Microsoft Hack Shows How to Lose and Win the Cyberwar

Microsoft Hack Shows How to Lose and Win the Cyberwar

Speaking at a computer security conference four years ago, Microsoft Corp.’s president, Brad Smith, warned that digital theft and sabotage had taken a darker turn. Nation-states, he said, had become increasingly aggressive and ubiquitous hackers, targeting so many facets of private and public life that “nothing seems off limits.”

Smith noted that Microsoft had institutionalized cyber warfare reconnaissance by establishing an internal Threat Intelligence Center and was making use of behavioral analysis, machine learning, forensics and data to bulletproof its products and services. To counterattack, he called for greater collaboration between the public and private sectors, sought greater corporate transparency about hacks and asked leading governments to embrace a “Digital Geneva Convention” that would set global limits around digital espionage and disruption.

Little of that came to pass beyond Microsoft’s walls. And Smith found himself sounding many of the same warnings again in congressional hearings less than two weeks ago in the wake of the massive SolarWinds hack. Then, because fate is a vengeful thing, Microsoft disclosed last week that it was at the center of a sprawling hack engineered by China that began Jan. 3 but had only been uncovered recently.

In a brutal twist, Microsoft’s disclosure, and its effort to patch up the breach of email software it sells to businesses, inspired the hackers to accelerate their attacks before they were expelled. By Monday, at least 60,000 victims had been hacked worldwide, many of them small to medium-size businesses and public enterprises such as airports, local governments, police, prisons, hospitals and Covid-19 response teams. It’s a staggering number, though it’s likely that only a small percentage of those will suffer a damaging intrusion and data loss.

Yes, Microsoft should have done better. Hackers found a vulnerability in the company’s web-facing Exchange product it had overlooked, and that allowed them to sneak on to tens of thousands of email servers. The fixes Microsoft has sent to customers aren’t disinfectants: They will keep new hackers from burgling, but predators who already made it inside could still be lurking on a network. Victims will have to strip down their systems to see if malware remains, a painstaking process that can overwhelm smaller firms.

It’s ugly. But Microsoft is an inevitable target due to its size. Unlike most of its major counterparts, it also has been willing to go public with information that might build alliances able to battle government-sponsored hackers more effectively. And it’s taken the risky – and courageous — step of repeatedly identifying countries such as Iran, North Korea, Russia and China that it believes are orchestrating assaults, even when other big companies stay mum. Inc., for example, declined to testify at the SolarWinds hearings, even though hackers used its cloud computing operation’s servers to stage digital assaults. (China has denied that it’s behind the Microsoft hack.)

Although the vast majority of nation-state hacks still rely on rudimentary phishing schemes and password spraying to penetrate networks, the SolarWinds and Microsoft attacks were unusually automated, stealthy and sophisticated – which may suggest we’ve entered an era of more potent assaults that will be hard for any company or public entity to fend off independently. Remember: The National Security Agency itself only became aware of the SolarWinds hack (which penetrated nine federal agencies and at least 100 companies globally) when a private company discovered it several months after it began.

Microsoft said that the hackers who zapped it were part of a China-sponsored consortium it labeled as “Hafnium.” Those hackers have reportedly targeted infectious disease researchers, attorneys, higher education, defense contractors, think tanks and non-governmental organizations. While Hafnium has the Chinese government’s support, it operates from servers it leases inside the U.S., according to Microsoft.

In its “2021 Threat Report,” BlackBerry Ltd., an enterprise software company, said that independent cyber criminals have become so exceptionally adept that nation-states are farming out their hacking operations to them. Subcontracting digital assaults offers countries deniability and more muscle, akin to the reasons why governments like the U.S. hire private military contractors to do some of the dirty work in war zones.

It’s not just the big guys that hackers relish. Among the targets they might consider, according to BlackBerry, are “connected vehicles.” You know, the car you drive around that might have Google Maps or Apple Maps displaying on your dashboard, receive phone calls from your mobile provider, or stream music from your Spotify account. There are 280 million on-road automobiles that are currently internet-connected, according to BlackBerry.

But it’s the large-scale assaults that have already happened that should have propelled tougher countermeasures a long time ago. Consider the Saudi Aramco hack in 2015 that savaged about 35,000 computers and threatened to derail the global oil market, or the 2017 hack of Ukraine’s digital infrastructure that unspooled into global information networks and the maritime industry.

Beating back this sort of chaos requires pointed federal leadership. The Biden administration has prioritized cybersecurity and has promised a robust response to Russia’s launch of the SolarWinds hack. Congress, guided by leaders like Senator Mark Warner, is considering legislation that would require companies to adopt many of the proactive measures Microsoft has recommended.

Analysts have repeatedly said that corporations and governments need to become more vigilant and sophisticated about network security and attack responses. While traditional defenses, such as firewalls, air gaps, encryption and network monitoring remain indispensable, analysts also say that companies and government enterprises should adopt “zero-trust” policies that require elaborate authentication of anyone using a network’s services.

That means that users themselves have to be told – and be willing – to adopt multi-factor authentication (like the separate digital keys everyone hates to use when they log in to their computers, or temporary codes sent to mobile devices). Some companies are planning to move away from passwords entirely in favor of other forms of identification, such as biometrics, in the belief that almost all hacks can be stalled if security hygiene is heightened.

In the meantime, there’s digital warfare raging and it’s not going to end anytime soon.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Timothy L. O'Brien is a senior columnist for Bloomberg Opinion.

©2021 Bloomberg L.P.