Europe’s proposed cybersecurity strategy would see companies reporting incidences of when they have been attacked. Microsoft’s Paul Nicholas says that there needs to be more clarity on what the reason for the reporting is, and calls for more collaboration between governments to harmonise cybersecurity controls.
Paul Nicholas is senior director in Microsoft’s Trustworthy Computing group, where he leads the global security strategy and diplomacy team. He spoke to EurActiv’s Jeremy Fleming in Brussels.
Where are the divergences between cybersecurity proposals in the EU and the US?
There is a big struggle everywhere when it comes to how policymakers think about being prepared for cyber readiness and realising that it is a big challenge at national level. That said, I think that they have a lot in common: the US and EU approaches. There is a difference in scope and in political scope, but at core they both want baseline security measures, they both want increased information-sharing for cyber threats. When you get to practical differences, mandatory reporting [as suggested in the European cybersecurity strategy] is a concern from the US point of view.
What are some of the challenges that come with mandatory reporting?
We need to know what we are reporting for. Are we reporting information for situational awareness, or to assist governments, to make statistical information more refined? How significant must the events be that trigger reporting? If we had a common understanding of what is significant, that would help.
Does cybersecurity pose special problems for Microsoft, given its software provision?
On the one hand we have more threats. But we provide software that powers 16 billion desktops and cloud services and from that perspective we have a long-term commitment to our customers. That is why we developed our “Trustworthy Computing Group”, and we have made changes that have reformed the secure ecosystem of computing.
Cyberattacks are perceived as a growing threat, yet it is increasingly difficult to identify their origin. How does this affect your perception of cyberspace?
We are incredibly concerned about that. We think that it’s very important that governments and industry create norms that guide nation state behaviour in cyberspace. You cannot tell who is acting and how, so it is a valid concern.
What are the challenges in approaching cybersecurity form a global perspective?
I think that there are a lot of challenges in co-operation at international level. Developing countries are growing capacity building. It’s important to equip countries with cybersecurity capabilities, and that is not always straightforward. It is very hard to identify the sources of attacks, however, and you cannot build boundaries that will prevent an attack. In terms of costs it’s a battle between opportunity and costs. The biggest challenge may be a direct attack, but there are also indirect results from an attack. There are occasions when the indirect costs are much higher than direct costs. There are many cases where we are unaware what the full scale or effect of certain attacks could be.
What do you want to see emerging within the cybersecurity landscape?
I would like to see greater harmonisation. If 40 countries each came up with their own individual controls that is going to be difficult for industry. Harmonisation between governments about what are acceptable norms at nation state level would be a good aim in the long term.