Europe wants to know—what do cloud companies stand for? Chapter 1: Cybersecurity
11 May
Today more than at any time in the past, organizations, governments, and private individuals live under a permanent threat of cyberattack. Both money and data can be lost in these attacks, and sometimes much more. The vast majority of cyberattacks no longer come from the stereotypical teenage hackers operating out of their parents’ basements, but from organized criminal gangs and state-sponsored threat actors. Microsoft’s cybersecurity team each year publishes the remarkably detailed Microsoft Digital Defense Report presenting its latest intelligence about these groups. The 2021 edition estimates the global cost of cybercrime in 2020 at $1 trillion, and few can doubt that this number will be even higher in 2022. The report also notes the increasing professionalization of cyber criminals, who can now take advantage of a global “dark market” for professional hacking toolkits and other sophisticated offerings such as “ransomware as a service”.
The most damaging cyberattacks in recent years have not been perpetrated by criminal gangs, who are motivated chiefly by money, but by shadowy state-sponsored groups. While there is undoubtedly some overlap in personnel between these two varieties of attackers, the state-sponsored groups are primarily interested in espionage or are pursuing broader geo-political goals.
The brutal war in Ukraine has once again turned all eyes to the activities of state-sponsored threat actors. It may be the first hybrid war in history, where kinetic actions on the ground are synchronized with attacks in cyberspace.
Microsoft first detected signs of a massive wave of Russian cyberattacks on Ukrainian government and civilian networks in early January, more than a month before the invasion. The team immediately alerted the Ukrainian government and published details about the technical characteristics of the attacks. Since that early alert the U.S. tech giant has been deeply involved in the cyber defense of Ukraine, in close cooperation with EU and U.S. authorities.
A cloud company, no matter how deep its cybersecurity expertise, is not a country or a government. It can only operate in cooperation with democratic governments and in a purely defensive role, with the aim of protecting civilians and civilian infrastructure from harm. Large-scale cloud providers such as AWS (the cloud arm of online retail giant Amazon), Google Cloud and Microsoft Azure have resources that few others can match. For example, Microsoft’s global network operates more than 100 datacenters in 35 countries (including 16 in Europe), representing many tens of billions of dollars of investment and millions of servers. Each day the AI-powered security filters of this network sift through literally trillions of signals looking for potential threats. This is what gives a global cloud provider the power to detect emerging events such as the Russian cyber onslaught against Ukraine before anyone else. Combined with the insights that come from a global view of cyberspace, hyperscale cloud providers can deploy formidable technical resources to shut down malicious software as soon as its presence is detected and to remediate its impact on user networks.
The European Union is taking the lead in reinforcing the necessary legal framework for cybersecurity. Cloud services were already captured as a key digital service under the first Directive on security of network and information systems (the NIS Directive) in 2016, which provides legal measures to boost the overall level of cybersecurity in the EU. The EU is currently updating this legal framework. The EU is also working on the Digital Operational Resilience Act (DORA), which notably focuses on strengthening the IT security of financial entities such as banks and investment firms.
The EU’s Cybersecurity Act mandated the establishment of a European cybersecurity certification framework with the aim of creating a tailored and risk-based EU certification scheme that would be recognized in all EU Member States. As a consequence, the EU cybersecurity agency (ENISA) established the European Cybersecurity Certification Scheme for Cloud Services (EUCS). The scheme is meant to strengthen the internal market conditions for cloud services in the Union by enhancing and streamlining their cybersecurity guarantees. The draft EUCS candidate scheme aims to align cloud service security with EU rules, worldwide standards, industry best practices, and existing EU Member State certifications, such as France’s SecNumCloud and Germany’s C5.
These European regulatory initiatives and the EU’s commitment to strengthen cyber resilience in the region are welcome developments. We may live in a “cloud first” world, but it is also a multi-stakeholder world. While private firms own and operate most of the infrastructure of cyberspace, governments make the laws and negotiate the treaties. In such a world, close working relationships based on mutual confidence and trust between governments and the tech industry are indispensable. This is why a commitment to deploy all of its resources in defense of the global digital ecosystem is perhaps the most basic civic duty of a responsible cloud provider.