Securing a Digital BattlefieldJune 28, 2017
“The internet's like global warming. You can't solve it one country at a time, we're all connected.” Scott Charney, security expert at Microsoft
In this episode, we examine a new battlefield: The cloud. The information we store in the cloud makes it especially vulnerable to attack. So, what it takes to create a safeguard against bad actors? We explore how a digital Geneva Convention could be the solution.
You can wait for the future to happen to you or engage with it right now and ahead of the curve on .future– a branded podcast from Microsoft, produced in partnership with Gimlet Creative.
This Episode features:
Steven Petrow — a journalist who writes about digital life
Scott Charney — a security expert at Microsoft
Cyrus Farivar — an editor at Ars Technica
Brad Smith — Microsoft’s president and chief legal officer
Heidi Tworek — a professor who writes about the history of media and technology
CRISTINA QUINN: It was 11:30 p.m. on a crowded flight from Vancouver to Raleigh, North Carolina. Steven Petrow is tired, he’d been at a conference all week, and he spent most of the flight working.
STEVEN PETROW: So as we approached Raleigh, I closed down my laptop I read a little bit from a book, I had a couple glasses of wine and then we landed, it was just about midnight. I got up, I got my bag down from the overhead bin, and I was turning to start to go out and this fellow came up to me from behind and said aren’t you a journalist.
CRISTINA QUINN: The answer is yes. Steven is a journalist who writes about digital life.
STEVEN PETROW: And I looked at him, and I thought I don’t know you, I don’t know why you’re asking me that question. I decided I was going to be a little bit rude and not engage with him, and I was tired. But then he said, “I know you were writing about Apple and the FBI.” And then I was like, “how could he know that. There’s no way he could know that.” He said “you better wait for me by the gate.”
CRISTINA QUINN: Steven was totally shaken. He’s JUST spent his flight working on a story about the FBI pressuring Apple to help it break into an alleged mass shooter’s phone — this was big news about a year ago. And now this suspicious man wants to talk to him. Steven felt like he had no choice but to meet him after the flight…
STEVEN PETROW: I walked out and he came right up to me and then joyously, he tells me that he hacked into the Airlines system, and had been sort of reading around people’s emails and computers to see what was interesting what he could find. And mine was the most interesting to him. Not only had he repeated back to me verbatim some of the emails i had sent and received, he raised other possibilities for me. That perhaps, what it if I had been corresponding with my doctor about sensitive medical matters or transmitting important financial documents. And by this point he kind of went on for a couple of minutes, everyone else from the flight was gone and we were standing at the end of this terminal.
I’m here alone with this guy who knew my name, he knew where I lived. The sense of vulnerability and violation, and fear was high.
CRISTINA QUINN: It turns out, the guy who had broken into Steven’s email was a hacker. His intent wasn’t malicious — he was mostly trying to teach Steven a lesson about living and working in the Cloud.
A lesson many of us know in theory, but on a day to day basis is easy to forget: We’re all vulnerable, all the time — even a journalist who writes about tech.
Steven hasn’t had any contact with the hacker since then, but that sense of vulnerability, and that lesson he learned about the Cloud — has stuck with him.
If it can happen here — it can happen ANYWHERE, any time.
CRISTINA QUINN: I’m Cristina Quinn and this is dot-future, a branded podcast from Microsoft and Gimlet Creative, about making the future happen.
Because the future doesn’t just HAPPEN. It’s the result of a series of choices that we’re making right now.
You can wait for the future to come to you … or you can engage with it– and get ahead of the curve.
Welcome to dot-future.
CRISTINA QUINN: It’s easy to feel vulnerable to hacking, when everything is connected. Your home thermostat, your baby monitor, your car, or if you’re Vice President Dick Cheney…your pacemaker.
SCOTT CHARNEY: When Dick Cheney was vice president they disconnected the wireless from his pacemaker…so an adversary couldn’t jump start his heart at an inappropriate moment.
CRISTINA QUINN: This is Scott Charney, a security expert at Microsoft. We’ll hear from him in a bit but the point he’s making here is that if it’s connected, it can be hacked.
But this isn’t just a problem for regular people … it’s a problem on the world stage.
This happens a lot these days. We saw it in May, with the “Wanna Cry attack.” And as we were putting the finishing touches on this episode — another MASSIVE ransomware attack hit infrastructure in something like 150 countries. Companies from the Danish shipping giant Maersk to the Russian oil conglomerate Rosneft were affected, and the Ukrainian government was hit HARD. Everything from banks, to the safety systems at Chernobyl, were targeted.
It drives the point home: It’s more important than ever that the Cloud stays safe and secure for all. And that’s what we’re going to talk about today: New ways of waging war require new ways of waging peace for everyone.
CYRUS FARIVAR: When you hear about, like, the cloud, and you’re like well what does the cloud mean? It just means the internet.
CRISTINA QUINN: This is Cyrus Farivar. He writes for the tech website Ars Technica, and he’s mostly right about the cloud.
If you’re listening to this podcast on your phone — it’s coming to you over the cloud. If you stream movies, they’re coming from the cloud. If you upload your snapshots to a photo service, that’s the cloud.
All of that data lives in privately owned data storage centers around the world. All the big tech companies have them, Google, Amazon, Microsoft has one called Azure.
The cloud has a lot of advantages. You can scale your storage so you don’t have to keep buying new hard drives. Someone with a lot more expertise than you is busy keeping your data safe.
And you access stuff remotely, and collaborate with people who aren’t in the room.
Problem is, other people can also access your stuff remotely. That’s a lesson Steven Petrow learned at beginning of the show.
And it’s a lesson that the entire nation of Estonia learned a decade ago.
CYRUS FARIVAR: Estonia is a tiny little country at the northeastern corner of Europe. The entire population of Estonia is 1.3 million people. So to put that in perspective that is the combination of the population of the cities of San Francisco, Berkeley and Oakland, where I live.
CRISTINA QUINN: In the mid 2000s Cyrus traveled to Estonia to research a part of the book he was working on called The Internet of Everywhere
CYRUS FARIVAR: And I was surprised that this country that is kind of obscure had somehow decided to declare internet access a human right, in the early 2000s when wifi was still very much getting going in the US, Estonia was adopting it all over the place.
CRISTINA QUINN: It was surprising to Cyrus — this tiny country had wifi in gas stations and supermarkets! Their citizens can VOTE online! And they can do their taxes online, in about 10 minutes. The Estonian government actually has a name for it — they call themselves E-Estonia.
So, what’s going on over there? It turns out, it’s all deliberate.
Estonia is a very young nation. Over the centuries, they’ve been occupied by a TON of other countries, ending with the fall of the Soviet Union in 1991.
So now, to Estonia, being connected isn’t just about convenience — it’s a kind of insurance policy for protecting the identity of their young country.
CYRUS FARIVAR: If the territory of Estonia were to be taken away, the government of Estonia, the state of Estonia, the republic of Estonia, would live on in its data, which would reside somewhere else.
CRISTINA QUINN: That “somewhere else” is the cloud. Estonia hasn’t always had its government backed up to the cloud. Early on when they were still converting from Estonia to E-Estonia, the cloud didn’t really exist
And that made Estonia vulnerable to an attack — an attack that all started with a statue.
The statue in question is “the Bronze Soldier of Tallinn.” It’s a Soviet soldier located in a central square in Estonia’s capital, Tallinn.
The statue is about 6 feet tall. He holds his helmet and wears a cape. He’s looking solemnly down toward the ground. And at his feet, lay the remains of a dozen Soviet soldiers.
CYRUS FARIVAR: The monument is meant to memorialize the Soviet Union soldiers who died after they defeated the Nazis in the Baltics. To many ethnic Russians that still live in Estonia today this is a statue it’s a monument that symbolizes their bravery and their heroism
CRISTINA QUINN: But to most ethnic Estonians, the statue was symbol of oppression. The Soviet Union had been an occupier, and the statue was a relic of that. And then, in late April of 2007, Estonia took the statue down.
CYRUS FARIVAR: So at about 4:30 in the morning some workers encircled the statue. They put up a huge fence and there were a lot of people who started getting really upset by this, and who started, shouting at the workers, things like “shame on Estonia.”
And there was this large protest that devolved into something of a riot. There were people that were smashing storefront windows — it got pretty hectic. By the end of the night one person had been killed, there were dozens injured, hundreds of people got arrested
CRISTINA QUINN: And then almost as quickly as it had bubbled up, the violence on the street calmed down. But THEN something kind of WEIRD started happening — online.
First, Pro-Russian comments started showing up on Estonian government websites.
CYRUS FARIVAR: You know, a the beginning people thought of th is, you know in the government, they thought of this as a prank. You know it’s kind of annoying, but it’s not really harmful in any real meaningful way
CRISTINA QUINN: But within a week, it was clear: The attack was turning harmful in a very meaningful way.
CYRUS FARIVAR: And so May 1st was the day when major cyber attacks began affecting various Estonian websites. There were thousands spam emails to the mail server of the Estonian Parliament, which knocked it out pretty fast. Media websites were attacked in similar ways. Most of the bank websites weren’t accessible.
CRISTINA QUINN: It was a “denial of service” attack. Someone was sending so much nonsense traffic to the servers that hosted Estonia’s government services, that they couldn’t keep up.
Banks, newspapers, government websites — were all knocked offline — even the national emergency number couldn’t withstand the attack.
And then, after a few days, it just stopped.
CRISTINA QUINN: It would be two years before anyone claimed responsibility for the attack … a Russia-based youth organization, called Nashi, said they did it.
The Kremlin denied involvement, but the entire incident was a wake-up call for Estonia. To help secure themselves against future attacks, Estonia moved their government data to Microsoft’s Azure cloud. And just as they had with connectivity, they invested big in cyber defense expertise. In the decade since this hack, Estonia’s gotten really good at cyber defense.
Because, according to Cyrus Farivar:
CYRUS FARIVAR: We now live in a world nation states can have a real effect on people’s lives somewhere else
CRISTINA QUINN: Estonia was one of the first nations to be attacked this way – but what happened to them seems almost quaint in comparison to what we face regularly today….
SCOTT CHARNEY: I mean the worst case scenario we worry about is that critical infrastructures are attacked and they’re disabled.
CRISTINA QUINN: This is Scott Charney again. He’s part of a team that heads up security policy for Microsoft. He says man made disasters, like a hack, are like natural disasters, but have the potential to be even worse.
SCOTT CHARNEY: With the hurricane of course you usually know it’s coming and then it hits but then it passes and everyone does restoration in a cyber attack it may never stop. You know it may hit, and things may go down, and as you’re trying to bring it back up, the adversary is trying to bring it back down. It’s a storm that never ends.
And if you think of a world without telecommunications, air transportation, it’s a pretty bleak world.
CRISTINA QUINN: A cyber war is a man made disaster. The question is: how do you come up with rules to govern it? How do you get all of the stakeholders to agree to what’s off limits, ahead of time?
Well, there’s kind of a precedent for this. Here’s Brad Smith, Microsoft’s president and chief legal officer, speaking at a global security conference earlier this year.
BRAD SMITH: We need governments to take a page out of the 1949 Geneva Convention. What we need now is a digital Geneva Convention.
CRISTINA QUINN: A digital Geneva Convention. To understand what that is — and how it would help, let’s go back to the analog Geneva Convention.
ARCHIVAL TAPE: The time is 1949. The place: The Palace of Nations, Geneva, Switzerland. Here, 59 nations have met to create and set up an improved set of rules to provide a greater measure of protection for POWs etc. rules that have since been adopted by almost all the nations of the world…
CRISTINA QUINN: What we call The Geneva Convention, came out of a series of conferences. You know, like a convention. But when use that term now, we’re talking about a document that was ratified in 1949, at the end of World War Two — when the world’s leaders got together to talk about what the rules of war should be. But the idea of defining the rules of war goes back much further, according to Professor Heidi Tworek, who writes about the history of media and technology.
HEIDI TWOREK: The first Geneva Convention was passed in 1864 and it governed how countries should treat wounded and sick soldiers in armed combat on land battle fields. Over the course of the late 19th and early 20th century the Geneva Convention gets updated three times.
CRISTINA QUINN: Each of those updates was meant to address how non-combatants were treated during warfare. The rules changed as technology did. Like when countries starting using aircraft to attack each other. That warranted new rules, to govern how to limit injury to civilians in a bombing.
In its current incarnation the Geneva Convention protects:
- The wounded and sick military personnel on the battlefield and at sea
- Prisoners of war
- And civilians during war times.
SCOTT CHARNEY: When you think about the Geneva Convention that followed the Blitz on London and the firebombing of Dresden, the world got together and said, “if we’re going to kill each other let’s do it in a civilized way.”
CRISTINA QUINN:This is Scott Charney again…
SCOTT CHARNEY: You know if you look at the history of the planet there’s a lot of war and soldiers often kill soldiers. People try to avoid it. But when it does erupt let’s try and protect civilian populations.
CRISTINA QUINN: In the olden days you could protect civilians by not waging war in the places where they lived and worked. But now, where we live and work is the cloud.
And just like the skies became a new place where fighting and spying could happen, cyberspace is a new battle ground. Wars will happen there.
But to protect civilians, we need new rules, we need a new digital Geneva Convention – and there’s a group of companies – including Microsoft – working to protect Internet users.
Here are some of the parameters they’re working with right now:
Recognizing that the “battlefield” –– isn’t a discrete place on the internet. You can’t just keep civilians off of it.
Cyberspace is the playground, the school, the marketplace, the town hall and the economy … and nations need to bear this in mind, when they exchange volleys on the internet.
Here’s Scott Charney:
SCOTT CHARNEY: The battlefield is designed, deployed and maintained by the private sector, and the private sector is often the first responder when there’s an attack. And so we are the battlefield. And that’s fundamentally different than the way it used to work.
CRISTINA QUINN: Number two! A Digital Geneva Convention must be a partnership between the nations that wage war, and the private sector.
Because the private sector is made up of the companies that actually manage and protect the infrastructure where cyber war occurs.
Both governments and private companies have a role to play, by pointing out security flaws to one another, when they find them, so they can fix them – rather than leaving them vulnerable to being exploited.
SCOTT CHARNEY: Microsoft has been involved in this debate for several years, and we are urging more companies to join because we really think it is critical to promoting trust in information technology.
CRISTINA QUINN: And finally, the third parameter they’re working to establish … a digital Geneva Convention that can flex and change as easily as technology evolves. To that end, Microsoft is calling for the creation of a group or forum to help identify the perpetrators of cyber attacks, as the tactics change and get more sophisticated.
Here’s Microsoft President Brad Smith again speaking at that global security conference:
BRAD SMITH: We need an agency that brings together the best and the brightest in the private sector, the best and the brightest in academia and the public sector. We need an agency that has the international credibility not only to observe what’s happening, but to identify the attackers when nation-state attacks happen.
CRISTINA QUINN: The idea behind the forum is similar to the International Atomic Energy Agency. That’s an independent organization that helps investigate whether or not a country has violated international rules, rather than relying on states to police themselves.
A neutral third party could help navigate the stumbling blocks that this new battlefield presents. Like figuring out where a cyber attack really originated, here’s Cyrus Farivar again.
CYRUS FARIVAR: If you’re talking about you know missiles being launched from one place to another you know we have satellites and we have lots of other ways of saying OK yeah this was launched from this base, in this country. It’s very easy to understand that when it comes to you know who attacked who online or who did what, it’s a little bit trickier.
CRISTINA QUINN: For example, going back to our Estonia case study. If one country had bombed another country, that would have been pretty clearly an act of war. But instead, the denial of service stunt — was it a hack? Or an attack? The answer has real world ramifications.
CYRUS FARIVAR: In article 5 in the NATO charter an attack against one is an attack against all. Estonia is a member of NATO, United States is a member of NATO, there are lots of other NATO countries in Europe. And so what does that mean, if Estonia is attacked online? Does that mean the other countries should gang up on Russia and attack Russian websites?
CRISTINA QUINN: When it comes to cyber warfare, nations have a choice about HOW they respond. But ignoring the issue isn’t really an option anymore.
For better or worse, we’re all in this together….according to Scott Charney.
SCOTT CHARNEY: You think about the Internet, you can think about global warming, which you just can’t solve one country at a time, because we’re all connected. We all share the same planet in the same environment, we all share the same Internet and we’re all dependent in large part on the same set of technologies.
CRISTINA QUINN: One set of rules — in a digital Geneva Convention — is a place to start. It’s a way of getting countries and private companies around the table to begin these conversations. We’ve never done that before. Now’s the time to try.
But: In case you’re sitting there thinking “man, this seems like it’s totally out of my hands,”….our historian and media expert from earlier, Heidi Tworek, has some news for you.
HEIDI TWOREK: You see a lot of people who say ah there’s nothing we can do we just have to take it, and to me really seems like a fallacious way of going about things. Can we prevent massive cyber attacks? I really hope so. But let’s not just pretend that there’s nothing we can do about it.
CRISTINA QUINN: Like for starters, follow the instructions!
HEIDI TWOREK: Everybody has done that, where it pops up on your screen and it says “update” and you always want to click on the button not now because you know how annoying it’s going to be. But if you’re a hospital you can’t click on the “not now” button.
CRISTINA QUINN: This is one of the things that went wrong with this spring’s “Wanna Cry” ransomware attack. Computers at the National Health Service in England were locked by the attack — and held hostage, for ransom. The computers were vulnerable because they hadn’t been updated in ages.
But even if you’re not a hospital, do the upgrade!
HEIDI TWOREK: They’re actually about making sure that our computers are not vulnerable and that our critical infrastructure is up to scratch and not subject to these sorts of vulnerabilities as far as we can insure that.
CRISTINA QUINN: Heidi says upgrading might very well be more than just a good idea. We should actually consider whether companies should be legally obligated to do updates on critical infrastructure, in the same way citizens are legally obligated to take certain precautions. For example —
HEIDI TWOREK: It’s the responsibility of every citizen within the United States to get themselves vaccinated against diseases like measles, because then that ensures that we don’t end up having epidemics. But if an epidemic does break out we do have the World Health Organization and we have the CDC to deal with it. So we have multiple stakeholders in trying to prevent epidemics and to contain health scares.
Individuals who use computers are also responsible. They’re not solely responsible but they play a role just as it is our role as a citizen to ensure that our children are vaccinated.
CRISTINA QUINN: Everyone has a role to play. As citizens, it’s keeping our defenses up to date. And as members of the global community — as nations — our role is to engage with each other, to keep our Cloud safe.
A new digital Geneva Convention might seem pie in the sky — get it, the Cloud, pie in the sky — but it’s also important. Because we all play a part in keeping one another safe online. Because we’re all connected….on the Cloud.
Dot-future is a co-production of Microsoft Story Labs and Gimlet Creative.
We were produced this week by Ana Adlerstein and Katelyn Bogucki, with help from Victoria Barner, Garrett Crowe, Frances Harlow, Nicole Wong, Abbie Ruzicka, Julia Botero and Jorge Estrada. Creative direction from Nazanin Rafsanjani. Production assistance from Thom Cote.
We were edited by Rachel Ward and mixed by Zac Schmidt. Our theme song was composed by The Album Leaf. Additional music from Eliot Lipp, Whaltho and Marmoset.
Special thanks to Tom Dannenbaum, Niki Clark, Matthew Dermot Clancy, and Ilves Sandoval from the International Committee of the Red Cross
Coming up next week on Dot Future, we’re tackling the issue of health …
In the digital era we have access to so much data.
CHRIS DANCY: Because I keep track of a lot of sets of data about myself…what’s your heart rate..what’s your respiration…what’s your blood sugar? It’s very easy for me to understand where behaviors are coming from and how to adjust them.
How we turn data into meaningful information, to keep ourselves well.
That’s coming up next week on dot future.
If you like dot-future, subscribe on Apple Podcasts, or wherever you get your podcasts! And please, leave us a review to tell us why! It really helps people find our show. To learn more about the show, visit dot future dot net
I’m Cristina Quinn. Thanks so much for listening!