Published by The Lawfare Institute
in Cooperation With
Just hours before the first group of Russian tanks crossed into Ukraine in February 2022, Microsoft’s Threat Intelligence Center discovered a new piece of “wiper” malware known as Foxblade “aimed at the country’s government ministries and financial institutions” and capable of wiping data from their computers.
As the New York Times reported, Microsoft quickly updated its virus detection systems to block the malicious code, and it contacted Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technology.
Neuberger facilitated Microsoft’s sharing of information about the malicious code with other countries in order to prevent it from spreading and potentially “crippling the military alliance or hitting West European banks.” This early intervention was perhaps the first public indicator of how integral the private sector would become in both cyber defense and resilience during the course of Russia’s unlawful war of aggression against Ukraine.
As Susan Landau has observed, the interaction between Microsoft and Neuberger “represents an important change in the cooperation between the U.S. government and the tech industry”—the kind of cooperation that may not have seemed possible just a decade ago in the wake of the Edward Snowden disclosures.
Only five years ago, Brad Smith, president and vice chairman of Microsoft, was openly critical of the U.S. government for its failure to privilege the disclosure of zero day vulnerabilities over their retention for use in the U.S. government’s own offensive cyber operations, putting private-sector companies and their customers at risk of harms that could flow from the failure to patch significant software vulnerabilities. Without knowledge of zero day vulnerabilities, the private sector cannot develop and deploy protective patches.
Now, some nine months into the Russia-Ukraine armed conflict, more information about the private sector’s role in cyber defense and resilience is becoming available, much of it through reports that Microsoft is publishing about its own observations and defense efforts.
The role of Russian offensive cyber operations and the defenses taken against them, which involves “Western governmental, military, and commercial actors,” will be studied for years to come. Analysis and debate over the significance and impact—or lack thereof—of these operations is already ongoing. What should not get lost in this conversation, however, is a discussion about the implications of having the private sector so inextricably intertwined in cyber defense and resilience during an armed conflict, including when private companies assume the role of a “reliable reporter” with respect to how Russia is engaging in cyber warfare (and the successful defense efforts against Russia’s offensive cyber operations they claim to be waging). The private sector brings immense resources and critical knowledge to cyber defense during times of both peace and armed conflict, but there are pitfalls that must be avoided.
An Integral Role for Big Tech in Cyber Defense During Armed Conflict
In March 2020, Gen. Paul Nakasone, the dual-hatted commander of U.S. Cyber Command and director of the National Security Agency, testified before Congress about some of the challenges the military is facing from foreign adversaries engaging in malicious offensive cyber operations outside of traditional armed conflict:
A decade ago, we trained and postured our cyber forces like any other military force: to prevail in future conflict. A central challenge today is that our adversaries compete below the threshold of armed conflict, without triggering the hostilities for which [the Defense Department] has traditionally prepared. That short-of-war competition features cyber and information operations employed by nations that by-pass America’s conventional military strengths.
To adapt to this environment, the military has adopted a “persistent engagement” strategy that involves, among other things, the ability to “maneuve[r] seamlessly between defense and offense,” to operate “globally, as close as possible to adversaries and their operations,” and to engage “continuously,” thereby “shaping the battlespace,” all with the goal of creating an “operational advantage” for the United States “while denying the same to our adversaries.”
Even as the U.S. military is taking a more active role in defending against offensive foreign cyber operations occurring outside of traditional armed conflict, however, does that imply a correspondingly active role for the private sector during warfare? When the New York Times described Microsoft’s efforts to protect systems from Foxblade, it made an analogy to how the Ford Motor Company “converted automobile production lines to make Sherman Tanks” in World War II. That the private sector supplies the military with equipment for war, even when it’s not in line with normal business operations, is not new. But since the start of the Russia-Ukraine armed conflict, the role of the private sector in assisting with Ukrainian cyber defense represents a step beyond producing and providing material and equipment to a country at war. Based on Microsoft’s own reporting and additional analysis of broader cyber defense efforts, private-sector companies have emerged as integral, necessary players in rapid defense against Russian cyber operations.
Nick Beecroft interviewed representatives from several different companies, including Microsoft, Google, Cloudflare, and BAE Systems Digital Intelligence, along with Oleksandr Polti from the State Service of Special Communications and Information Protection of Ukraine, in an effort to evaluate the international support to Ukrainian cyber defense. With the caveats that whatever success has been achieved thus far will not necessarily endure, and that none of the entities involved has a full and complete picture of Russian cyber operations being perpetrated against Ukraine, especially with respect to intelligence-gathering operations, Beecroft suggests that the private-sector role in the cyber defense of Ukraine has been instrumental:
It became quickly apparent that the ability to deliver operational effect in cyberspace rested not only with the government and military agencies but also on the close integration of commercial technologies and cybersecurity companies. While official Western agencies could draw on existing relationships with Ukrainian partners and possessed powerful tools and unique capabilities, delivering cyber defense at scale could only be achieved by private sector entities that owned, operated, and understood the most widely-used digital services. Early decisions by the leadership of some of the world’s major technology and cybersecurity companies to take proactive roles in defending Ukraine were pivotal.
Beecroft also notes that:
A further defining feature of the defensive effort has been the integration of large American technology providers, particularly Amazon, Cloudflare, Google, and Microsoft. These companies’ ability to migrate Ukrainian government data and services to distributed cloud servers; provide automated protection of massive networks, coupled with dedicated protection of high-risk users; as well as continually update threat intelligence drawn from global telemetry has added defensive depth and resilience far beyond that which Ukraine could have achieved independently.
What Beecroft suggests with respect to the direct involvement and support of the private sector in Ukraine’s network defense and resilience is bolstered by statements from Georgii Dubynskyi, deputy minister of digital transformation of Ukraine. He has indicated that Ukrainian collaboration and partnership with a number of private-sector companies has been a critical aspect of cyber defense and resilience.
Microsoft’s Perspective on Defending Ukraine: Early Lessons From the Cyber War
Microsoft—one of the tech companies integral to the Ukrainian cyber defense effort—published a report in June 2022 about the kinds of cyber operations at play in the conflict. In a presentation about the report, Smith indicated that Microsoft had been “closely involved in a way I would not have imagined—on the front lines—when I started at Microsoft many years ago.”
In conjunction with a report Microsoft issued in April 2022, the June report represents the most complete public inventory of Russian cyber operations both immediately preceding and during the course of the armed conflict. One of the reasons that Microsoft published the June report was “a feeling” inside the company that offensive cyber operations and attacks were being “vastly under reported.” Moreover, through its own analysis, Microsoft characterizes the attacks as more “sophisticated” and “widespread” than previously acknowledged.
One of the key insights that Microsoft communicates is a need for most countries to have the “ability to disburse and distribute digital operations and data assets across borders and into other countries” when defending against a military invasion. Prior to Russia’s 2022 invasion of Ukraine, data protection law in Ukraine prevented the government from storing and processing data in a public cloud. This prohibition left public-sector digital infrastructure, then stored locally on servers located inside government buildings in Ukraine, vulnerable to physical attacks from missiles or other munitions. To address this vulnerability, just days before the invasion, Ukraine amended its data protection law to allow government authorities to move data into a public cloud. Microsoft, along with other tech companies, assisted Ukraine’s Ministry of Digital Transformation and some 90 chief digital transformation officers across government with the transfer of “the central government’s most important digital operations and data.”
The movement of Ukrainian governmental operations and data into a public cloud environment proved instrumental in limiting the operational impact of both kinetic and cyber wiper attacks. This evacuation operation, according to Microsoft, “highlights a critical difference between protecting public-sector data in a time of war instead of peace.”
Another key part of the report is Microsoft’s discussion of different facets of the destructive cyberattacks that Russia has deployed against Ukraine and the overall ability of cyber defenses to defeat those attacks. Microsoft, for example, has detected targeted phishing attempts to penetrate computer networks, which it characterizes as consistent with the “determination, sophistication, and persistence long observed across the cyber activities of Russia’s intelligence community and military.”
Moreover, as previously noted, Microsoft’s Threat Intelligence Center detected Foxblade wiper software that Russia launched against 19 government and critical infrastructure entities in Ukraine. Microsoft has attributed this malware to the same Russian military intelligence group—known at Microsoft as Iridium and elsewhere as Sandworm—that was responsible for the NotPetya attack against Ukraine in 2017, which caused more than $10 billion in global damage. Since the discovery of Foxblade wiper software, the Microsoft Threat Intelligence Center has “detected multiple attempts to use eight distinct malware programs—some wipers and some other forms of destructive malware—against 48 different Ukrainian agencies and enterprises.” But unlike the 2017 NotPetya attack, which readily crossed international borders due to the “wormable” nature of the malware, the destructive malware observed to date has been designed to stay within Ukraine.
As a coalition of countries has come together in support of Ukraine, Microsoft has, however, detected Russian network intrusions constituting cyber espionage in 128 different organizations in 48 countries around the world. Moreover, Microsoft believes that Russian cyber actors have achieved successful intrusions 29 percent of the time, with a quarter of the “successful intrusions” involving “exfiltration of an organization’s data.”
While there has been some surprise that Russian cyberattacks have not been more destructive both within and outside of Ukraine, especially given the type of damage caused by NotPetya, Microsoft attributes the more limited damage, at least in part, to a range of factors and innovations. For example, since the NotPetya attack, cyber threat intelligence has improved. Microsoft now has greater visibility into the threat environment based on some “24 trillion signals” it receives on a daily basis from “devices and cloud services across a global ecosystem.” Moreover, advances in artificial intelligence (AI)-based detection capabilities deployed across cloud networks are strengthening cybersecurity efforts: Malware can be blocked at “first sight” without human intervention. Another set of innovations deployed by Microsoft has made it possible to distribute protective software signature code through the internet and back to devices to “identify and disable destructive malware.” On a number of occasions, Microsoft has “been able to develop new signatures in just a few hours and distribute them back to devices across Ukraine and more globally.”
Additional “wartime measures and innovations” have come from the use of technology Microsoft acquired from RiskIQ that “identifies and maps organizational attack surfaces,” such as devices that remain “unpatched against known vulnerabilities,” making them particularly “susceptible to attack.” Microsoft has also worked with the Ukrainian government, which enacted special legal measures, to allow Microsoft to turn off a feature in a Microsoft security application proactively and remotely, thereby mitigating the spread of malware. Prior to this new arrangement, Ukrainian information technology administrators would have needed direct access to the relevant devices to accomplish this task, which could be difficult and possibly dangerous during an ongoing war.
Some Thoughts About the Integral Role the Private Sector Is Playing in Cyber Defense During an Armed Conflict
In many respects, no one should be surprised that the private sector is integral to cyber defense and resilience during an armed conflict. The private sector owns and operates much of cyberspace—and that doesn’t change when a country becomes embroiled in an armed conflict. As the Microsoft June report revealed, defending networks and digital services during armed conflict has proved to be an intense endeavor—one in which rapid innovation is essential—hence it is a process that inevitably flows from ownership and operation of significant data and communications infrastructure and services. This, according to Microsoft, makes the current armed conflict different from past wars. Moreover, Microsoft believes that modern warfare “imposes a heightened responsibility on tech companies to use the best technology available,” in addition to taking “extraordinary measures to help defend a country from attack.” Going forward, Microsoft attributes “a high responsibility” to the tech sector “to keep investing in ongoing innovation to ensure that defensive protection not only keeps pace with but exceeds innovations in the offensive cyber-attack tactics and capabilities.”
What Microsoft is acknowledging, both for itself and for other big tech companies, is that the integral role of Big Tech in cyber defense is an inescapable reality that imposes affirmative obligations to continue to innovate in the cyber defense area. That said, Smith is also careful to note that Microsoft is “a company and not a government or a country.” Smith realizes that successful cyber defense will happen only in “constant and close coordination” with governments and international institutions—Ukraine, the United States, European nations, NATO, the United Nations, and so on.
As Landau observes, such cooperation, illustrated by the information sharing surrounding the Foxblade wiper malware, is part of a broader strategy the Biden administration is pursuing, and one that National Cyber Director Chris Inglis, in particular, believes is critical to strong cybersecurity and cyber defense. During a fireside chat at Blackhat Asia in May 2022, Inglis discussed the important kind of knowledge to be gained by close cooperation between public and private sectors:
We often overestimate what a government would know, underestimate what the private sector knows, and ignore at our peril what we could know together. ... We’re looking for a degree of professional intimacy such that we can discover things together that no one of us could discover alone.
Inglis expands on this vision in a co-authored article in Foreign Affairs:
Building resilience to potentially catastrophic cyber-incidents will require an unprecedented level of planning, information sharing, and operational intimacy across once-isolated fields. Existing efforts to place government and industry experts side-by-side—including in sector-specific Information Sharing and Analysis Centers—are a good way to start. The U.S. government has quickly realized that these partnerships can identify and address threats far more effectively than a single organization operating alone.
To make this kind of partnership sustainable for the long haul, however, there are pitfalls that must be avoided. As Landau notes, companies should not be put in the position of “undermin[ing] their primary effort of protecting their customers”—that is, the government should not seek to “co-op[t] private customer data for other purposes.” In addition, the government must not be seen either as failing to share critical cyber threat intelligence across relevant government agencies, leaving that burden to the private sector, or as working against private-sector cyber defense efforts. Just over a year ago, Smith raised concerns about “too tightly controlled silos of information” pertaining to cyberattacks across various government agencies. Apparently, on more than one occasion, Microsoft has been asked by federal employees about relevant information in other parts of the government because it was easier to get the information from Microsoft than from other federal agencies. According to Smith, “[i]t’s impossible to avoid the grave conclusion that the sharing of cybersecurity threat intelligence today is even more challenged than it was for terrorist threats before 9/11.”
As previously referenced, Smith has long had concerns that the U.S. government too frequently privileges the retention of zero day vulnerabilities for offensive cyber operations of its own, rather than disclosing them and allowing the private sector to patch the vulnerabilities. At least from Microsoft’s perspective, it seems that too many decisions to retain rather than disclose these vulnerabilities would undermine the kind of trust necessary to sustain the type of public-private partnership that Inglis believes is critical to cyber defense efforts.
There is another notable aspect to Microsoft’s integral role in Ukraine’s cyber defense. Microsoft has become a key reporter, if not the primary one, on the kinds and frequency of offensive cyber operations employed by Russia, as detailed in the April and June reports. While Microsoft does not claim to have vision into all of Russia’s offensive cyber operations, it has enough vision and analytical capabilities to assert its belief that, prior to its own effort to report them, offensive cyber operations and attacks were being vastly underreported.
But the style of the language used in the June report and some conclusions drawn in it by Microsoft have raised concerns with experts who study cyber conflict. Suzanne Smalley, a reporter at Cyberscoop, interviewed a dozen experts, all of whom criticized Microsoft for publishing a report that “didn’t contain either the technical underpinning or evidence to back up its points [and] ... didn’t meet basic standards of academic research.”
Thomas Rid was quoted in the Cyberscoop article as saying, “[I]f you publish this kind of information, you have to do it in a way that is sober, in a way that is fact driven, and in a way that uses professional estimated language.” Rid, along with other experts, was particularly critical of the report’s assertion that Russia combined a cyber operation with a physical assault on a nuclear power plant in Ukraine. The report says that “the Russian military combined cyber and conventional weapons in assaulting a nuclear power plant in early March,” indicating that on March 2, the Microsoft Threat Intelligence Center “identified a Russian group moving laterally on the nuclear power company’s computer network.” The report notes that, the next day, Russia’s military “attacked and occupied the plant.” According to Rid, “while Microsoft initially implied the Russians used cyber to collect intelligence from the nuclear power plant, in the following sentence the report appears to hedge, saying the highly regarded Microsoft Threat Intelligence Center (MSTIC) identified a Russian group moving laterally on the nuclear power company’s computer network.” Rid notes that the report’s statement “is full of assumptions,” that the change in focus from the plant to the company is “misleading,” and that “[t]he first sentence is not backed up by the second.”
No one, as the article explains, disputes the fact that Microsoft, as one of the largest, most significant global technology companies working directly with key governments, has “unique insights” into the cyberattacks being perpetrated against Ukraine. But more attention must be paid when asserting that Russia is coordinating cyber and physical attacks. Moreover, to trust the validity of Microsoft’s claims, researchers want, for example, to see data to support the report’s assertions that phishing, data theft, and wiper attacks can be attributed to different Russian intelligence agencies. Given its unique access and willingness to share what it sees, Microsoft has become one of the best sources of knowledge for understanding how Russia is using offensive cyber operations to prosecute its war on Ukraine. Insofar as Microsoft has willingly assumed this “reliable reporter” role—one that it may not have initially intended or wanted to play—it needs to impart knowledge through sober and precise language.