As NATO members prepare to meet in Washington, D.C., for a summit marking the 75th anniversary of the alliance, it is worth recognizing the role cyber operations now play in modern conflict and the multistakeholder partnerships necessary for deterrence online. In recent years, the pace of cyberattacks has increased to the point where there is now effectively constant combat in cyberspace. Deterring this activity will require a combination of both technological and geopolitical solutions. The former can be led in large part by industry, while the latter must be led by governments.
The ongoing war in Ukraine has wedded cyber and military operations in unprecedented ways, and nation-state cyberattacks more broadly continue to escalate in scale and severity around the world. Recent advances in generative artificial intelligence (AI) also raise concerns that foreign adversaries will create synthetic “deepfake” media in attempts to confuse or influence public opinion, especially in a year when so many elections are being held across the globe. Anything the tech industry can do to make cyberattacks less likely to succeed provides a deterrent incentive to malicious actors. However, industry is limited to purely defensive actions in response to the rising numbers of cyberattacks. Imposing further deterrent consequences will require political will on behalf of states to uphold the expectation of responsible online behavior.
Industry Must ‘Do Security’
In the face of increasingly sophisticated and persistent nation-state cyberattacks, the technology industry must revisit its practices and do more to ensure security is the top priority. At Microsoft, we are embracing this reality through a renewed and comprehensive approach to security we call the Secure Future Initiative. This company-wide, multi-year, effort is grounded in three core cybersecurity tenets: to make all of Microsoft’s products and services “secure by design” and “secure by default” as well as managed with “secure operations.” This effort reflects a massive undertaking—reallocating resources and dedicating the equivalent of 34,000 full-time engineers to the single-largest cybersecurity engineering project in the history of digital technology. AI is also augmenting this initiative, being leveraged to make software development more secure.
However, improvements in engineering practices and resourcing for security must also be paired with a deliberate reinvigoration of corporate culture led from the very top. Microsoft CEO Satya Nadella captured this sentiment in a recent message, instructing all employees that, “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security.” In the current threat environment, security must be treated as the most important attribute of product quality, and at Microsoft we are working to ensure this is embraced by employees at every level of the organization. While the Secure Future Initiative reflects Microsoft’s ongoing efforts on security, others across the tech industry can and are taking their own steps to defend against constant, and increasingly sophisticated, cyberattacks. Such ambitious investments in both operations and culture are what it takes to meet the moment.
Beyond what companies can do individually, there are also critical things that industry can do together to prevent attacks from the most advanced threat actors. This includes maintaining robust and cooperative relationships between security teams to share and corroborate findings related to threat activity to protect our customers. The industry must also take action to stay ahead of risks posed by emerging technologies that threat actors are quick to adopt but governments may only be beginning to regulate. We are well past a time when it may have been acceptable to not consider the impact of technological advancements, especially when it comes to something as significant as AI. This is why a coalition of the 20 largest AI and social media companies came together last February to launch a Tech Accord to Combat Deceptive Use of AI in 2024 Elections. This agreement committed companies to take action to limit the malicious creation of election deepfakes, identify and mitigate the impact of deceptive AI use in elections, respond to abuses on the companies’ respective platforms, and raise public awareness to ensure AI is not weaponized against democratic processes.
There is clearly a lot that industry can and should be doing to improve defenses and to thwart nation-state cyber operations targeting systems and customers. However, these actions cannot impose meaningful consequences alone. They will need to be paired with countervailing pressure from governments that discourages adversaries from continuing to pursue cyber operations that violate international norms, and which put civilians at risk. The status quo of perpetual escalation of nation-state cyberattacks is simply untenable, and governments have a critical role to play.
Political Challenges Need Political Solutions
By any measure, lawless and aggressive cyber activity has reached an extraordinary level. Today, Microsoft tracks more than three hundred nation state threat actors and, as reported in the last Microsoft Digital Defense Report, more than 40% of nation state cyberattacks we observed last year targeted critical infrastructure. Too often these actions take place without effective reprisals, reflecting, in part, the degree to which international law and norms of conduct are incomplete or lack meaningful enforcement. Undeterred, foreign adversaries will continue to push the envelope with increasingly dangerous cyber operations.
As U.S. Deputy National Security Advisor Anne Neuberger points out in her contribution to this report, the National Security Agency (NSA) earlier this year discovered sophisticated cyber operations by a foreign adversary targeting U.S. critical infrastructure. The agency determined that these intrusions appeared to be “pre-positioning” for a destructive attack in a potential future conflict. This activity is different in kind from anything that has been considered acceptable state practice in the past and cannot be tolerated. Cyber operations that have the potential to cause serious harm to critical infrastructure systems require a firm response sufficient to deter such activity in the future.
Strengthening deterrence online begins with more consistent and robust public attributions of cyberattacks, which call out bad actors and violations of international laws and norms. To this end, it is encouraging to see NATO and its member states step up their cooperation in these efforts. In May 2024, the alliance released a statement recognizing Germany and the Czech Republic for their public declarations attributing widespread cyberattacks against their citizens to a nation-state threat actor. These declarations collectively raised the visibility of the incident and how it violated international expectations – making clear that this activity should not be tolerated.
This kind of coordinated response should become the standard moving forward, especially as NATO seeks to fulfill its mandate in the digital age. Public attributions not only serve to name-and-shame bad actors, but also to lay the foundation for additional action in response. To this end, governments will also need to consider what additional countermeasures—political or otherwise—will be necessary to further deter such activity. Persistent and determined statecraft upholding international law and norms, alongside necessary innovation and investment in cybersecurity by industry partners, are the best hope for establishing effective deterrence in cyberspace.
Tom Burt leads a cross-disciplinary team at Microsoft that works to improve customer trust in the safety and security of the digital ecosystem by advocating for global cybersecurity policy, partnering with public agencies and private enterprises to disrupt nation-state cyberattacks and support deterrence efforts, and combatting cybercrime. Customer Security and Trust is also responsible for managing Microsoft’s government clearance and national security compliance.