Microsoft’s president wants a Geneva Convention for cyberwar
Microsoft is calling for a Digital Geneva Convention, as global tensions over digital attacks continue to rise. The tech giant wants to see civilian use of the internet protected as part of an international set of accords, Brad Smith, the company’s president and chief legal officer, said in a blog post.
The manifesto, published alongside his keynote address at the RSA conference in San Francisco on Tuesday, argued for codifying recent international norms around cyberwarfare and for establishing an independent agency to respond to and analyze cyberattacks.
What’s more, he called on the tech industry to band together to protect users.
Such an agreement is necessary, in his opinion, because warfare in cyberspace involves infrastructure that’s controlled and operated by private companies like Microsoft. Furthermore, some attacks, like the 2014 Sony hack widely attributed to North Korea, have targeted civilians.
“There’s an additional consequence that results from all this,” Smith wrote. “The tech sector today operates as the first responders to nation-state attacks on the internet. A cyber-attack by one nation-state is met initially not by a response from another nation-state, but by private citizens.”
Smith cited an attack the tech titan dealt with last year when it discovered a nation-state actor using domains aping trademarks it holds. Microsoft then got a court order allowing it to redirect the traffic going to those domains, blocking the attack.
“Since last summer, in response to one extended such nation-state attack, we have taken down 60 domains in 49 countries spread over six continents,” he wrote.
Smith called for tech companies to unite on cybersecurity issues to protect users. Furthermore, he called for the industry to promise not to assist with offensive attacks.
“Even in a world of growing nationalism, when it comes to cybersecurity the global tech sector needs to operate as a neutral Digital Switzerland,” Smith wrote. “We will assist and protect customers everywhere. We will not aid in attacking customers anywhere. We need to retain the world’s trust. And every government, regardless of its policies or politics, needs a national and global IT infrastructure that it can trust.”
He also wants those tech companies to contribute to an agency that would play a role similar to the International Atomic Energy Agency. Such an agency would, in his vision, include participants from governments, private industry, academia and civil society. That new group would be empowered to investigate attacks and attribute particular actions to certain nations.
All of this is complicated by the current geopolitical climate. In one of his first actions as president, Donald Trump withdrew U.S. support from the Trans-Pacific Partnership, a sweeping free trade agreement negotiated under the watch of his predecessor that included the participation of Australia, Canada, Japan, and other nations.
It’s unclear if Trump would be inclined to take part in a multilateral diplomatic exercise, such as the one Smith is suggesting. Such a convention on cybersecurity norms is made doubly difficult by reports that Russian President Vladimir Putin ordered attacks on the U.S. Democratic National Committee in an attempt to get Trump elected.