Microsoft President Brad Smith is calling for a new Digital Geneva Convention and a related international organization that would allow governments and private businesses to fight cyberattacks by nation-states.
At the recent RSA Conference in San Francisco, Smith — who is responsible for Microsoft’s corporate, external and legal affairs, and serves as the company’s chief compliance officer — told an audience of IT security professionals that the time has come for the tech industry to call on governments “to do more.”
“War has migrated to a new battlefield. … Cyberspace is owned by the private sector. It is private property. It is a different kind of battlefield,” Smith said. “Now is the time for us to call on governments to protect civilians on the internet in times of peace. … What we need now is a Digital Geneva Convention.”
Under the proposal, governments would agree to an international framework that would bar nations from targeting tech companies, the private sector, or critical infrastructure with cyberattacks. They would also: assist private-sector efforts to detect, contain, respond to, and recover from events; report vulnerabilities to vendors rather than stockpile, sell, or exploit them; exercise restraint in developing cyber weapons and ensure that any developed are limited, precise, and not reusable; commit to nonproliferation activities regarding cyber weapons; and limit offensive operations.
With the agreement, Smith said the world needs an international organization “that brings together the best and the brightest in the private sector, academia, and the public sector, with the international credibility not just to observe, but to call the question and even identify the attackers when nation-state attacks happen. That is the only way that governments will come to recognize that this is not a program that will continue to pay off.”
Smith said that “constant and turbulent change” on cybersecurity issues is driving the need for new solutions — particularly as nation-states become more involved in making attacks. He cited the 2014 cyberattack on Sony Pictures as a turning point, with attacks by nation-state actors growing more pronounced in the years since.
In that incident, confidential information – including a string of sensitive e-mails among the film studio’s executives – was stolen by a group supported by the government of North Korea. The government was angry over the portrayal of North Korean leader Kim Jong-Un in the movie “The Interview.” This was “an attack on a private company for freedom of expression around a not terribly popular movie,” Smith said. “In the 2 1/2 years since, we’ve seen the issues evolve even further.”
Despite the proliferation of attacks, Smith said that “there is progress on which we can build.” Two years ago, he said, experts from 20 nations put together a new set of norms, and a few months later, the United States and China “sat down across the table and came up with a new pledge and plan to put the cyber-theft of intellectual property out of bounds.” The efforts were later endorsed by the G-20.
“Let’s face the obvious, there are new issues that we need governments to come together on in 2017,” Smith said. “There is an opportunity for a new president to sit across the table from the president of Russia and address the attacks that concern the world. We then need to build on that with a global convention.”
Government action alone won’t solve the problems, Smith said. The technology industry is now “in the plain of battle, and we are the world’s first responders,” he said. “Instead of nation-state attacks being met by other nation-states, they are being met by us.”
The tech industry, Smith said, needs to act collectively to do more – coming together as the International Committee for the Red Cross did in 1949 following the signing of the last Geneva Convention. “We need to sign our own pledge in conjunction with the world’s nation-states,” Smith said. “We need to pledge that we will protect customers, that we will focus on defense.”
A global tech sector accord would include: no assistance in offensive actions; collaborative and proactive defense by tech companies; collaborative remediation after attacks; software patches available to all; coordinated disclosure practices for vulnerabilities; and support for intergovernmental defensive efforts.
“We need to become a trusted and neutral digital Switzerland. We need to be a global industry that plays 100% defense, 0% offense,” Smith said. “We need to say that we will assist and protect customers everywhere. We will not aid in attacking customers anywhere.”