Almost no day goes by without another report of a cyberattack against critical infrastructure. Whether the victim is a healthcare provider or a water utilities company, these attacks impact private and public sector organizations alike and can cause severe harm to individuals. Over the past year, Microsoft has partnered with representatives from civil society, academia and the Slovenian and Czech governments to find viable solutions to help address this challenge.
This week, we shared the results of our efforts by publishing two reports: one focused on protecting critical infrastructure against cyberthreats more broadly and a second focused specifically on the healthcare sector. Our reports were released to coincide with the United Nations Open-Ended Working Group (UN OEWG) on cybersecurity, which convened this week in New York to discuss existing and emerging online threats, norms for responsible state behavior in cyberspace, how international rules apply online and how to make progress on implementing them.
The UN’s work to define responsible state behavior in cyberspace is critical because while most cyberattacks on essential services come from criminal groups, we are also seeing increasing activity from states and state-sponsored actors. The war in Ukraine has made this painfully obvious. Since the start of the war, Microsoft has detected Russian network intrusion efforts on 128 organizations, not just in Ukraine but in 42 allied countries. Targets included think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers. This is happening despite the fact that all states have agreed to take appropriate measures to protect critical infrastructure online, as part of the consensus reports that were adopted at the end of the previous OEWG and Group of Governmental Experts on cybersecurity.
The findings of the two reports provide valuable insights that underscore the importance of protecting critical infrastructure against cyberattacks. They build on the legislative frameworks put forward by the European Union, which made this area a priority through the revised Network and Information Security (NIS) Directive that was agreed earlier this year. The reports go beyond legislation, however. They bring in the perspectives of technology providers that are protecting their customers from sophisticated cyber criminals on a daily basis. They also bring in the perspectives of individuals working for critical infrastructure providers – those who may see cybersecurity as a burden – and identify ways to drive understanding and create buy-in across these organizations.
Much more needs to be done to deter behavior that violates the spirit of international agreements, and to foster collaboration and exchange of learnings on how to implement these agreements at the national level in a manner that is effective, secure, and can stand the test of time. We are grateful that the governments of Slovenia and the Czech Republic have taken a leadership role in partnering with the multistakeholder community to begin developing recommendations in this space. With critical infrastructure providers relying increasingly on technology to manage operations and deliver services, Microsoft is committed to partnering with governments to advance discussions around the importance of establishing international cybersecurity norms and working with our customers to strengthen the security of their systems. This could include leveraging artificial intelligence that proactively monitors the threat landscape and detects patterns that can provide early warnings about potential threats.
Here are five key recommendations from our reports that governments and critical infrastructure providers should tackle as a priority:
1. Cybersecurity must be understood as a continuous process
Technology and its uses continue to develop at speed. We need to recognize that there will always be important systems in need of protection against malicious actors with harmful intentions and sophisticated capabilities – we will never be able to say that we have accomplished cybersecurity online. Risk management needs to be at the heart of any approach we take.
2. Focus on harmonized regulation that spans sectors and countries
Cyberattacks can have spill-over effects and cross-sectoral impact based on the use of the same underlying technology. Harmonization and alignment are key, which is why the NIS2 Directive aims to streamline risk management and incident reporting across critical infrastructure sectors. Emerging sector-specific legislation, for the financial services or energy sectors, for example, should ideally build on the NIS2 baseline requirements and agree to guarantee consistent and effective regulatory frameworks.
3. Increase information sharing and capacity building efforts
Cybersecurity responsibilities are distributed among many regional, national, and industry actors. Often these entities do not communicate outside their own sector or country. However, attackers do not respect borders, and we need increased information exchange on best practices and defensive actions. Greater collaboration between public and private actors is key to ensuring success in this regard. Similarly, there is an urgent need to address the cybersecurity skills gap. The Global Forum on Cyber Expertise as well as private sector initiatives can play a critical role in further advancing these efforts, domestically and internationally.
4. Establish a culture of cyber resilience
While governments can advance protections for the sector through legislation, there are actions that critical infrastructure providers can take to strengthen the security of their operations. “Box-ticking” cybersecurity compliance is no longer enough. Organizations must invest in continuous cybersecurity protection to thwart ever-evolving threats. This includes implementing horizontal, not hierarchical, IT security team structures within organizations to break down organizational silos and to ensure swift escalation of an issue and a timely response. Organizations should educate all employees on the role they have to play in preventing cyberattacks through good cyber hygiene.
5. Hold malicious actors accountable
Perpetrators of cyberattacks rarely face consequences for their actions. While attribution can be politically sensitive at times, more efforts are needed both nationally and internationally to sanction bad behavior. Recent discussions at the UN have made it clear that international law applies to cyberspace in its entirety. Calling out transgressions and highlighting particular legal or normative frameworks that were flouted – as the European Union’s High Representative for Foreign Affairs and Security Policy, Josep Borrell Fontelles, did last week – is critical for deterrence. Not doing so suggests to perpetrators that there are no consequences for their actions.
The unique value of the reports comes from the diversity of perspectives they reflect, identifying trends and commonalities, the linkages between technology, regulation, and international frameworks, and potential paths forward. They hold important lessons to help organizations and governments create relevant frameworks for inclusive multistakeholder engagement at a global level, and strengthen a culture of cybersecurity across industries. We look forward to discussing the findings and potential next steps as part of this process.