Do We Need a Digital Geneva Convention?

Microsoft calls for an international treaty to prevent companies and citizens from getting tangled up in nation-state cyberattacks.
February 15, 2017
Microsoft president Brad Smith

The Geneva Convention, signed by war-weary nations in August 1949, now binds 196 countries to protect civilians in war zones. Microsoft’s president, Brad Smith, argues that the U.S. and other countries now need to draw up a digital equivalent to protect civilians and companies caught in the crossfire of constant cyberwar.

In recent years, computing and security companies have uncovered or been the victims of malware and network attacks that appear linked with military or intelligence agencies. Smith told an audience at the world’s largest security conference Tuesday that international diplomacy is needed to mitigate the negative effects on private companies and citizens.

Smith's Proposed Requirements

  1. No targeting of tech companies, private sector, or critical infrastructure.

  2. Assist private-sector efforts to detect, contain, respond to, and recover from events.

  3. Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.

  4. Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.

  5. Commit nonproliferation activities to cyberweapons.

  6. Limit offensive operations to avoid a mass event.

“Nation-state hacking has evolved into attacks on civilians in times of peace,” said Smith at the RSA Conference in San Francisco, echoing the language of the Geneva Convention. “We need to call on the world’s governments to come together [as] they came together in 1949 in Switzerland.” Smith, who is also Microsoft's chief legal officer, has recently lobbied for legal reforms to update privacy and security protections for the Internet era (see "Microsoft's Top Lawyer Becomes a Civil Rights Campaigner").

Smith listed six requirements such an agreement might lay on countries, for example not to target private companies or critical infrastructure with digital campaigns.

He said the 2014 attack that crippled Sony Pictures—an attack the U.S. blamed on North Korea—was an example of the kind of event that shows the need for international agreement on hacking. North Korea is believed to have targeted Sony because of its displeasure with the movie The Interview, which satirized its leader, Kim Jong-Un.

Smith cited a 2015 agreement signed by China and the U.S. pledging not to conduct or encourage corporate cyberespionage as evidence that international diplomacy can rein in what happens in cyberspace. Security experts and the U.S. government had complained for years that China’s military helped steal corporate secrets. China has always denied such claims, but U.S. officials and security companies say the incidence of attacks from the country has dropped (although some experts remain skeptical of the cause). The G20 later signed a similar compact.

Smith’s sentiments about the importance of diplomacy in tackling what is often seen as a technical problem were echoed Tuesday by Michael McCaul, chair of the House Homeland Security Committee.

Countries would always differ in their attitudes on privacy and security, but coördination is necessary to prevent cyberattacks causing serious harm, said McCaul, also speaking at RSA. “The U.S. should be engaging with overseas partners,” he said. “We must develop clear rules of the road when it comes to cyberwarfare.”

McCaul cited evidence that Russia had used hacking to try to influence the U.S. presidential election as an example of the consequences of loose policies on cyberattacks. Russian-backed hackers have also been accused of taking down power grids in Ukraine last year.

Mikko Hypponen, chief security officer with F-Secure, who has helped chart the rise of government malware, told MIT Technology Review that the idea of something like a digital Geneva Convention is plausible. But despite rating the U.S.-China agreement as a success, he’s skeptical that anything like it will come anytime soon.

Hypponen recommends looking to a different period in history as a model for how the next few years of the cyberwar era will play out. “This arms race is in the early days,” he says, because nations still sense they have much to gain over competitors by aggressively expanding digital espionage and attack capabilities. “I believe we will get to disarmament and control in the end as we did with nuclear weapons, but it’ll take a while.”
