A cyberspace convention
23 June 2017
At the RSA conference in February, Brad Smith, president of Microsoft, made a somewhat unusual suggestion.
Smith said that cyberspace needs a digital version of the Fourth Geneva Convention, which protects civilians in times of war.
“Just as the Fourth Geneva Convention has long protected civilians in times of war,” Smith wrote in his blog, “we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace.”
“And just as the Fourth Geneva Convention recognised that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies. The tech sector plays a unique role as the internet’s first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world’s trust.”
At the recent Data Summit in Dublin, Microsoft hosted a roundtable discussion on the matter amid the presentations around data protection, privacy, regulation and innovation. As the session was carried out under Chatham House rules, suffice to say that present were data security experts from Microsoft, journalists, analysts and summit attendees who had been invited to join.
The proposal, adding to what is outlined above, is that states would sign up to a legally binding agreement under international law that would ensure that governments, or their proxies, adhere to a set of rules for cyberwarfare, and the use of cyberweapons in peace time.
States would undertake not to attack critical infrastructure, would not require backdoors in software or hardware, and would not interfere with private sector mitigation of cyberattacks.
Private sector organisations would also adhere to this, and Microsoft has already stated its policy of being “100% defensive and 0% offensive” when it comes to cyberweapons and cyberwarfare.
Figures were provided to give context to the discussion. According to a UN group of governmental experts on cybersecurity, more than 30 countries have developed cyberweapons, with more having developed defensive capabilities. By 2020, Gartner expects businesses worldwide to be spending more than $100 billion on cybersecurity.
A RAND Corporation study was cited that suggests any such convention would require a body to be set up to determine attribution of cyberattacks, which should be funded publicly but staffed privately by private sector companies.
There would be a Vulnerability Equities Process (VEP), similar to that in operation by the US government, which would determine whether to withhold or disclose information about computer software security vulnerabilities. Under the VEP, it would be evaluated whether to disclose a vulnerability obtained or discovered—so that the software developer has a chance to fix the problem—or to withhold the information to use it for purposes including law enforcement, intelligence gathering, and exploitation.
The international body for attribution would work on a model similar to the International Atomic Energy Agency (IAEA), it has been suggested.
The debate around the table went back and forth as to how all of this might work in principle, as well as practice, but the entire discussion came back to one fundamental point: the Geneva Convention is flouted at will or completely ignored even by supposedly civilised nations. From Srebrenica to Rwanda, Syria to North Korea and now Turkey and Yemen, appalling atrocities have been committed, often unpunished.
Even the United States itself has a poor record in this respect, as it circumvents such things with labels such as “unlawful combatants” to deny rights and treatments set out in these charters.
So, the question was asked, what would make anyone think that a digital version of the Fourth Geneva Convention would work any better than the real thing?
The overall consensus was no—there is no reason to believe that a digital Geneva Convention would be any more adhered to than its spacetime counterpart, but it would do good and be of benefit.
It would, it was argued, show up regular violators, against whom the bloc of observant nations could impose sanctions and other punitive measures. As well as, of course, investigating actions to identify individuals who could be brought to The Hague for trial.
For my part, I am deeply sceptical of such a proposal.
To my mind, an international body to deal with cyberattack attribution would only work as a UN body, and should be funded by the public and private sector. It should be staffed with people of relevant skills, irrespective of their employment status, and they should be seconded for specific periods.
This body, like the IAEA, should have powers to investigate without hindrance and with the expectation of full cooperation from nation states and their proxies. The findings of the body should be of a sufficient level to allow them to be used in evidence in court, and supporting the work of the UN Security Council.
Only then could the use of cyberweapons be recognised, documented and punished, if need be, on the international stage. And they will be used, increasingly, in the future.