Microsoft President Brad Smith posted a blog post on Thursday in which he addressed the string of cyberattacks against the U.S. government
In it, he pointed a finger at Israeli cyber company NSO Group for being among the causes for what he described as the “cyber-assault.”
In a blog post
titled “A moment of reckoning: the need for a strong and global cybersecurity response,” Smith offers his main takeaways from the attack on several branches of the U.S. Government that have been attributed to Russian hackers.
“The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack,” he writes. “This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”
Smith notes three causes for the rise in cyber attacks: a rise in the determination and sophistication of nation-state attacks, the intersection between cyberattacks and the Covid-19 pandemic, and the growing privatization of cybersecurity attacks through a new generation of private companies. He compares the latter to “21st-century mercenaries” and singles out Israeli company NSO as an example.
“One illustrative company in this new sector is the NSO Group, based in Israel and now involved in U.S. litigation,” Smith writes, apparently addressing a lawsuit filed against the company by Facebook. “NSO created and sold to governments an app called Pegasus, which could be installed on a device simply by calling the device via WhatsApp; the device’s owner did not even have to answer, he explains.
Smith went on to say that “NSO represents the increasing confluence between sophisticated private-sector technology and nation-state attackers.” Smith also cites a study by the University of Toronto’s The Citizen Lab, which exposes the use of the Israeli company’s technology by non-democratic countries and that the offensive cyber industry has grown to become a $12 billion market.
“This represents a growing option for nation-states to either build or buy the tools needed for sophisticated cyberattacks. And if there has been one constant in the world of software over the past five decades, it is that money is always more plentiful than talent. An industry segment that aids offensive cyberattacks spell bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape,” Smith writes.
Smith dedicated the second half of his lengthy post to what he believes should be the response to the threats, noting that a more effective national and global strategy is required. He writes that an early opportunity for the Biden-Harris Administration to tackle the issue is to weigh in on an appeals court case involving NSO. He noted that NSO has argued that “it is immune from U.S. law because it is acting on behalf of a foreign government customer and hence shares that government’s legal immunity. NSO’s proposed recipe would make a bad problem even worse, which is why Microsoft is joining with other companies in opposing this interpretation.”
“As the first company in the world to lead the formulation and adoption of regulatory principles and compliance policies in the field, we join Microsoft's calls to pursue a binding global policy that will enable countries to defend themselves against cyberattacks by irresponsible state powers and private actors,” NSO said in response.