Microsoft says tougher punishments needed for state-sponsored cybercriminals

Although it also reaffirmed commitment to secure-by-design initiatives

The Register

Microsoft is calling for more robust deterrents to be placed on nation-states as criminals continue to run rife across online systems "without any meaningful consequences."

However, like those consequences, Microsoft's recommendations contained in its annual cybersecurity report - published today - lack specificity, and thus aren't exactly meaningful either.

The Microsoft Digital Defense Report 2024 includes various suggestions for improvements, all of which place the onus on governments. One subtitled "enhanced countermeasures" mentions "targeted sanctions among other options."

Economic sanctions are a lever allied nations love to pull when it comes to imposing costs on malign states, yet Microsoft seemed unwilling or unable to offer any substantial ideas for building on these.

The Reg asked Microsoft for more input, but it didn't reply in time for publication.

The report calls for allied nations to come together to jointly impose such countermeasures on nation-state cyberattackers, but again doesn't go into anything specific on what these countermeasures should be.

Microsoft is asking for a review of the UN Charter, which currently prohibits retaliatory actions of force in response to critical infrastructure attacks, for example. The Windows maker reckons these cyber assaults deserve "more significant consequences in response."

"A more robust deterrent framework will help to promote stability, protect critical infrastructure, and avoid some of the most harmful cyberattacks," the report reads. "To support this, governments should deepen partnerships across stakeholder groups to identify the essential critical infrastructure.

"Given the growing significance of this technology, this should also include essential AI infrastructure and the intellectual property behind the development of new AI models that might otherwise be attractive targets for rival governments."

From a diplomacy perspective, the company also suggests governments develop stricter norms that recognize additional IT services as critical infrastructure, punishing attacks on them in kind. And it is calling for greater public-private collaboration and stronger public attribution of attacks that include, among other things, specific rule violations.

"With more than 600 million attacks per day targeting Microsoft customers alone, there must be countervailing pressure to reduce the overall number of attacks online," it states in the report. "Deterring this malign activity will require a robust combination of technological and geopolitical solutions.

"This deterrence can be achieved in two ways – by denial of intrusions or imposing consequences. While companies like Microsoft can help 'deny' successful cyberattacks via innovation and further improvements in cybersecurity, enforcing international rules with deterrent consequences must fall on governments."

No, you

The company's position somewhat contravenes that of national cybersecurity agencies, which for some time now have been open proponents of incentivizing better defenses throughout the security industry, rather than further disincentivizing enemies from carrying out attacks.

Essentially, governments think vendors are the problem and vice versa.

To its credit, Microsoft's report states that "cybersecurity is everyone's responsibility," bringing organizational leaders into the fray too – not just governments. It says various measures must be taken such as moving toward passwordless authentication, increasing detection capabilities, proper privilege assignments, and so on.

The report also reaffirms Microsoft's commitment to its Secure Future Initiative (SFI) announced in November last year. This includes a company-wide adoption of secure-by-design, secure-by-default, and secure operation principles.

The US's Cybersecurity and Infrastructure Security Agency (CISA) launched its secure-by-design pledge earlier this year, imploring vendors including Microsoft to build their products to be secure from the outset. Presently, defenders are having to rely on bumper Patch Tuesdays to fix myriad issues all in a single, inconvenient, monthly effort.

CISA director Jen Easterly recently went so far as to say vendors that ship insecure products are directly enabling cybercriminals.

"The truth is, technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," she said at Mandiant's mWise conference last month.

Similarly, Ollie Whitehouse, CTO at the UK's National Cyber Security Centre (NCSC), spoke earlier this year about how the cybersecurity market is "broken" and the need to offer incentives to boardrooms and vendors to better stave off the growing threat of damaging attacks.

As Microsoft notes in the Digital Defense Report 2024, existing deterrents include adding people and entities to sanctions lists and publicly attributing attacks to specific nation-states. Yet the effects of both are questionable.

Various ransomware groups and their members are sanctioned by allied nations but continue to operate seemingly with few material restrictions, although authorities say these measures do actually hamper operations, as with Evil Corp in 2019. Outside of cybersecurity, the US insists that widespread economic sanctions have hammered Russia's economy since its invasion of Ukraine in 2022.

And when Western countries point the finger at specific nation-states for attacks, the accused states often deny it, as China recently did with the Volt Typhoon furor.

Regarding ransomware gangs continuing to run riot, Microsoft said law enforcement should carry on making key arrests to stifle criminality in the real world as well as online.

The report mentions Microsoft's intelligence sharing with authorities that led to the arrest of Octo Tempest aka Scattered Spider/0ktapus members, for example, and the disruption of various ransomware groups.

Of course, it's easy to say "just make more arrests" but navigating extradition restrictions and permissive foreign governments, which continue to be the main blockade against bringing the most prolific criminals to justice, is far from easy.

And that approach to cybercriminality, one notoriously taken by Russia regarding the various ransomware gangs residing within its borders, is increasingly transforming from permissive in nature to collaborative.

The UK's National Crime Agency (NCA) said earlier this month that it found evidence of Russia exploiting its relationship with cybercriminals from the likes of Evil Corp to carry out tasks that contribute to the state's intelligence operations.

In the report, Microsoft echoes this point, saying state-sponsored offensive cyber practitioners are increasingly using criminal tools, and criminals themselves, to advance their interests.

"Microsoft observed nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community," the report reads.

Russia, Iran, and North Korea are the main guilty parties here, with the latter raking in $3 billion from financially driven cyber operations since 2017, per Microsoft's estimates. ®