Science finally caught up with science fiction, Microsoft President Brad Smith said during his keynote at CES this week.
Smith referenced two things. First: “WarGames,” the 1983 Cold War thriller that introduced many people — including U.S. President Ronald Regan — to the importance of cybersecurity. And more recently, the SolarWinds breach, which is arguably the biggest cyberattack ever against government agencies and corporations.
“Think about the recent holiday season. It was dominated not just by COVID and Christmas, but by cybersecurity issues as well,” Smith said. “We all learned about the first victim, a company called SolarWinds, and how that attack spread from one company to other companies and to governments and other nations around the world.”
Smith didn’t, however, mention that Microsoft was among the companies attacked by suspected Russian state-sponsored hackers. After confirming that it was one of the organizations that downloaded the SolarWinds Orion software update containing malicious code, Microsoft on New Year’s Eve admitted that hackers also accessed its internal source code.
After screening “WarGames” at Camp David in 1983, Regan reportedly asked Gen. John W. Vessey Jr., the chairman of the Joint Chiefs of Staff: “Could something like this really happen? Could someone break into our most sensitive computers?”
Vessey’s answer: “Mr. President, the problem is much worse than you think.”
Fifteen months later, Regan signed the first national security decision directive on computer security.
“We live in a time when, in so many ways, science has now caught up with science fiction,” Smith said during his keynote.
Smith Talks SolarWinds Lessons Learned at CES“‘WarGames' was important not just because it showed engineers what computers could do, but it showed all of us, and people in government, the problems we would need to work together to solve. It literally changed the arc of work needed to protect the country and the world,” Smith continued. “And in this instance, in the year 2021, it’s not a movie that we’re learning from. It’s real life. And the real life of the past month and the attacks that we’ve had to address are of critical importance.”
There are a couple lessons that the tech industry and society as a whole should learn from both the movie and the real-life SolarWinds hack, Smith said. “First, what are the rules of the road that are going to guide us all as a planet? And second, what does it mean for us as an industry?”
SolarWinds emphasizes the critical need for “rules of the road” related to cybersecurity, Smith said. Smith has long championed a global agreement to protect data, privacy, and even lives from becoming collateral damage in nations’ cyber war games. At the annual RSA security conference in 2017, Smith called for a digital equivalent to the Geneva Convention to protect civilians against cyberattacks. A year later, Smith formalized this effort with the Cybersecurity Tech Accord, initially signed by 35 companies, and later in 2018 Microsoft was among the 370 signatories of The Paris Call for Trust and Security in Cyberspace.
During his CES keynote, Smith acknowledged that governments spying on each other isn’t going to stop. “But we’ve long lived in a world where there were norms and rules that created expectations about what was appropriate and what was not,” he continued. “And what happened with SolarWinds was not.”
‘Global Assault on Technology Supply Chain’The SolarWinds attacks wasn’t just about Russia spying on the U.S. or hacking into government networks. “It was a mass indiscriminate global assault on the technology supply chain that all of us are responsible for protecting,” Smith said. SolarWinds “represented a vector of attack that first distributed roughly 18,000 packages of malware on organizational networks literally around the world. It is a danger that the world cannot afford.”
The entire tech industry must unite, and “say to every government around the world that this kind of supply chain disruption is not something that any government or any company should be allowed to pursue,” Smith said.
He also pointed to cyberattacks against hospitals, public health agencies, companies developing vaccines, and the World Health Organization (WHO) during the pandemic. “This, too, should be off limits in a time of peace, just as it is for the use of conventional weapons in a time of war,” Smith said. While this will require the industry work with governments and NGOs, “it starts with us.”
Smith Calls for 9/11-Type Commission at CESThe SolarWinds attack also demonstrates the importance of sharing threat information, Smith said. “It’s a powerful reminder that threat intelligence, data about cyberattacks, really exists in so many silos today: silos within an individual government, silos within an individual company, silos in the public sector, silos in the private sector,” he said. “And yet it is so clear that the only way to protect the future is to understand the threats of the present. And that requires that we share data in new ways.”
Smith said a “very similar problem” contributed to the Sept. 11 terrorist attacks, and he referenced the 9/11 Commission’s finding that U.S. intelligence agencies should move from a culture of need to know to need to share.
“The best time to have a 9/11 Commission is before the next 9/11,” Smith said. “Let’s learn from the past. Let’s imagine the future. But most importantly, let’s put ourselves to work and take new steps collectively.”
Cautionary Tale About AIHowever, “War Games” isn’t just about a teenage hacker who breaks into a military supercomputer and almost starts World War III. It’s also a cautionary tale about artificial intelligence (AI). “The other part of the movie was a story about humanity surrendering control to computers,” Smith said. “That was the real threat that ultimately emerged as the film progressed. And in a very similar way, we actually see the risk of science catching up with science fiction, and of technology outpacing our ability to exercise control.”
For example, facial recognition can reunite parents with missing children. But the technology in general has been criticized for bias because the algorithms are prone to misidentify Black and Asian faces more frequently than white faces.
Because of this, facial recognition came under increased scrutiny last year following nationwide protests about racism and police brutality triggered by the killing of George Floyd by Minneapolis police officers. In response, Microsoft, Amazon, and IBM said they would stop selling their facial recognition technology to police. At the time, Microsoft also said it supports a national law to oversee the technology.
‘Risk That Humanity Will Lose Control’“Something like machine learning and its use can create the risks of bias and discrimination in a whole variety of different commercial settings. Or, the very scenario that we saw in ‘WarGames’ itself — the risk that humanity will lose control of the weapons of war,” Smith said at CES. “As we think about AI, and all of the promise of artificial intelligence, we have to think as well about the new guardrails that we need to create so that humanity remains in control of our technology,” Smith said.
While the shiny new gadgets usually steal the CES headlines, it’s important to also use the massive stage that an event like this affords to advance the industry’s commitment to use technology for good, Smith said.
“Exciting product innovations will always be the heart of CES. But increasingly, people around the world are looking at us, and they want to know not only about our heart, but about our soul,” Smith said. “People want to know what are the safeguards that we’re building around technology to protect against the perils that it can create?”