Malicious hacking and cyberattacks have been all over the news lately, from the dangers of Internet of Things products to the allegations of Russian intervention in the U.S. presidential election.
This danger of cyberattacks has always been present. Now, though, there are more computers to attack, leading to more potential destruction. Also, hacking a personal computer can be more than simply annoying and costly; the consequences are getting ever more dangerous. This was evidenced with the hack of Ukraine's power grid.
Because of the shift in the types of cyberattacks, Microsoft called for a type of Digital Geneva Convention at this year’s RSA conference in February. For those who hadn’t heard of it before, the RSA conference is, according to their site, the world’s largest provider of security events with the motto, “Where the world talks security.”
The original Geneva Convention, which took place shortly after the end of World War II, set humanitarian and other guidelines that all nations are supposed to follow to protect citizens during times of wars and conflicts.
The growth of cybercrime in new avenues (like the IoT) isn’t actually what Microsoft is most worried about. Instead, the proliferation of attacks carried out by or against both for-profit companies and governments demonstrates a shift from previous offenses.
Microsoft acknowledged on their blog that there isn’t a single step that will counter this large problem, but working toward a solution is a necessity at this point. They ask for a “Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace.”
They also compared the involvement of the Red Cross to the assistance of technology companies. Called "the Internet's first responders" by Microsoft, these companies must protect against nation-state cyberattacks as a “neutral Digital Switzerland that assists customers everywhere and retains the world’s trust.”
How big is the problem?
As many people in the IT security field know, it’s a huge problem that is only growing. ISACA anticipates that 74 percent of businesses around the world will be hacked each year. Even more, “the estimated economic loss of cybercrime is estimated to reach $3 trillion by 2020.”
Yet, Microsoft believes the real problem lies beyond the economic downfalls. Instead, the most worrisome attacks now are those performed by nation-states, citing the Sony attack by North Korea in 2014 as a turning point.
This differed from previous cyberattacks because it was simply revenge for a movie -- Seth Rogen’s “The Interview” -- that made fun of North Korean leader Kim Jong Un. The attacks have progressed, and Microsoft (perhaps in a bit of an exaggeration) stated that now “nothing seems off limits to nation-state attacks.”
Regardless of whether Microsoft’s statements can be considered excessive, it’s indisputable that there is a new battleground on the Internet that users, companies, and nation-states must pay more attention to.
One of the most difficult aspects of determining how to combat these attacks is the fact that “cyberspace in fact is produced, operated, managed and secured by the private sector.” While the government obviously has a role to play, these attacks are often done on private citizens and companies.
What is Microsoft doing?
Of course, Microsoft used this conversation to discuss what they are doing to protect consumers from these attacks, spending $1 billion annually in developing and implementing new security features throughout the technology stack.
One way to protect users is by educating them, especially about email phishing attacks, considering that “an estimated 90 percent of all hacking begins with an email phishing attack.”
However, security administrators know that average users cannot always be relied on for protecting themselves from scams or bear the sole responsibility for this. Microsoft themselves plugged their Advanced Threat Protection for Microsoft Exchange Online, which identifies and stops malware and suspicious code patterns in emails.
This feature is one of Microsoft’s many implementations meant to ward off attacks, as numerous other tech companies are doing as well. Security-related product features must work together with data analytics and machine learning in order to uncover nation-state attacks.
Microsoft explained how they have a three-part partnership across their company, working with the Microsoft Threat Intelligence center to search through over 200 cloud services and third-party feeds, creating a real-time understanding of potential threats.
Threats are forwarded to the Cyber Defense Operations Center, which is staffed around the clock and takes immediate action. Next, the Digital Crimes Unit takes legal action against these threats, including those performed by nation-states.
However, Microsoft admits that this is something that neither they nor any other tech company can do alone.
Is it up to the government or private sector?
In a short answer, both.
One action that Microsoft sees as the first step is up to the governments; they should decide on and implement international cybersecurity rules (aka a Digital Geneva Convention) in order to protect average people online.
In fact, there are already foundations for international rules in place, such as cybersecurity norms for nation-states recommended by governmental experts from 20 different nations in 2015. These were “aimed at promoting an open, secure, stable, accessible and peaceful ICT environment.”
Additionally, China and the U.S. came to an agreement that cyber-enabled theft of intellectual property would not be performed by either country’s government, something that Microsoft believes should also happen between the U.S. and Russia so all civilians are protected.
This allowed the initial 20 nations to more adamantly push for their previous recommendations. These recommendations should move from norms to actual global rules that avoid “cyberattacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property.”
Not only this, but the tech company also believes that governments should be required to aid the private sector in its attempts to detect, contain, respond to, and recover from such events. Another issue with the way governments handle these attacks is that, according to Microsoft, they stockpile, sell, or exploit vulnerabilities rather than reporting them to vendors.
So, it is clear that the future of Internet security does not lie firmly in the hands of either the private or the public sector; instead, this Digital Geneva Convention should feature an independent organization with representatives from both to determine and share which countries were involved in the nation-state attacks.
“Only then,” Microsoft adds, “will nation-states know that if they violate the rules, the world will learn about it.”