During a recent fireside chat co-hosted by Microsoft and the CyberPeace Institute at the World Economic Forum’s annual meeting in Davos, Brad Smith and Stéphane Duguin discussed the need for international action to protect civilians from cyberattacks.
This is a moment of historical significance, said Brad Smith, Microsoft President and Vice Chair. The beginning of 2022 marked the first true cyber conflict, when Russia launched cyberattacks against Ukraine days before its invasion.
There have been incidents before, but this is an unprecedented volume of attacks, backed by conventional military action. It’s comparable to the first recorded conflict at sea in 1210 BC, where war was waged on two fronts – land and sea – and, in World War I when aerial combat techniques were used alongside military ground action. Like those, the first steps end up looking small, but they grow in significance, as we are seeing now, with militaries that can combine the capacity to wage war on several places at the same time.
Ukrainian defenders have been holding their own, said Mr. Smith. He added that it is largely due to endpoint protection – solutions deployed on devices to detect and block malicious activity –allowing cybersecurity teams to identify the signature of the attack and write code to protect against it. This code can then be quickly shared with every other computer. However, he also warned that Russia’s attacks are likely to get stronger, so defenders must be ready to evolve.
Throughout this war, there have been examples of cyberattacks targeting civilians, intentionally or not, said Stéphane Duguin, CyberPeace Institute, CEO. Far from being abstract technological threats, these attacks affect real people, including their access to food, water, energy, and healthcare. Victims of these attacks are often unable to defend themselves.
The importance of evidence-gathering
Five years ago, Mr. Smith called for a Digital Geneva Convention to make governments responsible for protecting civilians from cyberattacks. Echoing this, he stated in Davos that claims that Russia has violated the existing Geneva Conventions only emphasize the need to continue pressing for legislation to support the principle of defending civilians.
In order to defend civilians and hold culprits accountable for their actions, there needs to be substantial evidence of the operations and its effects. The CyberPeace Institute has been gathering that evidence since the very beginning of Russia’s invasion, said Mr. Duguin. Ongoing investigations have revealed a range of attacks, from those intended to destroy infrastructure or disrupt operations, to attacks designed to spread disinformation, confuse the population, and undermine efforts to protect civilians.
Such attacks are not new, but the number of attacks and their use against critical infrastructure is alarming. The hybrid combination between kinetic and cyber capabilities affects the information space, access to information and are both disruptive and destabilizing.
Tackling the attribution problem
Both agreed that attribution is fundamental to dealing with cyberattacks. Knowing where an attack is coming from makes it easier to determine how to deploy your defenses. However, attribution is difficult for technical reasons as well as political ones. Even so, Mr. Smith pointed to the attribution of the WannaCry attack to North Korea, almost five years ago, as an important breakthrough for international collaboration and multi-stakeholder action.
A good first step would simply be to enforce existing laws, said Mr. Duguin. National and international laws are being violated by cyberattacks and they’re typically not enforced. Attribution is critical for remedy and redress for victims of cyberattacks. Therefore threat actors need to be identified and held to account.
A dangerous time
The invasion of Ukraine represents a grave threat. Mr. Smith said that wars are more likely to get bigger, rather than smaller, the longer they continue. That could mean, for example, Russia launching cyberattacks against a NATO country in retaliation for NATO’s support of Ukrainian forces.
Both agreed that there is much more work to be done. Mr. Smith said that a new generation of NGOs will be needed to bring in, and then maintain, the era of cyber peace. The work of the CyberPeace Institute will be crucial in creating that future.
* Ravi Agrawal (Editor-in-Chief, Foreign Policy) moderated this session.