Microsoft Wants a Digital Geneva Convention for Cyberwarfare
The software giant is calling for a treaty to outline protections for civilians and companies from government-sponsored hacking.
Some of the world's biggest nerds gathered this week at the RSA convention in San Francisco to talk about a subject most people would rather never contemplate and probably don't fully understand: cybersecurity. And there, the president of Microsoft issued a rather startling call for the world's governments to come together and form a digital Geneva Convention to protect private citizens from cyberattacks by nation states.
"Let's face it," said Microsoft's Brad Smith in his keynote address, "Cyberspace is the new battlefield. The world of potential war has migrated from land to sea to air and now cyberspace." A spate of attacks in recent years by nation states on civilians in cyberspace - North Korea on Sony Pictures, the Russian hacking of John Podesta's emails, and others - makes it clear, at least to those who understand what's going on, that something needs to be done.
The Geneva Conventions - the last of which was held in 1949 in the aftermath of World War 2 - established rules and protections from the horrors of war for civilians and medical workers who aren't actively fighting. They stipulate an attack against civilians is a war crime.
"Cyberspace is owned and operated by the private sector," Smith said. "It is private property, whether it is submarine cables or data centers or servers or laptops or smart phones." And the tech community - the Googles and Intels and Microsofts gathered at the RSA convention that made up the audience at Smith's keynote - are typically the first responders to these attacks. Microsoft, a major provider of email software and services where cyberattacks often begin, alone spends a billion dollars annually on cybersecurity.
Governments are still working out how to respond to attacks waged by governments in cyberspace because, as Smith points out, cyberspace doesn't exist in a physical space. So there aren't yet clear rules on whether an attack is actual warfare. When Russia attacks an American citizen with the goal of undermining an American candidate for president - as in the John Podesta email leaks - is that an act of war? What about the Sony case, where North Korea retaliated against an American corporation for making a movie the government didn't like?
While governments work this out, private citizens are under fire, Smith said.
"It is a sobering thing to think about," he said. "But consider this: For over two thirds of a century, the world's governments have been committed to protecting civilians in times of war. But when it comes to cyberattacks, nation-state hacking has evolved into attacks on civilians in times of peace."
There are others in the tech community - especially those on the front lines - who agree it's time for governments to establish treaties that govern malevolent acts in cyberspace. Eugene Kaspersky, the CEO of Kaspersky Lab, a global leader in IT security, wrote an op-ed in Forbes reacting to Smith's call to action and agreeing wholeheartedly.
"Yes! Yes! Yes!" he wrote. "The world needs an international convention like this badly and urgently. One should have been adopted a long time ago, and I've been advocating such a thing for I don't know how many years. Ten? Fifteen? News that it's finally gaining traction and there are tech big-guns throwing their weight behind it is music to my ears."
Nor is Smith the first to make this call to action. Joseph Cannataci, UN special rapporteur on privacy, made a similar call to action over a year ago, though his concerns were, then, more about government surveillance of private citizens than attacks on them by foreign powers. "Today there are many parts of the English countryside where there are more cameras than George Orwell could ever have imagined," he told The Guardian last year. "So the situation in some cases is far worse [than in Orwell's 'Nineteen Eighty-Four'] already."
Podesta, perhaps the most well-known victim of a hostile cyberattack waged by a world power against a citizen, was surprised by how little assistance he got from the U.S. government. "I think to this day it's inexplicable that they were so casual about the investigation of the Russian penetration of the DNC emails," Podesta told TechCrunch. "They didn't even bother to send an agent to the DNC; they left a couple of messages at the IT help desk saying, 'You might want to be careful.'"
Smith suggests, in his speech, that tech companies need to act as a digital Red Cross and offer technical assistance once these treaties have been worked out. "As the Fourth Geneva Convention relies on the Red Cross to help protect civilians in wartime," he said, "protection against nation-state cyberattacks requires the active assistance of the tech sector."
Photo: Defense Secretary Ash Carter (left) and Microsoft President Brad Smith (center) in a Department of Defense file photo.