The Geneva Convention, signed by war-weary nations in August 1949, now binds 196 countries to protect civilians in war zones. Microsoft’s president, Brad Smith, argues that the U.S. and other countries now need to draw up a digital equivalent to protect civilians and companies caught in the crossfire of constant cyberwar.
In recent years, computing and security companies have uncovered or been the victims of malware and network attacks that appear linked with military or intelligence agencies. Smith told an audience at the world’s largest security conference Tuesday that international diplomacy is needed to mitigate the negative effects on private companies and citizens.
Smith's Proposed Requirements
1. No targeting of tech companies, private sector, or critical infrastructure.
2. Assist private-sector efforts to detect, contain, respond to, and recover from events.
3. Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.
4. Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.
5. Commit to nonproliferation activities for cyberweapons.
6. Limit offensive operations to avoid a mass event.
“Nation-state hacking has evolved into attacks on civilians in times of peace,” said Smith at the RSA Conference in San Francisco, echoing the language of the Geneva Convention. “We need to call on the world’s governments to come together [as] they came together in 1949 in Switzerland.” Smith, who is also Microsoft's chief legal officer, has recently lobbied for legal reforms to update privacy and security protections for the Internet era (see "Microsoft's Top Lawyer Becomes a Civil Rights Campaigner").
Smith listed six requirements such an agreement might lay on countries, for example not to target private companies or critical infrastructure with digital campaigns.
He said the 2014 attack that crippled Sony Pictures—an attack the U.S. blamed on North Korea—was an example of the kind of event that shows the need for international agreement on hacking. North Korea is believed to have targeted Sony because of its displeasure with the movie The Interview, which satirized its leader, Kim Jong-Un.
Smith cited a 2015 agreement signed by China and the U.S. pledging not to conduct or encourage corporate cyberespionage as evidence that international diplomacy can rein in what happens in cyberspace. Security experts and the U.S. government had complained for years that China’s military helped steal corporate secrets. China has always denied such claims, but U.S. officials and security companies say the incidence of attacks from the country has dropped (although some experts remain skeptical of the cause). The G20 later signed a similar compact.
Smith’s sentiments about the importance of diplomacy in tackling what is often seen as a technical problem were echoed Tuesday by Michael McCaul, chair of the House Homeland Security Committee.
Countries would always differ in their attitudes on privacy and security, but coördination is necessary to prevent cyberattacks causing serious harm, said McCaul, also speaking at RSA. “The U.S. should be engaging with overseas partners,” he said. “We must develop clear rules of the road when it comes to cyberwarfare.”
McCaul cited evidence that Russia had used hacking to try to influence the U.S. presidential election as an example of the consequences of loose policies on cyberattacks. Russian-backed hackers have also been accused of taking down power grids in Ukraine last year.
Mikko Hypponen, chief security officer at F-Secure, who has helped chart the rise of government malware, told MIT Technology Review that the idea of something like a digital Geneva Convention is plausible. But despite rating the U.S.-China agreement as a success, he’s skeptical that anything like it will come anytime soon.
Hypponen recommends looking to a different period in history as a model for how the next few years of the cyberwar era will play out. “This arms race is in the early days,” he says, because nations still sense they have much to gain over competitors by aggressively expanding digital espionage and attack capabilities. “I believe we will get to disarmament and control in the end as we did with nuclear weapons, but it’ll take a while.”