The breach of SolarWinds software that allowed widespread espionage on U.S. government agencies and other organizations worldwide is more than just a shocking use of digital spycraft, Microsoft’s top executive said Thursday.
The incident “represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” writes the company’s president, Brad Smith, in a blog post. “In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
The breach, which multiple U.S. sources have pinned on Russian intelligence, “is not ‘espionage as usual,’ even in the digital age,” Smith writes. In an addendum to the blog post, Microsoft said that it found no indications that its own software systems were used to attack others, but it did find “malicious SolarWinds binaries in our environment, which we isolated and removed.”
The company has been an active part of the U.S. response to the incident, which affected more than 17,000 customers of Texas-based SolarWinds, including the departments of Commerce, Homeland Security and State. The Department of Energy added its name to that list late Thursday.
Smith is a recognized leader in the cybersecurity community who in 2017 suggested a “Digital Geneva Convention.” The idea involved governments committing to protecting civilian infrastructure against nation-state cyberattacks. State-sponsored cyberattacks have continued in the years since, as Smith has continued to weigh in on major security issues.
“As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact,” Smith says. Reports have said SolarWinds was unwittingly pushing out malware from its update service since at least March.
Microsoft was working to notify more than 40 customers targeted by the attackers, according to Smith.
The blog post presents a larger road map for recovering from the incident and responding to it on the world stage, in line with Smith’s previous calls for international norms in cyberspace. Smith warns that the sophistication of nation-state espionage will only increase, especially as intelligence agencies and their proxies use artificial intelligence to analyze the data they collect.
He warns about the privatization of digital espionage, directly naming Israel-based spyware maker NSO Group and its Pegasus software as an example.
Looking ahead, he says the transition to a new U.S. presidency under Joe Biden “creates an opportunity to turn a page on recent American unilateralism and focus on the collective action that is indispensable to cybersecurity protection.” The country needs to take a major step forward in the sharing and analysis of threat intelligence, Smith says.
In repeating his familiar call for cyber norms, he says governments worldwide should do more to ensure there are “greater real-world consequences” for attacks like the SolarWinds incident.
“The U.S. government and its allies need to make crystal clear their views that this type of supply chain attack falls outside the bounds of international law,” Smith says.