This article is from a special report on the Athens Democracy Forum, which gathered experts last week in the Greek capital to discuss global issues.
Moderator: Steven Erlanger, Europe-based diplomatic correspondent for The New York Times
Participants: Nanna-Louise Wildfang Linde, vice president of European governmental affairs for Microsoft; and Dr. Benedikt Franke, vice chairman and chief executive, Munich Security Conference
Excerpts from the panel Rethinking Security: When Threats are Invisible have been edited and condensed.
STEVEN ERLANGER The topic before us is cybercrime and we’ll get to that, but first I wanted to talk to Nanna-Louise about what’s in the backdrop of almost all our conversations, which is the war in Europe, the Russian invasion of Ukraine and that in that war there’s a secret war we don’t see which, is the war of cyberattacks and disinformation. Nanna, I know your company, Microsoft, but also Google and others, have been working with the Ukrainian government to try to help it defend itself. So I wondered if you could just tell us a little bit about the nature of that threat.
NANNA-LOUISE WILDFANG LINDE I think it’s appropriate to start with the war in Ukraine. It’s something that we’ve been engaged in very actively from the start, even before, because of all the signals — 65 trillion signals — that we analyze every day to make sure that our customers are safe, we have certain insights and information that governments don’t have. So we saw early on that something was going on in Ukraine and we collaborated with the Ukrainian government and gave them the information that we had.
We’ve been very open about that. We have issued a transparency report about everything that we’ve seen and everything that we have worked with the government around seeing — 600 attacks on 100 different government and nongovernment organizations in Ukraine — and what we’ve also been able to do is to see when there will be a physical attack. So this has been very helpful — that we have been able to see some patterns, not only when would there come a new cyberattack and help the Ukrainian government prevent that, but also when will the next physical attack happen.
ERLANGER Do you do that kind of thing for any other country?
LINDE Not in the same extensive way, but we do work with governments all over the world.
ERLANGER Are these political choices made by Microsoft? I mean do you just decide, “Well I think this country is a good country so I’m going to help it and this country is a bad country.”
LINDE This was a little bit of a unique decision to help so extensively in Ukraine. We helped also on many other parameters. We have helped them combat the misinformation and this is also something we do in other countries. But something that’s also unique to Ukraine is the work that we’ve done together with the International Court of Justice to ensure documentation for war crimes so that we’re using our A.I. technology and collaborating with a company that does satellite images so that we can analyze them with our A.I. systems and thereby see exactly how does this building look before and after. Let’s talk about when did that attack happen with the civilians inside and so on.
ERLANGER I suppose you can look at places that were fields that are now gravesites or something like that.
LINDE Right, exactly, and I think one element of cyberdefense work that I think is important to get across is there’s of course a race between those that want to use cyber as a weapon and then cyberdefense technology. The same with A.I. Some will use A.I. as a weapon, some will use A.I. as a tool, and what we’ve learned from the war in Ukraine is that the defensive technology has by far won over the offense technology and this is one reason that we were able to work closely together with government and private companies.
ERLANGER Benedikt, how afraid should we be of this cybersecurity world? I mean are you as confident as Nanna-Louise that the defenses are superior to the attackers?
FRANKE I think that’s the wrong question because we are already scared. We did a little polling ahead of the last Munich Security Conference asking a thousand people in every European country, are you scared when it comes to cybersecurity, what do you feel most threatened by, and you know three results sort of stand out. Seventy-eight percent of Europeans are massively concerned about increasing attacks on them in their function as the smallest but also the most vulnerable building blocks of democracy. I mean we’re at the Athens Democracy Forum here that’s really at the core of their worry that they feel already that they are targeted not only for their money and not only for scams but also because they are the building blocks of democracy and through them you can turn democracy on its head, you can break it up. So 78 percent are concerned about that massively. Ninety-six percent of Europeans that we surveyed are concerned about the inability of their national governments and the European Union to protect them. They have a much higher faith in companies to protect them than they have in their governments. Europeans aren’t quite sure about the U.S. component of that. There are a good 60 percent who are worried about having their data stored outside the European Union, that are worried about the U.S. government’s intent. You know in Germany we still talk about Angela Merkel’s mobile phone being hacked by the U.S. government. No hard feelings, but it’s still a thing. And the A.I. component is massively complicating the picture because it’s so diffuse, so nebulous, people just can’t wrap their heads around it.
And there are three things that we believe need to be done. We’re really bad at aligning tech regulation with security considerations. We need to get much better at aligning the trans-Atlantic tech agendas. If it’s true that 60 percent of Europeans are worried about the U.S. component that’s almost as many as are worried about the North Koreans and the Russians. And we need to work on that and then strengthen societal resilience.
LINDE I think there’s one more thing we need to do, if I can add one to your list. In this world we live in, we need norms. One thing that was really great after World War II in 1949 was that the world came together and adopted the Geneva Convention which really spells out how to protect civilians in times of war and I think we should really think hard about whether we could do something like that. How states can act against each other when it comes to cyberspace — so like a Geneva Convention on digital.