"We're moving into a world where nation-state actors are almost becoming the greatest threat - we think - to the stability of the cyber ecosystem," says Jan Neutze, Director of Cybersecurity Policy, Europe, Middle East and Africa (EMEA), Microsoft. "That's fundamentally a shift that the world is not yet properly addressing. When you have an adversary who is not a teenage hacker in the basement, but a very well funded, well organised nation state, that really raises the stakes for everybody."
Neutze was in New Delhi earlier this week to attend the Global Conference of Cyber Space (GCCS) organised by the Ministry of Electronics and Information Technology and we spent some time catching up with him before the event. Neutze, who worked as part of the United Nations' Counter-Terrorism Task Force before joining Microsoft, touched upon a variety of topics, from the increasing trends in cyber-attacks against physical infrastructure, to how national interests are shaping the threat landscape.
"A growing number of countries around the world [have] now decided that this whole cyberspace thing, not only is it a domain of conflict, but it has a fairly low cost of entry," says Neutze. "If you're able to either develop or procure some of the cyber offensive tools, you become a player in the cyber offensive game, and ultimately this is something we're very concerned about."
At the same time, the concerns in different parts of the world are also somewhat different. In his role at Microsoft, Neutze looks at some very disparate regions - Europe, which has some of the most stringent regulations around cyber-security and privacy, and others like the Middle East and Africa, where the challenge is still around getting people connected.
"Middle East and Africa is a slightly different approach because you had this delay about people coming online, I think it'll take a little longer for technology to take hold and for people to have access to this technology so fundamentally that has had a little bit - primarily I think driven government approaches to these questions much of it was how do we have broadband access in place," says Neutze. "But it's also opened up some opportunity for some leapfrogging where some class of technologies could be implemented right away without having to go through some of these legacy challenges. So we're seeing developments like using whitespaces, TV whitespaces, for broadband connectivity in parts of Africa."
That said, from a global perspective, these regions also see more of a focus on cybercrime for financial and other reasons, adds Kaja Ciglic, Senior Cybersecurity Strategist at Microsoft.
"I think from a policy perspective particularly MEA, but also Latin America, we've seen a lot of efforts to put cybercrime legislation in place, and I think that those two regions are unique in that perspective in that's what the focus is on because they see those as the threats," Ciglic says. "What we've seen in Europe, and also Asia to a large extent, is to build on that frameworks that are in place, you know there are certain things that are not allowed in cyberspace, and seeing how you can protect the most critical issues like the government services, so we've seen a large focus on developing standards and requirements."
One area that might not have received as much importance yet though, which Europe is pushing for, is the protection of critical infrastructure, "protecting the banking infrastructure, protecting the energy sector, protecting the healthcare sector," Ciglic adds.
Interestingly, Neutze says that cyberterrorism is still less of a concern when compared to the actions of nation-states. "I think there is certainly increased concern about how terrorist groups are going to leverage cyber attacks and also cybercrime to raise funds, and also ICT broadly to coordinate, to plan, to communicate, but we haven't yet truly seen terrorist groups using cyber tools or cyber means to attack critical infrastructure," he says. "There have been some attempts, and I think it certainly is of concern both to industry and very much to governments, but thankfully we haven't necessarily seen that become the chosen method for most groups to this date."
That doesn't mean that security agencies should dismiss the threat from terrorist groups and rest easy though. "As the environment is shifting and some of these groups are getting squeezed out of certain territories, one potential threat there could be an increase in this type of activity and it is certainly something that we are very concerned about," says Neutze.
For every attack that grabs the headlines, there are many more that get thwarted in the background, Neutze reveals. "Independent from Microsoft, you have certainly the case where many of the attacks against businesses and against critical infrastructure that tend to not be broadly reported at this stage because to date there haven't been obligations for those to be reported," he says. Ciglic adds: "A lot of them are not successful."
Neutze agrees, and continues, "there are lots of attempted exploitations that get thwarted by technology. But those that do get through - they haven't been voluntarily reported, or may have not reached a certain threshold where enterprises may have even felt that was necessary. Again, I'm not talking about Microsoft."
"That is changing though, as this incident notification is becoming a core element of what the governments want to see when it comes to cybersecurity," Neutze says, adding that such laws would lead to a "different culture" where attacks beyond a certain threshold will need to be reported at least to the government or the regulator, even if they are not made 'public'.
"Lots of attempted exploitations [get] thwarted by technology," Neutze continues. "But those that do get through - they haven't been voluntarily reported, or may have not reached a certain threshold where enterprises may have even felt that was necessary. Again, I'm not talking about Microsoft, but other from what read in the media about other sectors."
A digital Geneva Convention
To address the threat being posed by nation states as bad actors in a cyber threat environment, Microsoft envisions a digital Geneva Convention that can help protect rights during digital conflicts.
"As we're seeing this rise in nation states investing in offensive cyber capabilities and as we're seeing cyberspace become militarised, we need a set of clear rules for what kind of behaviour is in bounds and what is out of bounds," says Neutze. As of now there are gaps, he says, when it comes to protecting civilians and civilian infrastructure short of "armed conflict".
"So short of war scenarios, where we to date have been seeing most of the activity, the cyber malicious activity - so you think about WannaCry, Petya, some of those things, most experts would agree that does not constitute an armed attack or armed conflict. Yet there are no clear rules for how government activity in this space should be limited," says Neutze. "We at Microsoft have taken a very clear stance on basically saying we need more clarity on how existing law applies, but there is a gap and we need more rules on how to close the gap."
He says that Microsoft wants the industry to come together and adopt a set of principles around cyber defence, but more importantly, on a principled level agree not to enable cyber offence.
"We [Microsoft] are 100 percent defence, and no offence," Neutze adds.