Advancing the European response to nation-state cyber-attacks

Technology is increasingly shaping the future of politics and society, and the realm of international security and warfare is no exception. As we harness the power of cloud computing, democratize artificial intelligence, and use myriad devices to make our lives easier, our world is becoming more and more interconnected. In parallel, however, we have also seen an increase in cybercrime and state-sponsored cyberattacks. 2017 saw some of the most concerning attacks to date, from WannaCry to NotPetya, as well as a continuation of large-scale data breaches (Equifax, Uber, etc.).

Faced with such challenges, governments and industry must come together to determine a set of rules that can enshrine the benefits of digital transformation, rather than exploit them. At Microsoft, we have been engaged in discussions around “rules of the road” for cyberspace for some time. Earlier this year, our President and Chief Legal Officer Brad Smith urged the world to take collective action and create a “Digital Geneva Convention” to protect civilians from cyberattacks in times of peace.

Throughout 2017, we have had the opportunity to discuss the evolving cyber landscape with government stakeholders, industry partners, and civil society organizations – and several themes have recurred across our conversations.

Firstly, there is significant evidence that the use of “cyber weapons” for malicious behavior is on the rise. These range from denial of service attacks and data theft, to ransomware, espionage and influence operations, as well as destructive attacks. Secondly, several stakeholders – particularly countries which have admitted to developing offensive cyber programs – are reluctant to propose new solutions on how to tackle these issues. Finally, those countries with less capabilities are beginning to question how to build a more balanced global framework even though there is no clarity on which process or forum should advance these debates; an obstacle which has been compounded since the 2016-2017 UN Government Group of Experts failed to reach consensus on a range of cybersecurity norms earlier this year.

Another ongoing challenge is the fact that most cybersecurity discussions tend to be limited to only one stakeholder-group (government only and/or industry only) which focus narrowly on one particular set of interests. However, efforts are being made to complement political-military dialogue on cyber arms control (such as the UN-GGE) with broader, multi-stakeholder discussions.

One such initiative is the Global Conferences on Cyberspace (GCCS) series of biannual conferences for governments, private sector and civil society. The most recent edition in New Delhi, India, provided an opportunity for our own Brad Smith to share Microsoft’s vision for advancing global cybersecurity norms.

The Internet Governance Forum (IGF), taking place in Geneva this week, is another opportunity for multi-stakeholder dialogue around Internet governance, security, stability, and developing the digital economy. Cybersecurity and the specific issue of offensive behavior by nation states will take a more prominent role at IGF this year. Microsoft will be participating in multiple briefings and workshops at this year’s forum, and we look forward to continuing our engagement with relevant stakeholders on-site.

Finally, collaboration on cybersecurity remains a key topic at EU level, as demonstrated during last week’s Estonian Presidency Closing Conference. Under Estonia’s leadership, the EU has made progress on its approach to international cybersecurity, ranging from the launch of a new Cybersecurity Package (which includes a revised Cybersecurity Strategy), to advancing the implementation of the EU’s Cyber Diplomatic Toolbox. This latter will form a framework for joint diplomatic responses to malicious cyber operations. However, there is still work to be done to effectively deter hostilities from third countries.

As Member States move to implement both the new Cybersecurity Strategy and the Cyber Toolbox, they should consider how to:

  • Increase capabilities for generating situational awareness of cyber incidents, particularly around incidents targeting critical infrastructures and public sector networks within their borders (the EU Network and Information Security Directive partially addresses the former, but not the latter);
  • Deepen operational collaboration and coordination by allocating resources to national competent authorities, whose capabilities currently vary considerably from country to country;
  • Develop a clear menu of response options to cyber-attacks, based on the principles of international humanitarian law. Any such countermeasures must be mindful of the potential for escalation which can impact civilian infrastructures and users. Moreover, any coordinated EU response should be based on credible technical attribution. Currently, the proposed toolbox does not specify how the EU would determine the origin of an attack, who would be responsible for this (e.g. would it be based on national attribution capabilities?), or whether this process would involve industry and civil society researchers.

At the conclusion of the Estonia’s #DigitalPresidency, European cybersecurity remains a work in progress. But it also continues to be a significant opportunity for enhanced public-private cybersecurity collaboration; the kind which not only benefits governments and the ICT industry, but – most importantly – keeps users everywhere safe.

Jan Neutze
Director of Cybersecurity Policy, Microsoft EMEA

Jan Neutze is Director of Cybersecurity Policy responsible for cybersecurity policy matters in Europe, Middle East, and Africa. Before taking on Microsoft's EMEA security portfolio, Jan worked in Microsoft's Trustworthy Computing group at Microsoft Corp. in Redmond. In this role, he led engagement with governments and industry partners at an EU-level and in Germany, and developed corporate strategies on emerging cybersecurity policies, risk management, critical infrastructure protection, cybersecurity norms, and internet governance. Jan Neutze joined Microsoft from the United Nations Headquarters, where he served for three years in the policy planning staff of the UN Secretary-General and the Department of Political Affairs, leading a range of cybersecurity and counterterrorism projects. Prior to this, Jan served as program officer for foreign policy at the German Marshall Fund of the United States and as assistant director of the Program on Transatlantic Relations at the Atlantic Council of the United States. Jan Neutze holds a law degree from the Westphalian Wilhelms-University in Munster, Germany and an M.A. in security studies from Georgetown University's School of Foreign Service.