Tech companies must have a voice in crafting the rules of cyberspace
Illustration by NICOLÁS ORTEGA
Over the past year, cybersecurity incidents have again dominated global headlines, much as they did in 2017, when the world faced the massive WannaCry and NotPetya attacks. Indeed, the current age of state-sponsored cyberattacks dates as far back as the Moonlight Maze incident in 1996, which involved the theft of vast amounts of classified information from government agencies and private sector entities.
Cyberspace has become an escalating domain of conflict among states that is badly in need of meaningful and enforceable rules of conduct. Such rules can be achieved only if stakeholder groups work cooperatively and in partnership to set norms and enforce expectations. Unlike physical spaces, the digital domain is largely created, owned and protected by the private sector, and global technology companies, as the designers, operators and first responders in this domain, must join governments in discussions of how to establish and uphold a rules-based order for peace in cyberspace.
A unique role in supporting national security
The private sector's participation as a trusted government partner is essential so that it can help inform and advise the search for solutions that mitigate cybersecurity risks. This is true irrespective of whether we are defending against criminal groups or state actors engaged in offensive operations online. However, issues of international peace and security have traditionally been the exclusive purview of governments. And, while governments will always have ultimate authority when it comes to national security, protecting cyberspace requires that we rethink the traditional approach to ensure governments benefit from the unique knowledge and capability of the technology industry.
Recent incidents including the Nobelium (SolarWinds) hack, which corrupted a software update process to infiltrate government and enterprise networks, and the Hafnium (Microsoft Exchange Server) attack, which targeted private servers, demonstrate that countries are willing to launch indiscriminate attacks that harm thousands of people to achieve narrow espionage goals. Unfortunately, sophisticated cyberattacks can, and frequently do, spread beyond their intended targets to cause collateral damage that puts human lives at risk and causes massive economic harm. And even when such attacks remain limited to their targets, the sophisticated capabilities that governments employ can be quickly repurposed by criminals to cause more harm, further eroding trust and confidence in the digital ecosystem.
A commitment to listening, learning and evolving
The scale and sophistication of cyberattacks continue to increase. More nations now have the expertise and capacity to launch cyberattacks, and private sector offensive actor companies can supply hacking tools to those countries that don’t. Consequently, cybersecurity is a priority investment area for Microsoft. This includes investing to increase the resiliency of our technologies and driving cutting-edge security innovation through our 3,500 cybersecurity defenders who are charged with protecting our customers and hardening our technology against potential attackers. Our investment also includes the development of advanced security technologies to protect our cloud services. We apply machine learning and AI tools to the 8 trillion digital signals we receive from our ecosystem daily to identify and prevent cyberattacks before they cause harm. In 2020 alone, our cloud technologies blocked more than 30 billion email threats. We also share threat intelligence and tools to help defend the digital ecosystem, as we did following the Nobelium hack this past year. Microsoft’s commitment to cybersecurity, like that of many of the leading technology companies, is a powerful asset that provides understanding and innovation that governments cannot match when they act alone.
This was demonstrated by the informal task force of public and private participants that came together to address the Hafnium (Exchange Server) attacks. Working in partnership, industry and government achieved an unmatched patching rate to protect vulnerable systems. By sharing data, the task force was able to quickly ascertain the scope of the attack.
In addition, the industry itself is taking steps to work collaboratively and responsibly toward online peace and security solutions through initiatives such as the Cybersecurity Tech Accord, a coalition of more than 150 global technology firms. As just one example, the Cybersecurity Tech Accord announced earlier this year that 100 of its signatory companies had adopted a vulnerability disclosure policy as a way to ensure known vulnerabilities are reported and remediated in a timely fashion.
The need to work outside our comfort zone
Cyberspace is different from every other domain of human activity. Therefore, finding solutions to challenges will require a different approach. At Microsoft, we believe industry must work more closely with one another, must consider the unique insights civil society and academia can bring, and must partner with governments domestically and internationally to increase our overall cyber defenses. Maintaining international peace and stability online is a global effort requiring meaningful and continuous cross-sector engagement. We stand ready, willing and committed to playing an active role.
Tom Burt is Microsoft’s Corporate Vice President for Customer Security and Trust (CST). He leads a cross-disciplinary team that works to improve customer trust in the safety and security of the digital ecosystem by advocating for global cybersecurity policy, partnering with public agencies and private enterprises to disrupt nation-state cyberattacks and support deterrence efforts, and combatting cybercrime. CST is also responsible for responding to law enforcement requests for access to data while protecting customer privacy, advocating for data access policies, and managing Microsoft’s government clearance and national security compliance. Burt first joined Microsoft in 1995 and has held a number of leadership roles in the company’s Corporate External and Legal Affairs department. He holds a bachelor’s degree in human biology from Stanford University and a law degree from the University of Washington Law School.