Cyber attacks continue to be a growing problem that requires action at all levels and collaboration across society, according to Brad Smith, president and chief legal officer at Microsoft.
“One thing that has made the situation even more challenging is the rise in the number of nation state attacks,” he told the 2017 RSA Conference in San Francisco.
Smith said the attack on Sony Pictures Entertainment in November 2014 was a turning point because it was a nation state attack that was not motivated by espionage and targeted a private company.
“Since then, we have seen these issues evolve even further – cyber space is the new battlefield,” he said. “And it is a different kind of battlefield than the world has seen before.”
Information security professionals are at the very centre of the battle because they are typically the first responders, he said.
Smith said that for more than two-thirds of a century, the world’s governments have been committed to protecting civilians in times of war. “But when it comes to cyber attacks, nation state hacking has evolved into attacks on civilians in times of peace.” This should prompt everyone in society to ask what they are going to do about it, he said.
According to Smith, three courses of action should be considered. First, each individual and company has to think about what more they can do to raise the cyber security barrier.
He detailed some of the initiatives Microsoft is pursuing to protect customers from phishing emails, to harness the data it collects from customer endpoints and scan for malware distributed by email, and to shut down fake domains.
“That is a step forward, but more than that, we all need to recognise that we are a long way from declaring victory,” said Smith. “We need to do more and we need to do more together if we are going to address this problem effectively.”
For this reason, he said, the time has come for the technology industry to call on the world’s governments to come together in the same way they came together in 1948, which led to the fourth Geneva Convention to protect civilians in times of war.
“Now is the time for us to call on governments to protect civilians on the internet in times of peace, and there is progress on which we can build,” said Smith, citing the September 2015 agreement between the US and China that neither government would support the cyber theft of intellectual property (IP).
“There are new issues that we need governments to come together to address in 2017,” he said. “There is an opportunity for a new president in the US to sit across the table with the president from Russia and take another step forward to address the attacks that concern the world.”
Read more about cyber war
- Terror groups are more likely than nation states to unleash cyber weapons and critical infrastructure is the most likely target, warns Kaspersky Lab chief.
- There is a lot of “fog” surrounding cyber weapons and cyber war because there is no way of knowing the true capability of any country, says security expert Mikko Hypponen.
- Countries are not attacking each other but striking at the IT infrastructure of enterprises in rival states, says security pundit Bruce Schneier.
- Armed forces minister Nick Harvey has revealed the UK is working on a cyber weapon programme with offensive capabilities to counter cyber warfare threats to national security.
The next step after that would be a global convention, said Smith. “What we need now is a digital global convention that will call on the world’s governments to pledge that they will not engage in cyber attacks on the private sector, that they will not target civilian infrastructure, and that instead they will work with the private sector to respond to vulnerabilities, that they will not stockpile vulnerabilities and that they will take additional measures,” he said.
According to Smith, as well as a global convention, the world needs a new independent organisation like the International Atomic Energy Agency, which has addressed nuclear non-proliferation for decades.
Smithy said the new organisation should bring together the brightest people in all sectors and should have the international credibility to confront and even identify attackers when nation state attacks occur.
“That is the only way that governments will come to recognise that this is not a programme that will continue to pay off,” said Smith.
Do more together
A third important area is the need to do more together, he said. “As a global technology sector, we need to come together as the International Committee of the Red Cross did in 1949.
“We need to sign our own pledge in conjunction with the world’s states to pledge that we will protect customers, that we will focus on defence, that we will collaborate with each other to respond to attacks, that we will provide patches to all customers everywhere, that we will not aid in attacking customers, and that we will do our part to address the world’s needs.”
Smith said the technology industry needs to make the case that the world must retain its trust in technology.
“We need to persuade every government that it needs a national and global IT infrastructure that it can trust, and the only way it can have that is if it knows our industry is focused on protecting everyone, everywhere – and attacking or assisting in attacking no one anywhere at any time,” he said.
Smith called on the technology industry to show the world that it needs the industry to be what it can be at its best – “an industry that can serve the world, that earns everyone’s trust every day, and that even in an age of nationalism, is a neutral, digital Switzerland on which everyone can depend and rely”.