As many of us learned back in grammar school, the Geneva Convention “is a body of Public International Law whose purpose is to provide minimum protections, standards of humane treatment, and fundamental guarantees of respect to individuals who become victims of armed conflicts.” Basically, this means that those who cannot protect themselves during times of war are protected. At the recent RSA Conference in San Francisco, Brad Smith, Microsoft’s President and Chief Legal Officer, made the case for a new Geneva Convention, this one for the digital world: a Digital Geneva Convention (DGC). Smith stated that right now there are very few laws in the digital world. He added that when a crime is committed in the cyber world it is very hard to pinpoint who is behind the act; even when we have a strong feeling about who is responsible, proving exactly who did it is nearly impossible (see the DNC email hacking of 2016, where Russia was blamed, and the Sony hack of 2015, where North Korea was blamed).
Such an agreement among the nations of the world would be the first of its kind in the cyber world. Some agreements have been made on a smaller scale and among some nations. In September of 2015 the US and China signed an agreement in which both governments pledged not to support the theft of intellectual property through cyberattacks, and in July of 2015, 20 countries within the United Nations proposed “limiting norms” that nations should abide by on the Internet. But until this Digital Geneva Convention proposal, discussions on a “cyber peace treaty” have either been very slow or nonexistent.
The DGC is broken into 6 specific requirements:
- No targeting of tech companies, private sector, or critical infrastructure,
- Assist private sector efforts to detect, contain, respond to, and recover from events,
- Report vulnerabilities to vendors rather than to stockpile, sell or exploit them,
- Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise, and not reusable,
- Commit to nonproliferation activities to cyberweapons,
- Limit offensive operation to avoid a mass event.
On top of these requirements, Brad Smith also recommended forming a committee that would span the public and private sectors. It would be an independent organization that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries. The organization would consist of technical experts from across governments, the private sector, academia and civil society, with the capability to examine specific attacks and share the evidence showing that a given attack was by a specific nation-state. Only then will nation-states know that if they violate the rules, the world will learn about it. This global committee would act as a Digital Switzerland: it would assist and protect customers everywhere, no matter where they are located or what government they are affiliated with. Above all, its most important trait is that it would never assist or aid in attacking anyone anywhere.
Brad Smith stated that these requirements and this committee are needed because the tech sector already plays the role of “first responders” for the internet and needs certain protections in place to feel safe from those looking to perform malicious acts. Drawing a comparison to how the Red Cross acts when there is a physical natural disaster, Smith is stating that when a nation-state carries out a cyberattack, it is initially met by private citizens and not another nation-state.
Many people, however, have reservations about the Digital Geneva Convention. The largest reservation concerns the current political climate across the globe. Many feel that tensions among a lot of the countries are so high that many would not be willing to enter an agreement like this. Others also believe Microsoft is being self-serving in the way the language of the DGC was written. Microsoft would benefit if the DGC were enacted because it would fall under the category of civilian and would be protected.
No matter how you feel about the Digital Geneva Convention, we can all agree that some sort of rules and regulations need to be put in place so that civilians are protected from cyberattacks during times of peace. Everyone has the right to feel safe when browsing the web.
If you would like to read the full post by Brad Smith, Microsoft’s President and Chief Legal Officer, click here.