Tom Burt, corporate vice-president, customer security and trust, Microsoft, has used his legal expertise to prevent and bring to the fore nation-state-backed cyberattacks — the Russia-backed attacks on Ukraine being the latest. In an interview with Shivani Shinde, he talks about the emergence of hybrid war and the need to reimagine the threat landscape. Edited excerpts:
A legal expert heading Microsoft’s customer security division says a lot about how the cybercrime landscape has changed. How has that helped you in managing cybersecurity threats?
The shift has been occurring over at least a decade. As more of the world’s capabilities and activities move to the internet, it also means, unfortunately, that those who wish to do ill also follow. This includes cybercriminals or nation-states, which are seeking to infiltrate and steal intelligence or intellectual property. Or, from the military standpoint, as we’ve seen in Ukraine, utilising cyber weapons as part of the arsenal. The Russia-Ukraine conflict has become a hybrid war.
To that extent, our responsibility is not just to our shareholders, but due to our position in the industry, we also believe our responsibility is to help protect the digital ecosystem. That’s why my team includes a digital diplomacy team that is not engaged in cybersecurity in that sense, but works with leaders in government around the world to advocate enforceable rules of nation-state conduct in cyberspace.
What learnings from the Russia-Ukraine conflict are you now offering your clients?
We’re working hard to help Ukraine defend against the cyber-attacks. There are some important learnings. One, the security benefit of moving to the cloud. For instance, the Ukrainian government and most private-sector organisations there were operating on-premise before the war began. President Zelensky changed the law shortly after the attacks began in late February, which allowed the government to move its data and workload to the cloud.
Now most of the data has moved to the cloud, either to operate or as an effective backup in case they lose control of the on-premise environment during the course of the conflict. We saw this working for some enterprise customers in Ukraine. With the help of our artificial intelligence algorithms these firms could detect and control malware attacks during the conflict.
The other very interesting learning was that the cloud also provides physical security. Many countries and governments believe that they have greater security over their data if it’s located somewhere in their country. But it turns out that that’s short-sighted. The Ukrainians discovered that one of the very first missiles launched by Russia targeted their government data centre. It didn’t occur to us that by operating on-premise they are more vulnerable to physical attack.
The delta between security in the cloud and on-premise is already large, but it’s only going to increase over time, as we and others continue to innovate. One of the reasons we can continue to innovate is the data-set that we have. Microsoft gets 42 trillion signals a day that come into our networks from our global ecosystem.
How prepared is India to handle cyber/hybrid warfare? Are you also working with the Indian government?
We’re working with the government in any way that we can be helpful. It’s quite clear from the meetings that we’ve had already, that government officials here are very thoughtful about how to ensure the resilience of government data, and how best to protect Indian citizens in the event of conflict. Even in times of peace, we see nation-state actors attacking targets of interest all round the world. One of the things Indian government officials need to think about is how best to secure the IT sector, the IT environment and networks in India against all forms of attack. We’ve seen that future wars will include cyber and weapons working together.
When we analyse data coming into India, what’s interesting is that the volume of nation-state attacks targeting India is low relative to India’s GDP and relative to its aspirations to be a global IT leader. But that is not going to continue. We would expect to see more nation-state-driven attacks. We are seeing increasing amounts of cybercrime, especially ransomware, now beginning to emerge in India, and based on our experience, we would expect to see those attacks escalating in future as well.
The government recently unveiled a new set of rules for cyber security. CERT-In, the nodal agency that deals with cybersecurity threats, also said that a cyberattack incident has to be reported in six hours, among other rules. What’s your take on it?
Microsoft believes that mandatory reporting of security incidents is a good idea, also because the private sector too often has incentives not to report these attacks. We supported and testified in favour of legislation in the United States, mandating that the private sector report security incidents. The challenge we have with the India rule is the six-hour requirement. In the US we lobbied and were successful in having the legislation adopt a 72-hour reporting need. That difference is very important because in the early stages of any cyber-attack, the responding team is completely consumed with trying to understand what’s happening.
Recently, the government of Albania faced destructive attacks. At the early stages of that attack, there were security professionals and government officials that initially said it’s Russia. When we were asked, our threat intelligence team said we’re not so sure. But within 24 hours, we had a pretty good idea that it was not Russia, and it was actually Iran. And by 72 hours, we had a developed understanding that it was Iran. We were able to publish that information in a blog that made it very clear who the attackers were and what they were doing.
Our view is mandatory requirements. Six hours, we think, is too short and it’s potentially going to divert responders from the important work that they’re doing, and at the same time, enable attackers to engage in diversionary attacks. But Microsoft will absolutely abide by whatever requirements the government has for us, and we are doing that today.
The pandemic did bring the security discussion into the boardroom as work-from-home became a reality. Now hybrid is a reality. What is the conversation like with an enterprise dealing with diverse points of entry into the system?
The enterprise security profile has become more complex, because you have more people working from home. Our customers are much more focused on ensuring that they can conduct their work in a secure way. In today’s world, we see escalating sophistication and frequency of cybercrime attacks, and increasing numbers of nation-state espionage attacks and theft of intellectual property. We’re seeing all of these happening and continuing to increase at the same time that the security environment for an enterprise or a government has become more complex.
We continue to invest heavily in security, and at Microsoft over the last few years we’ve created a new security engineering organisation focused specifically on the security of our products, and also the security technologies we can provide our customers. And they’re rapidly innovating. We just announced at Ignite new anti-phishing technologies to help enterprises defend against one of the most common ways in which an adversary seeks to attack and get into your network. And you’ll see us continue to innovate and invest in that space.
One of the challenges in India, and globally, is access to talent in the cybersecurity category. How is Microsoft trying to bridge this?
We need more trained technology professionals in security. I don’t know the number of professional openings here in India. In the US alone we’re short of about 600,000 security professionals. It’s a global issue. I believe that India has the opportunity to help fill that need within India. Microsoft is investing a lot in skilling initiatives where we’re working. We just announced the expansion of our CyberShikshaa campaign, under which we aim to skill 45,000 and provide employment opportunities to 10,000 learners in the next three years. We are working with the Data Security Council of India, Tata Strive and ICT Academy for this.