Written by Suzanne Smalley

Microsoft Chairman Brad Smith spent much of last Wednesday traveling across Washington promoting his company’s report on the current state of cyberwarfare and disinformation in the Russian-Ukrainian war.

He sat down with David Ignatius, foreign affairs columnist for the Washington Post, for a webcast on his findings. Then he went to the Center for Freedom and Democracy at the Reagan Institute to give a 20-minute speech on the 27-page report titled “Defending Ukraine: Early Lessons from Cyber Warfare” before joining Senator Angus King (I-ME) for a panel discussion.

The New York Times, CNN, Washington Post, NPR and others covered the study as an accurate and revealing look at an otherwise opaque and confusing digital front in the war in Ukraine.

Yet, soon after the report was released, leading cybersecurity experts and foreign policy scholars began raising serious questions and concerns. They questioned many key points in the document, namely claims about a combined physical and cyber attack on a nuclear power plant, and complained that Microsoft is trying to characterize the state of cyber conflict in Ukraine to promote its commercial interests.

“Microsoft is one of the most influential companies on the planet in this space. [and] Microsoft has a responsibility to get it right,” said Thomas Rid, cybersecurity expert and professor at Johns Hopkins University School of Advanced International Studies. “If you post this type of information, you should do so in a sober, fact-based manner and in a way that uses esteemed professional language.”

In total, CyberScoop spoke to a dozen leading analysts, executives, military cyber practitioners, and academics who all criticized Microsoft for releasing a report that lacked the technical underpinnings and supporting evidence for its arguments. Moreover, they said, it did not meet the basic standards of research that even most tech companies adhere to when producing similar reports on the activities of nation states or criminal cyber threats.

Small sourcing, big complaints

“Source citations are thin to non-existent,” said Christopher Paul, disinformation researcher and senior social scientist at RAND Corporation. There are “a handful of in-text links to specific sources and other reports, and the first real reference is a figure source for a copy of a newspaper page from the 80s,” he said. Paul also noted that the report provided many figures and tables from Microsoft’s AI for Good Research Lab, a group Microsoft calls a “philanthropic team of data scientists and researchers” that focuses on artificial intelligence and machine learning, without enough detail.

Microsoft has unique insight into cyberattacks in Ukraine and, for that matter, much of the world, as one of the world’s largest technology companies. It also often works with the US government on cybersecurity operations due to the scope and scale of its networks. It stands to reason that it would be able to understand the nature of cyber conflict in Ukraine and help inform the public, policy makers and experts in the field.


Similarly, CyberScoop and many other publications regularly cover industry reports on cyber activities and nation-state actors. But in this case, according to experts, Microsoft’s powerful position in the global market, the potential business advantages of positioning itself as a bulwark against Russian cyberattacks and the extremely delicate situation in Ukraine make the report’s bold assertions and lack of supporting data worrying.

To be sure, much remains unknown about the contours of cyber warfare in Ukraine and all the ways in which Russia uses cyber means in its brutal campaign. But many critics have taken issue with the report because they believe it overstates the degree to which Russia has coordinated cyber and physical warfare and believe it paints Russia’s operations in Ukraine as overly sophisticated.

In a statement to CyberScoop, a Microsoft spokesperson defended the report and disputed the critics’ characterizations, saying the company wanted to reach a wider audience who may not be familiar with the technical nature of cyberattacks.

“Cybersecurity issues are pervasive across the digital landscape, reaching beyond the security community to reach key audiences, including policymakers and others not always steeped in technical details,” said the spokesperson. “We stand by our report and its findings and welcome an ongoing conversation with others in the security community and beyond as we work together to do our part to defend Ukraine and protect the cybersecurity ecosystem.”

Questions about an alleged attack on a nuclear power plant

The main objection from many experts concerns Microsoft’s unsubstantiated claims about an apparent assault on a Ukrainian power plant that combined a physical strike with a cyberattack.

The report says that “the Russian military combined cyber and conventional weapons to attack a nuclear power plant” in early March, pointing to a Russian group moving laterally on the computer network of the nuclear energy company on March 2 before a military attack on March 3.

Most of the twelve experts CyberScoop spoke to called this claim deeply problematic. Rid points out that while Microsoft initially implied that the Russians were using cyber means to gather intelligence about the nuclear power plant, in the next sentence the report appears to hedge, claiming that the highly reputable Microsoft Threat Intelligence Center (MSTIC) “has identified a Russian group moving laterally on the computer network of the nuclear power company.”

“This [statement] is full of assumptions,” said Rid, who has written extensively on Russian intelligence and said that shifting the focus from the plant itself to the larger corporation is misleading. “The first sentence is not supported by the second.”

He also pointed out that while the report called the cyber incident at the plant a “weapon,” the described behavior of the Russian group “moving laterally” was not a weapon.

Rid said that despite his take on Microsoft’s Ukraine report, the work that comes from MSTIC is generally of high caliber and presented without the glare of corporate marketing or grandstanding. “I have the greatest respect for MSTIC and the forensic and investigative work they have done. This report, strangely, does not reflect the quality of their work,” he said.

Another renowned cybersecurity expert, Juan Andres Guerrero-Saade, also said that the nuclear power plant anecdote seems to overestimate the current strategic capabilities of the Russian military.

“It’s incredibly charitable to suggest that the reality of the Russian military is one that includes organized coordination between different intelligence units and kinetic forces,” said Guerrero-Saade, senior threat researcher at SentinelOne and adjunct professor at Johns Hopkins SAIS. “It’s building a view of a formidable bear that we haven’t seen yet.”

(SentinelOne is a competitor to Microsoft Defender for Endpoint, a security platform that helps defend against advanced persistent threats.)

Understanding the stakes

Due to the current situation in Ukraine and the political questions it raises, it is more important than ever to get the facts straight about what may or may not happen on the ground or in the digital realm, Guerrero-Saade said.

“At a time when it is suggested that cyber be included as an area that the International Criminal Court should consider in the context of war crimes investigations, research teams and technical results must remain as objective and rigorous as possible,” he said.

The story of the nuclear plant also caught the attention of a senior defense official.

“In terms of a cyberattack, strategically, that’s something the Russians don’t want to do,” Ryan Maness, director of the Department of Defense Analytics at the Naval Postgraduate School and author of “Cyber War Versus Cyber Realities: Cyber Conflict in the International System,” said via email from Europe. “They wanted the plant intact for a strategic energy advantage against Ukraine (blackmail, coercion), so they wanted it in working order. The firing around the plant was irresponsible, yes, but as far as I know it did not threaten the reactors.”

Microsoft presents a “very incomplete assessment of the cyberwar situation”, he said.

Like others who spoke with CyberScoop, Maness said the report gave too much credit to the Russians.

Many of the paper’s most vocal critics said a report of this magnitude should have read less like a marketing pitch for Microsoft and relied more on indicators of compromise and sober technical analysis. Instead, Guerrero-Saade said, the report appears to be an “attempt to take technical research and turn it into a bizarre lobbying opportunity.”

Guerrero-Saade also said the report too often makes questionable claims. For example, he said, the report draws links between specific cyber threats and individual Russian intelligence agencies with no evidence to support those links. Specifically, the report attributes various phishing, data theft and wiper attacks to three different Russian intelligence agencies without explaining how it makes each attribution. He said such links are generally difficult to establish, even for the best threat analysts.

Michael van Landingham, who was a Russia analyst for the CIA until 2019 and now runs Active Measures, a research and analytics firm, also said the report’s lack of data undermined its findings. For example, he said, it’s unclear how Microsoft determined that only 29% of Russia’s cyber intrusion attempts targeting Ukraine were successful.

“What is the extent of Russian cyber activity that you as Microsoft detect, with your data, or measure, and what might you be missing?” he said. “I want to see more discussion about what Microsoft can see and what they can’t see, and how that affects their level of confidence in their judgments about stopping intrusions, and also what the threat intelligence team thinks, or what the perpetrators generally think, these intrusions were for.”

Overall, he says, he fears the report’s generalizations will leave a non-technical audience with more questions than answers.

“When you’re writing for a larger audience, all of those things come together in the big CYBER!” he said. “But the problem with the CYBER! is that [reality] is obviously much more nuanced, and not everything under that umbrella of CYBER! has the same impact in armed conflict that authors or a general audience might expect.”