Verdict: Why we need a Digital Geneva Convention

By Microsoft

By Tom Burt, Vice President and Deputy General Counsel, Digital Trust, Microsoft.

Digital transformation offers the world the promise of unprecedented innovation, which will transform all our lives.
Unfortunately, digital transformation also enables cybercriminals. The very tools and techniques that can transform a business, can also accelerate offensive capabilities for crime and conflict.

Cybercrime is growing at an exponential rate around the world, and nation-states are using these tools to engage in a new form of warfare.

The rush to develop new cyberweapons is not being matched by enough government investment in cyber defense. For the technology companies that are building the products that power the global economy, the risks of cyberweapons challenge our operations; distorts our threat models; and limits our ability to protect our customers.

The destructive force of cyberweapons should not be underestimated. They are hard to keep secure, easy to deploy, cause harm that spreads far beyond the intended target, and once exposed can be reused by other nations or cybercriminals for years and decades to come.

When governments build physical weapons, they rigorously keep them secure and evaluate the potential collateral damage. Similar consideration is not always given to cyberweapons. Moreover, government cyber offensives have used private-sector innovation – without the latter’s knowledge or permission – to concoct virtual weapons that impose wide-spread public destruction.

Governments must join with the private sector to increase their investments in strategic defensive capabilities or else the transformative benefits of cloud computing for global business and all of civil society may never be fully realised.

They must also learn from this summer’s WannaCry attacks and recognise that the harm caused when cyberweapons are leaked into the hands of cybercriminals.

We must evolve the law

One issue is fundamental and outranks all other considerations: ensuring that civilians and enterprises never have to fear that they will be the victims of cyber attacks – whether in times of peace or war.

In February, Microsoft called for the adoption of a Digital Geneva Convention, built around a narrow set of commitments that, if implemented, could make a difference in the stability of our online environment. For example, we proposed a commitment by governments to refrain from attacking hospitals, utilities, financial institutions, and other systems and critical infrastructure that would threaten the safety and security of private citizens or the stability of the global economy.

Governments should limit the proliferation of cyberweapons and create a framework to work with technology companies to detect and contain cyberattacks and assist in recovery.

Just as the Fourth Geneva Convention protected battlefield medics as neutrals, private sector security incident response teams should be protected from attack in a modern era of cyberwar.

And just as that Convention protected peaceful civilians even in times of war, the private sector should be protected from the ravages of cyberwar.

Nations must know that they face a high risk of exposure whenever they engage in offensive activities online. To ensure this, governments and non-governmental organisations should join with private industry to build the capabilities, processes and frameworks required for credible attribution.

There are many paths towards this goal. One we have suggested is the creation of an independent international organisation similar to the International Atomic Energy Agency. It would have the authority to investigate suspected nation-state cyber-attacks and would provide evidence-based public attribution to those responsible.

This organisation must be resolute in its political neutrality, with its findings subject to rigorous peer review and protected from government interference. Its sole responsibility will be to identify violators; governments must take on the task of determining an appropriate international response.

Finally, we have argued for the creation of a cybersecurity tech accord. Technology companies have a key role to play in protecting civilians in cyberspace. We are the creators and operators of the digital infrastructure within which cyberattacks take place, and we are also the first responders.

Many of us already take this responsibility seriously and invest heavily in the security of our products and services, and in promoting the lessons we learn to the widest audience possible. However, no single company can do this alone. We believe that by coming together, committing to a set of principles and demonstrable actions, the tech sector (and other interested enterprises) can minimise the risks of harm to civilians from cyberweapons unleashed by nation-states.

The power of dialogue

Achieving concrete action has been a challenge. Even where there has been initial progress, such as in the United Nations Governmental Group of Experts on Information Security (UNGGE), we have hit blockades or dead ends. Not only have the conversations stopped, some nation states are actively withdrawing from critical processes and retreating into a world of isolation or a confusing web of bilateral agreements.
Some nations are actively withdrawing from critical processes.
This stalling of the dialogue on cybersecurity norms is reflective of broader international and national political trends. Governmental unease with the pace of innovation is deepening into distrust of others. We stand at the edge of a precipice.
If we fail to come to grips with the essential policy changes needed, national and international communities could fragment, refusing to communicate across their differences rather than building bridges to ensure trust.

Today the world needs dialogue on state behavior in cyberspace more than ever. We need a dialogue amongst governments, whether they are cyber powers or only just embracing online connectivity. We need a dialogue that engages all of civil society and the technology community. And most importantly we need all of those groups to work collectively to address these important issues.

We have no choice – we must find a path to a future of global cybersecurity that protects civilians and businesses from the grave danger of unchecked cyberwarfare. Conferences are critical to this process.

The alternative is to resign ourselves to increasingly frequent state-backed attacks, which will cause massive damage and disruption, undermining the digital transformation that offers so much opportunity to all world citizens.

Only by pushing for more, better, and broader dialogue can we make cyberspace safe. If we fail to make that dialogue real, then we’re letting a fuse burn down to a powder keg of cyberwar and the inevitable destruction of the real opportunity of the 21st Century.