Today cybersecurity is a major concern for both governments and technology companies and spans domestic and international engagement. Microsoft has been vocal on the challenges in this space and has put forward several proposals. These include the Digital Geneva Convention, the Cybersecurity Tech Accord, the Global Internet Forum to Counter Terrorism (GIFCT) and the CyberPeace Institute. In an exclusive interview for the RIAC, Steve Crown, Vice President and Deputy General Counsel at Microsoft, spoke of these initiatives and their progress, as well as the role that public-private partnerships and the UN play in countering cyber threats.
Today cybersecurity is a major concern for both governments and technology companies and spans domestic and international engagement. Microsoft has been vocal on the challenges in this space and has put forward several proposals. These include the Digital Geneva Convention, the Cybersecurity Tech Accord, the Global Internet Forum to Counter Terrorism (GIFCT) and the CyberPeace Institute. In an exclusive interview for the RIAC, Steve Crown, Vice President and Deputy General Counsel at Microsoft, spoke of these initiatives and their progress, as well as the role that public-private partnerships and the UN play in countering cyber threats.
Which cyber threats are most dangerous for today’s digital environment?
I think it's hard to say that there's a single or even a couple most dangerous threats. The big challenge is the fundamental trust we have in the operation of the global Internet. We have actors across the globe using it in ways we neither imagined, nor want. Some are even attacking it. Examples include terrorists, hate speech, and attacks on human dignity that none of the companies ever intended to enable. Yet it becomes really hard to fight such misuses once people have learned how to abuse internet platforms.
One area where Microsoft spends a great deal of time and effort is thinking through how we can do more to protect the Internet against various types of threats. The challenge here moves beyond people who do bad things using their speech rights on the Internet. We are talking about people actually attacking the global internet infrastructure. That’s what prompted us to propose the “Digital Geneva Convention”. The reason we call it the Digital Geneva Convention is our goal to build upon the history of the Geneva Conventions that centered on protecting civilians or non-combatants. If we look at the “NotPetya” attack, we see that people with bad intentions can disrupt the entire economic and social structure of a country by attacking the Internet. What we did was say, “Look, as we wait for a full convention, if there's ever one achieved – and we think there should be – we can have a Tech Accord. In fact, less than two years ago, we teaming up with some 30 companies launched a corresponding initiative, and since that time the number of supporting companies has quadrupled. The group has partnered on efforts to advance cybersecurity awareness and capacity building, as well, contributing to a more stable online environment.
We could agree with other companies that in the case of an Internet attack, we would adopt the stance of the International Red Cross Organization, for example. That would mean it would be our responsibility to be a first responder to try and help citizens and civilians. No matter who initiates the attack, the signatories of the Tech Accord will protect civilians and citizens against the destruction of the Internet.” This is interesting as it means that even being an American company our principal responsibility, under the Accord, is to try to protect the Internet, even if an attack were conducted by the US.
We are also strong supporters of the Paris Call, which is related. So we, as Internet companies and as people who have created this technology, need to acknowledge our responsibility to help protect it.
Could you speak about Microsoft cybersecurity initiatives and how successful they are?
We currently have a number of cybersecurity initiatives that are underway. We spend about a billion dollars of Microsoft money annually on these various initiatives, as well as the technologists inside Microsoft, to follow, identify and then help remediate attacks on the Internet and Microsoft services. This is an area that remains a challenge and reflects the continuing creativity of the human mind. People are really devious in finding ways to manipulate other human beings, for example using the idea of social engineering, as it's commonly known. As it turns out, it’s really easy to fool even thoughtful people into clicking on things they shouldn’t by sending an email with a package inside that, having been clicked on, launches a code download. Very often the evildoer tries to make it look like an email from a trusted friend or colleague, so of course people are more likely to click and only later realize what they’ve done.
One of the things we've been doing is developing Office 365 Advanced Threat Protection, where we try to do more to protect what's happening in the mailbox, even if a customer has failed to identify and avoid some of the harms that might be coming their way. And we will continue to invest in education, collaboration with law enforcement and technology development to help us protect our customers.
We launched the Global Internet Forum to Counter Terrorism (GIFCT) that has been around for a while. It centers on addressing the well-known, terrorist activities like the process of recruiting or spreading propaganda about terrorism on the Internet. We put that together with Google and Facebook and others. The Forum has taken new importance recently as we've worked to reinvent that in light of the Christchurch Call. In the Christchurch Call we committed to doing still more collaborative work with other companies to keep terrorist material off the Internet. We reinvented some of our programs to be more effective in our collaboration with governments to do more to protect the Internet. I should also mention the CyberPeace Institute or the Digital Geneva Convention. These efforts underscore the idea that the global community needs to do more to understand the increasing importance of the Internet and cyber space today. Every day we discover new ways to use these tools and that’s why we need to seek new ways of collaborating.
Do Russian companies take part in Microsoft cybersecurity initiatives and projects? I didn’t find any information on any Russian companies that take part in it.
We have alliances in which Russians companies participate: for instance, Kaspersky Lab, Group-Ib, and Awara endorsed Paris call. Apart from that, there are some non-state Russian signatories to the initiative. The Paris Call is not legally binding. It does not create any legal obligations, nor is it a legal document. It is rather the endorsement of an approach that we, the global community, are going to take to ensure the respect of Internet end-user rights. And so we encourage more Russian companies to get engaged and participate in those discussions.
So Microsoft encourages Russian companies to join efforts in the field of cybersecurity?
Yes, our business has always been about partnering with others, even going way back to Windows and Office and the other products of the early 90s. Our business model has always been based on providing tools that allowed our partners to do really creative, interesting things and build their own economic success. That is the way we want to approach our global business. We are always looking for opportunities to engage with Russian companies and bring them the most innovative technologies and solutions, empowering all of our customers to achieve more
And Chinese companies too?
Yes, Chinese companies too. I have colleagues who are also close friends currently based in Beijing and they are always looking to build that additional business across the globe. Our mission is to empower every person, every organization on the planet to achieve more, as I noted during my talk today. Perhaps it sounds a little odd for a company to be talking about their mission to empower everyone on this planet – what other planet could we be talking about? But the words “every person and every organization on the planet” are important to us because we want to be very clear: Whether it's China, whether it's somewhere in the Middle East, wherever we're not prohibited by law from doing business, we want to find a way to engage and bring our technology to improve the human experience.
This summer, the UN launched the work of an open-end working group for the global discussion on the topic of International Information Security. It makes room for the possibility of holding intercession consultations and meetings with the representatives of business and other non-governmental actors. The first meeting will be held in early December. What do you think about the potential of such an initiative? Is it useful?
We absolutely support this sort of meeting, which is in line with what I mentioned earlier about this new form of multistakeholderism. We do know that in September, during an initial gathering, that not everyone who wanted to participate in this initiative was able to do so. We have great hope that during the December meeting we will be able to find ways for academics, civil society and the government to work together in this new multistakeholder model and solve global problems. We have tended to think about things in terms of territorial boundaries, yet these global Internet problems don't respect those boundaries, we need to be thinking much more globally and collaboratively.
We at Microsoft believe that cyber is leading us to a new vision of what it means to have multinational and global cooperation. It used to be governments that would get together, we had the United Nations. Then for some years we had tech companies and governments working together. We're actually calling for a much broader, long-term collaboration, uniting civil society groups, academics and other voices that were often on the sidelines, criticizing what was happening and trying to nudge people in a particular direction. Our belief is these challenges are so significant and so pervasive that we need civil society and other voices to be right there in the discussions as we develop plans. That’s what we're trying to drive now.
The international cybersecurity issue, unfortunately, is rather politicized. How does Microsoft develop its strategy within a conflicted political environment?
We do that with a combination of enthusiasm and humility. We need to be engaged everywhere, we also know that we don't know everything and we sometimes don't even know the right questions to ask about how we can be most helpful. But we do believe firmly, both as a business and as people who work and live in a technology company, that people across the globe will benefit from and actually want a peaceful, open, accessible and secure online environment where they can express themselves and take full advantage of what the globe is able to offer them.
It is an interesting challenge, knowing that there are people who are trying to attack us. We think what we ought to be doing is linking arms with anyone who will join us in doing more to protect the future. I believe, as the father of three grown children, that their world is so much richer than mine was when I was growing up. This is partially because of the Internet, despite the threats connected.
I know Russia, for example, has strategic priorities like digitizing the economy and advancing artificial intelligence. This is only going to be possible if we can trust the Internet to allow all of those benefits.
One thing that people might not know is that Microsoft has specifically called for government regulation. We said, "We want regulation.” In fact, we love good regulation. We think that if we can actually help set rules that assure development is productive, positive and minimizes risks to our rights and to the things we're trying to achieve, that's a better path for us. That's why we believe in multistakeholderism, as it can be a right way to peaceful, open, accessible, and secure online environment is in the interest of most countries.
Interviewed by Anastasia Tolstukhina, Program Coordinator and Website Editor at the Russian International Affairs Council.