Declaration embraces an important variety of critical and even timeless values, I think it’s right that it starts with a focus on human rights. Today’s new Declaration rightly grounds this focus on an explicit reference to the Universal Declaration of Human Rights, adopted when the world’s nations came together in 1948. That Declaration was forged by a generation that had not only witnessed but won the most global and terrible war in human history. World War II had claimed the lives of more than 70 million people, more than 50 million of whom were civilians. The generation that won the war rightly came together a year later to sign the Fourth Geneva Convention and adopt one of the most important advances of the 20th century, the proposition that governments must protect civilians even in a time of war.

Almost 75 years later, our generation is being put to a new test. The war in Ukraine is being fought not only on the ground, in the air, and at sea, but literally on the internet as well. As we reported yesterday, the Russian military is waging the world’s first “hybrid war” by combining cyber and kinetic weapons, and, tragically, it is targeting, destroying and killing Ukrainian civilians. All of this is being coupled with a disinformation battle that is being fought on the internet on a global scale. Today’s new Declaration points not only to the urgent technology issues we must address to grapple with the war in Ukraine, but to the many varied human needs that require our generation to step forward and act collectively to protect human rights on the internet.

Finally, today’s Declaration rightly calls for the protection and strengthening of a multistakeholder system of internet governance. This reflects one of the big differences between the worlds of the 20th and 21st centuries. As technology has evolved, governmental leadership is as important as ever. But governments can neither manage the internet nor solve the world’s greatest problems by acting alone. We need new and innovative internet initiatives that bring governments together with NGOs, academic researchers, tech companies and many others from across the business community.

This decade will require that the tech sector mature and adapt to regulation. We equally will need governments that can work together more cohesively and effectively across borders. Today’s Declaration for the Future of the Internet should help inspire us all to help build a brighter future that will benefit the generations that will come after we are gone.

Any day that brings together so many countries to embrace principles of such vital importance is a good day indeed.

The hybrid war in Ukraine

Today, we released a report detailing the relentless and destructive Russian cyberattacks we’ve observed in a hybrid war against Ukraine, and what we’ve done to help protect Ukrainian people and organizations. We believe it’s important to share this information so that policymakers and the public around the world know what’s occurring, and so others in the security community can continue to identify and defend against this activity. All of this work is ultimately focused on protecting civilians from attacks that can directly impact their lives and their access to critical services.

Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine – including destructive attacks that are ongoing and threaten civilian welfare. The destructive attacks have also been accompanied by broad espionage and intelligence activities. The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership. We have also observed limited espionage attack activity involving other NATO member states, and some disinformation activity. 

As today’s report details, Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians. For example, a Russian actor launched cyberattacks against a major broadcasting company on March 1st, the same day the Russian military announced its intention to destroy Ukrainian “disinformation” targets and directed a missile strike against a TV tower in Kyiv. On March 13th, during the third week of the invasion, a separate Russian actor stole data from a nuclear safety organization weeks after Russian military units began capturing nuclear power plants, sparking concerns about radiation exposure and catastrophic accidents. While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of “abandoning” Ukrainian citizens.

The destructive attacks we’ve observed – numbering close to 40, targeting hundreds of systems – have been especially concerning: 32% of destructive attacks directly targeted Ukrainian government organizations at the national, regional and city levels. More than 40% of destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and civilians. Actors engaging in these attacks are using a variety of techniques to gain initial access to their targets including phishing, use of unpatched vulnerabilities and compromising upstream IT service providers. These actors often modify their malware with each deployment to evade detection. Notably, our report attributes wiper malware attacks we previously disclosed to a Russian nation-state actor we call Iridium.

Today’s report also includes a detailed timeline of the Russian cyber-operations we’ve observed. Russia-aligned actors began pre-positioning for conflict as early as March 2021, escalating actions against organizations inside or allied with Ukraine to gain a larger foothold into Ukrainian systems. When Russian troops first started to move toward the border with Ukraine, we saw efforts to gain initial access to targets that could provide intelligence on Ukraine’s military and foreign partnerships. By mid-2021, Russian actors were targeting supply chain vendors in Ukraine and abroad to secure further access not only to systems in Ukraine but also NATO member states. In early 2022, when diplomatic efforts failed to de-escalate mounting tensions around Russia’s military build-up along Ukraine’s borders, Russian actors launched destructive wiper malware attacks against Ukrainian organizations with increasing intensity. Since the Russian invasion of Ukraine began, Russian cyberattacks have been deployed to support the military’s strategic and tactical objectives. It’s likely the attacks we’ve observed are only a fraction of activity targeting Ukraine.

Microsoft security teams have worked closely with Ukrainian government officials and cybersecurity staff at government organizations and private enterprises to identify and remediate threat activity against Ukrainian networks. In January of this year, when the Microsoft Threat Intelligence Center (MSTIC) discovered wiper malware in more than a dozen networks in Ukraine, we alerted the Ukrainian government and published our findings. Following that incident, we established a secure line of communication with key cyber officials in Ukraine to be sure that we could act rapidly with trusted partners to help Ukrainian government agencies, enterprises and organizations defend against attacks. This has included 24/7 sharing of threat intelligence and deployment of technical countermeasures to defeat the observed malware.

Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression. We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey – all NATO member states actively providing political, humanitarian or military support to Ukraine. The alerts published by CISA and other U.S. government agencies, and cyber-officials in other countries, should be taken seriously and the recommended defensive and resilience measures should be taken – especially by government agencies and critical infrastructure enterprises. Our report includes specific recommendations for organizations that may be targeted by Russian actors as well as technical information for the cybersecurity community. We will continue to provide updates as we observe activity and believe we can safely disclose new developments.

A new Open Data for Social Impact Framework

Today, we’re publishing a resource to help nonprofits, multilateral organizations, governments and research institutions around the world put data to work to help address societal issues: the Open Data for Social Impact Framework. This new resource builds on the 10 lessons learned from Microsoft’s Open Data Campaign, and includes practical recommendations on how to apply these lessons to an organization’s data strategy.

At Microsoft, we believe data powers insights that help address critical societal problems. This is why we launched the Open Data Campaign in April 2020, partnering with organizations to better understand the opportunities and challenges they face in applying data strategies to advance their core social missions. Now, having supported 23 collaborations built around open and shared data, we’ve found that, while much of the talk around data focuses on the role it can play in the development of new business solutions, opening up data can also help answer some of the most challenging questions we face today. Questions ranging from, “How do we reduce carbon emissions?” to “How can we build a broader and more inclusive digital workforce?” to “How can we close the broadband gap?” – these can all benefit from collaboration and exploration through an increase in open and shared data.

The Open Data for Social Impact Framework is a tool organizational leaders can use to further understand how best to put data to work to solve important societal challenges. The collaborations we have supported helped us better appreciate both the benefits of data strategies and the challenges organizations face in building them. By compiling what we’ve learned from our Open Data journey and what others have shared along the way, we seek to help organizations think about the various questions and technological elements they will need to explore on their journey. We also share examples of organizations and projects that illustrate both best practices in building data strategies and the positive social impact that open data can help unlock. For instance, the World Health Organization is a case study in the importance of leadership in transforming an organization’s culture to be data-driven, and the Caring for Equality data collaboration in Buenos Aires, Argentina, shows how open data can lead to insights that help address inequality gaps with respect to care-related tasks that constrain women’s economic autonomy. These and other examples featured in the framework provide evidence of the benefits of using open data, but they also highlight a methodology that can be applied in other scenarios.

The framework highlights the challenges organizations can face when it comes to open data. It walks leaders through the following common steps and considerations:

  1. Leadership: Are you ready to put data to work to improve social outcomes?
  2. Opportunity: What are the questions you want to answer with data?
  3. Skills: Do you have the talent needed for data analysis?
  4. Community governance: Have you built trust in your community around the use of data?
  5. Technology and data: What solutions and resources do you need to measure, enable and enhance your impact?

The framework also includes a roadmap for organizations to follow to start using data to address their core social missions, and other important resources to help leaders embrace open data.

One of the key lessons we’ve learned is intrinsic to the framework – the ability to access and use data to improve outcomes involves much more than technological tools and the data itself. It includes having a leadership that is committed to using and publishing more open data, assembling the talent necessary to work with that data, and creating a good governance framework to ensure that data opportunities and data risks are managed.

Open data is important, but it can be challenging for some organizations to realize its benefits and we should all continue to look for ways to make it easier. We believe in the limitless opportunities that opening, sharing and collaborating on data can create to help drive solutions to some of the world’s most pressing challenges.

Chief Data Analytics Officer John Kahan: Thanks to Congress, the FCC can now update America’s broadband maps

Just over a year and a half ago, I wrote about the broadband gap, calling attention to the urgent need for the Federal Communications Commission (FCC) to update their approach to gathering and reporting broadband mapping data. At the time, we knew very clearly that the FCC was vastly undercounting the number of Americans without access to broadband. And because of new research – including our own – we knew the problem to be much larger than previously thought: According to Microsoft’s own data, 157.3 million people in the U.S. do not use the internet at broadband speeds and, according to BroadbandNow, at least 42 million people do not have broadband access at all.

But, today, we know its impacts better than ever. As a result of the Covid-19 crisis, millions of people today aren’t just being left behind, they’re being left out of everyday life. While many can work from home, use telehealth or educate their kids remotely, huge swaths of the country are forced to drive long distances to pick up schoolwork or camp out in public library parking lots to access Wi-Fi. It doesn’t have to be this way.

We often say that we can’t solve a problem we don’t fully understand. Accurate maps are absolutely necessary to help regulators effectively target funding where it is most needed and understand how effectively their funding is being applied to connect those without broadband access.

Fortunately, Congress passed the Broadband DATA Act earlier this year, which would improve the FCC’s mapping data. And we commend Congress for providing broadband funding in the latest Covid-19 stimulus bill signed into law this week, which would begin setting up the new mapping solution. We particularly want to thank Senators Wicker, Thune, Cantwell, Klobuchar and Peters, as well as Representatives Pallone, Loebsack, McEachin, Walden, Latta and Long for their work in including this vital funding in the bill.

But the work doesn’t end there. The FCC must now move forward with standing up the new mapping solution as soon as possible. If they fail to rapidly implement this new accurate mapping solution, rural America will be left in the digital dust. We can’t let that happen. But if they move with the urgency the issue deserves, the FCC can change millions of lives for the better.

2020 in review: 6 most-read posts from Microsoft on the Issues

As Covid-19 affected our personal and working lives, 2020 was a year of unimaginable change. Microsoft on the Issues covered topics including cybersecurity, digital skills, accessibility and more, and the pandemic influenced many of the stories we brought you.

As we say goodbye to 2020, here’s a look at some of this year’s most read stories, from the Puget Sound region and beyond.

Data, supplies, community: How Microsoft is supporting efforts to combat Covid-19

Family, friends and co-workers around the world are facing the effects of the Covid-19 pandemic. Managing response efforts requires the cooperation of every sector of society. Back in March, we offered this resource to communities, non-profits and government officials.

Everyone should have access to digital skills. New grants aim to help

Microsoft’s skills initiative hopes to help 25 million people around the world secure digital skills. In June, Microsoft made a public commitment to be more inclusive as an employer and to extend Microsoft’s support and outreach programs in Black and African American communities. As part of this, Microsoft’s community skills program will provide financial grants and tech enablement to community-based non-profits reaching 5 million unemployed workers who need it most.

This is a look at i.c.stars, a rigorous, tech-focused program that provides young adults from low-income communities with the tools to develop the technical and leadership skills needed for a career in technology, a field that continues to lack diversity and be in high demand.

What is ElectionGuard?

Every election year, millions of Americans are eligible to cast their ballots to elect officials ranging from members of school boards to the President of the United States. Those millions of voters need to be confident that the democratic process is carried out without interference.

However, in recent years, technology designed to help elections run smoothly has been targeted by those seeking to influence, subvert or sabotage democracy. Microsoft has been working with governments, NGOs, academics and industry on the Defending Democracy Program. One of the components is ElectionGuard, explored in this article.

An inside look at the global battle with botnets

In March, a small team at Microsoft dismantled Necurs, one of the world’s largest botnets. It was a project that was eight years in the making, and involved coordinated legal and technical action from 35 countries. Botnets are highly sophisticated, acting as a unified threat and often run by well-resourced operators. Tracking them down and preventing them from carrying out further infections and attacks is a complex task that takes coordination across geographies and organizations. This article explored the battle with botnets around the world.

Understanding accessibility through ABCs

At Microsoft, we focus on the maxim of “nothing about us, without us” in order to create technology for people with and without disabilities. Creating and developing technologies for everybody to use involves embracing diversity and an inclusive culture in Microsoft’s own workforce.

The main obstacle to inclusion and diversity is the lack of awareness. As a starting point to educate and share, we shared our ABCs of Accessibility, from A to Z.

How AI is helping map the world’s most vulnerable places

There are places in the world that have not been mapped in detail. In the event of a natural disaster that can be a problem, as rescue teams try to understand where their help might be needed. The Humanitarian OpenStreetMap Team, or HOT, is working with Microsoft’s AI for Humanitarian Action program and Bing to combine satellite mapping, machine learning and an army of volunteers to create detailed and potentially life-saving maps. This story looks at the work HOT is doing, particularly across Africa, and explains how these maps are part of the effort to contain Ebola.

A moment of reckoning: the need for a strong and global cybersecurity response

The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.

The evolving threats

The past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening fronts.

The first is the continuing rise in the determination and sophistication of nation-state attacks. In the past week this has again burst into the headlines with the story of an attack on the firm FireEye using malware inserted into network management software provided to customers by the tech company SolarWinds. This has already led to subsequent news reports of penetration into multiple parts of the U.S. Government. We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations. As FireEye CEO Kevin Mandia stated after disclosing the recent attack, “We are witnessing an attack by a nation with top-tier offensive capabilities.”

As Microsoft cybersecurity experts assist in the response, we have reached the same conclusion. The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.

There are broader ramifications as well, which are even more disconcerting. First, while governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy. As SolarWinds has reported, the attackers installed their malware into an upgrade of the company’s Orion product that may have been installed by more than 17,000 customers.

The nature of the initial phase of the attack and the breadth of supply chain vulnerability is illustrated clearly in the map below, which is based on telemetry from Microsoft’s Defender Anti-Virus software. This identifies customers who use Defender and who installed versions of SolarWinds’ Orion software containing the attackers’ malware. As this makes clear, this aspect of the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia. This also illustrates the heightened level of vulnerability in the United States.

[Image: world map]

The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion. While investigations (and the attacks themselves) continue, Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures.

While roughly 80% of these customers are located in the United States, this work so far has also identified victims in seven additional countries. This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.

Additional analysis sheds added light on the breadth of these attacks. The initial list of victims includes not only government agencies, but security and other technology firms as well as non-governmental organizations, as shown in the chart below.

[Image: cybersecurity chart]

It’s critical that we step back and assess the significance of these attacks in their full context. This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.

As we have now seen repeatedly, Silicon Valley is not the only home of ingenious software developers. Russian engineers in 2016 identified weaknesses in password protection and social media platforms, hacked their way into American political campaigns, and used disinformation to sow divisions among the electorate. They repeated the exercise in the 2017 French presidential campaign. As tracked by Microsoft’s Threat Intelligence Center and Digital Crimes Unit, these techniques have impacted victims in more than 70 countries, including most of the world’s democracies. The most recent attack reflects an unfortunate but similarly ingenious capability to identify weaknesses in cybersecurity protection and exploit them.

These types of sophisticated nation-state attacks are increasingly being compounded by another technology trend, which is the opportunity to augment human capabilities with artificial intelligence (AI). One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps. We should all assume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat landscape.

Thankfully, there is a limited number of governments that can invest in the talent needed to attack with this level of sophistication. In our first Microsoft Digital Defense Report, released in September, we reviewed our assessment of 14 nation-state groups involved in cybersecurity attacks. Eleven of the 14 are in only three countries.

All this is changing because of a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.

One illustrative company in this new sector is the NSO Group, based in Israel and now involved in U.S. litigation. NSO created and sold to governments an app called Pegasus, which could be installed on a device simply by calling the device via WhatsApp; the device’s owner did not even have to answer. According to WhatsApp, NSO used Pegasus to access more than 1,400 mobile devices, including those belonging to journalists and human rights activists.

NSO represents the increasing confluence between sophisticated private-sector technology and nation-state attackers. Citizen Lab, a research laboratory at the University of Toronto, has identified more than 100 abuse cases regarding NSO alone. But it is hardly alone. Other companies are increasingly rumored to be joining in what has become a new $12 billion global technology market.

This represents a growing option for nation-states to either build or buy the tools needed for sophisticated cyberattacks. And if there has been one constant in the world of software over the past five decades, it is that money is always more plentiful than talent. An industry segment that aids offensive cyberattacks spells bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape.

There is a third and final sobering development worth noting from what has obviously been a challenging year. This comes from the intersection between cyberattacks and COVID-19 itself.

One might have hoped that a pandemic that cut short millions of lives might at least have received a pass from the world’s cyberattacks. But that was not the case. After a brief lull in March, cyberattackers took aim at hospitals and public health authorities, from local governments to the World Health Organization (WHO). As humanity raced to develop vaccines, Microsoft security teams detected three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19. A crisis always seems to bring out the best and worst in people, so perhaps we should not be surprised that this global crisis was no exception.

Put together, however, these three trends point to a cybersecurity landscape that is even more daunting than when the year began. The most determined nation-state attackers are becoming more sophisticated. Risks are both growing and spreading to other governments through new private sector companies that aid and abet nation-state attackers. And nothing, not even a pandemic, is off limits to these attackers.

We live in a more dangerous world, and it requires a stronger and more coordinated response.

A more effective strategy as we enter a new year

Put simply, we need a more effective national and global strategy to protect against cyberattacks. It will need multiple parts, but perhaps most important, it must start with the recognition that governments and the tech sector will need to act together.

The new year creates an opportunity to turn a page on recent American unilateralism and focus on the collective action that is indispensable to cybersecurity protection. The United States did not win World War II, the Cold War or even its own independence by fighting alone. In a world where authoritarian countries are launching cyberattacks against the world’s democracies, it is more important than ever for democratic governments to work together – sharing information and best practices, and coordinating not just on cybersecurity protection but on defensive measures and responses.

Unlike attacks from the past, cybersecurity threats also require a unique level of collaboration between the public and private sectors. Today’s technology infrastructure, from data centers to fiber-optic cables, is most often owned and operated by private companies. These represent not only much of the infrastructure that needs to be secured but the surface area where new cyberattacks typically are first spotted. For this reason, effective cyber-defense requires not just a coalition of the world’s democracies, but a coalition with leading tech companies.

To be successful, this coalition will need to do three things more effectively in the future:

First, we need to take a major step forward in the sharing and analysis of threat intelligence. In a new year that will mark the 20th anniversary of 9/11, we should remember one of the lessons from the tragic day that the 9/11 Commission called “a shock but not a surprise.” A recurring theme of the commission’s findings was the inability across government agencies to build collective knowledge by connecting data points together. The commission therefore focused its first recommendation on “unifying strategic intelligence” and moving from the “need to know” to the “need to share.”

If there is an initial question for the incoming Biden-Harris Administration and America’s allies, it is this: Is the sharing of cybersecurity threat intelligence today better or worse than it was for terrorist threats before 9/11?

In the wake of this most recent attack, perhaps no company has done more work than Microsoft to support agencies across the federal government. As much as we appreciate the commitment and professionalism of so many dedicated public servants, it is apparent to us that the current state of information-sharing across the government is far from where it needs to be. It too often seems that federal agencies currently fail to act in a coordinated way or in accordance with a clearly defined national cybersecurity strategy. While parts of the federal government have been quick to seek input, information sharing with first responders in a position to act has been limited. During a cyber incident of national significance, we need to do more to prioritize the information-sharing and collaboration needed for swift and effective action. In many respects, we risk as a nation losing sight of some of the most important lessons identified by the 9/11 Commission.

One indicator of the current situation is reflected in the federal government’s insistence on restricting through its contracts our ability to let even one part of the federal government know what other part has been attacked. Instead of encouraging a “need to share,” this turns information sharing into a breach of contract. It literally has turned the 9/11 Commission’s recommendations upside down.

It will be critical for the incoming Biden-Harris Administration to move quickly and decisively to address this situation. One ready-made opportunity is to establish a national cybersecurity director as recommended by the Solarium Commission and provided for in the National Defense Authorization Act.

Effective progress will also require a second realization that goes beyond anything the 9/11 Commission needed to confront. Cybersecurity threat intelligence exists in even more disconnected silos than more traditional information about national security threats. This is because it is spread not only among different agencies and governments but across multiple private sector companies as well. Even within a large company like Microsoft, we have learned that it is critical for our Threat Intelligence Center to aggregate and analyze data from across our data centers and services. And when there is a major threat, we need to share information and collective assessments with other tech companies.

Recent years have brought several important steps to better share cybersecurity information, and we greatly appreciate the dedication and support of many key people across the U.S. government. But we still lack a formal and cohesive national strategy for the sharing of cybersecurity threat intelligence between the public and private sectors. While there need to be important safeguards to protect government secrets and private citizens’ privacy, the time has come for a more systemic and innovative approach to the sharing and analysis of threat intelligence with those best positioned to act.

Second, we need to strengthen international rules to put reckless nation-state behavior out of bounds and ensure that domestic laws thwart the rise of the cyberattack ecosystem. While the world has important international norms and laws to address nation-state attacks, we continue to believe it is important to fill in gaps and continue to develop clear and binding legal obligations for cyberspace.

This should build on the lessons of 2020 and prioritize key and specific areas. For example, it should include the continued development of rules to expressly forbid the type of broad and reckless activity used against SolarWinds and its customers, which tampered with legitimate software and threatened the stability of a broader software supply chain. The international community has been moving in this direction, building on a 2015 report by a United Nations Group of Governmental Experts that received broad UN endorsement last year, as well as multi-stakeholder support by the Global Commission on the Stability of Cyberspace (GCSC). The U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law.

We need similar strong and effective endorsements of rules that put attacks on health care institutions and vaccine providers off limits. (The recently convened Oxford Process has done important work to highlight the protections existing international law affords in this context.) And international rules should include stronger protections of democratic and electoral processes, as reflected in the principles of the Paris Call for Trust and Security in Cyberspace, which now has more than 1,000 signatories – the largest multi-stakeholder group ever assembled in support of an international cybersecurity-focused agreement.

In addition, governments should take new and concerted steps to thwart the rise of private sector offensive actors. As described above, these companies in effect have created a new ecosystem to support offensive nation-state attacks. The sooner governments take action to put this ecosystem out of business, the better.

An early opportunity for the Biden-Harris Administration will come in an appellate judicial case involving the NSO Group itself. NSO has appealed a lower court finding that it is not immune from claims that it violated the U.S. Computer Fraud and Abuse Act by accessing mobile devices without permission. Its argument is that it is immune from U.S. law because it is acting on behalf of a foreign government customer and hence shares that government’s legal immunity. NSO’s proposed recipe would make a bad problem even worse, which is why Microsoft is joining with other companies in opposing this interpretation. The Biden-Harris Administration should weigh in with a similar view.

NSO’s legal approach, while disconcerting, does the world a service by highlighting the path needed to thwart this new cyberattack ecosystem. It’s to ensure that domestic laws clearly and strongly prohibit companies from helping governments engage in unlawful and offensive cyberattacks and investors from knowingly financing them.

Consider the analogy to other forms of societally harmful activity, like human trafficking, narcotics or terrorism itself. Governments not only take strong steps to prohibit the illegal activity itself – such as engaging in drug trafficking – but also ensure that airlines don’t transport the drugs and investors don’t finance the activity.

A similar approach is needed to deter private sector offensive actors. We need steps to ensure, for example, that American and other investors don’t knowingly fuel the growth of this type of illegal activity. And the United States should proactively pursue discussions with other countries that are giving rise to these companies, including Israel, which has a strong cybersecurity ecosystem that can be drawn into dangerous support of authoritarian regimes.

Finally, we need stronger steps to hold nation-states accountable for cyberattacks. Governments and private companies have taken stronger steps in recent years to hold nation-states publicly accountable for cyberattacks. We need to build on this course and continue to press forward with it, with governments ensuring that there are greater real-world consequences for these attacks to promote stability and discourage conflict.

The world’s democracies took important steps in 2017 and 2018, led by the United States. With public statements about WannaCry and NotPetya, multiple governments attributed these attacks publicly to the North Korean and Russian governments, respectively. These types of coordinated public attributions have become an important tool to respond to nation-state attacks. The United States followed with stronger deterrent steps to protect the 2018 mid-term elections, and an even more concerted effort to successfully deter foreign tampering with voting in the 2020 Presidential elections.

In the private sector, circumstances have also changed dramatically since the early days in 2016 when we at Microsoft took legal action to thwart Russian cyberattacks on American political campaigns but were reluctant to speak publicly about it. In the years since, companies such as Microsoft, Google, Facebook and Twitter have all acted and spoken directly and publicly when responding to nation-state cyberattacks. Moreover, a coalition of more than 145 global technology companies has signed on to the Cybersecurity Tech Accord – committing themselves to upholding four principles of responsible behavior to promote peace and security online, including opposing cyberattacks against innocent civilians and enterprises.

The coming months will present a critical test, not only for the United States but for other leading democracies and technology companies. The weeks ahead will provide mounting and we believe indisputable evidence about the source of these recent attacks. It will become even clearer that they reflect not just the latest technology applied to traditional espionage, but a reckless and broad endangerment of the digital supply chain and our most important economic, civic and political institutions. It is the type of international assault that requires the type of collective response that shows that serious violations have consequences.

If there is a common lesson from the past few years, it’s the importance of combining ongoing learning with new innovations, greater collaboration, and constant courage. For four centuries, the people of the world have relied on governments to protect them from foreign threats. But digital technology has created a world where governments cannot take effective action alone. The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks. As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.


Editor’s note: 12/17/2020, 7:50pm PT

Following news reports about the impact on Microsoft of the SolarWinds issue, the company issued the following statement:

“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
