Microsoft is calling for a coalition of democratic governments to toughen international cyber rules to forbid “reckless” nation-backed attacks, bolster domestic defenses and enforce accountability, following last week’s massive malware assault on federal agencies and critical infrastructure worldwide said to be the handiwork of Russian operatives.
The brazen cyber espionage directed through SolarWinds' Orion software and thousands of its customers, the severity and expanse of which caught the U.S. and other nations flat-footed, was a “moment of reckoning” that put a spotlight on the threats the nation and the democratic world face, Microsoft president Brad Smith wrote in a lengthy blog post in which he didn’t mince his words.
“This is not espionage as usual, even in the digital age,” Smith said. “Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.” In some ways, the attacks cut deeper than hits on specific targets, he said, in that they shook the “trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
The discovery of the hack was serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) last week issued an emergency order for federal departments to stop using SolarWinds products, supplementing a security bulletin furnished by the management tool provider itself. Since then, reports have continued to surface that the infiltration isn’t that bad in some places but worse than initially thought in others. For example, on Monday, December 21, Sen. Ron Wyden (D-OR) reportedly said an attack on the Internal Revenue Service yielded no evidence of compromise but the hack on the Treasury Department “appears to be significant.”
In the hack's immediate wake, Microsoft's president compared it to the findings of the 9/11 investigative commission that called the terrorist attacks a “shock but not a surprise.” This is much the same, Smith said: the hack lays bare the current cyber landscape, and attacks such as this make clear a line of demarcation between authoritarian regimes and democratic governments.
Three major cybersecurity developments over the last 12 months have marked a turning point in cybersecurity politics, Smith said:
- The determination and sophistication of highly skilled nation-state attackers have taken cyber espionage to another level.
- The appearance of modern-day cyber mercenaries referred to as private sector offensive actors (PSOAs), such as the clandestine Israeli NSO Group, has made clear the increasing contribution of private-sector technology to aid and abet nation-state attackers.
- Crossing the COVID-19 line. “One might have hoped that a pandemic that cut short millions of lives might at least have received a pass from the world’s cyberattacks,” Smith wrote. “But that was not the case.”
Taken together, the three developments “point to a cybersecurity landscape that is even more daunting than when the year began,” he said.
What is giving cyber attackers an advantage:
- The ability to use artificial intelligence (AI) to “weaponize” large data caches on individuals and companies to influence social discourse and derail political campaigns.
- Readily available money means more opportunities for nation-states to build or buy the tools needed to construct next-generation cyber attacks.
Seven steps to get stronger:
- A national and global strategy to protect against cyber attacks that insists public and private sectors act together for the common good.
- A “major step forward” in the sharing and analysis of threat intelligence and best practices so federal agencies can coordinate activities consistent with a succinct national cyber strategy.
- Nominate and confirm a national cybersecurity director as recommended by the Solarium Commission and provided for in the National Defense Authorization Act.
- A coalition not only of the world’s democratic governments but also technology companies to secure critical infrastructure and the surface area where attacks are spotted.
- Strong and effective endorsements of rules that put attacks on health care institutions and vaccine providers out of bounds.
- New and concerted steps to deter private sector offensives.
- Locked-down policies that hold nation-states publicly accountable for cyber attacks, backed by real-world consequences.
“The coming months will present a critical test, not only for the United States but for other leading democracies and technology companies,” Smith wrote. “The defense of democracy requires that governments and technology companies work together in new and important ways to share information, strengthen defenses and respond to attacks.”