
Do We Need a Digital Geneva Convention?

Microsoft calls for an international treaty to prevent companies and citizens from getting tangled up in nation-state cyberattacks.

Microsoft president Brad Smith

The Geneva Convention, signed by war-weary nations in August 1949, now binds 196 countries to protect civilians in war zones. Microsoft’s president, Brad Smith, argues that the U.S. and other countries now need to draw up a digital equivalent to protect civilians and companies caught in the crossfire of constant cyberwar.

In recent years, computing and security companies have uncovered or been the victims of malware and network attacks that appear linked with military or intelligence agencies. Smith told an audience at the world’s largest security conference Tuesday that international diplomacy is needed to mitigate the negative effects on private companies and citizens.

Smith's Proposed Requirements
  1. No targeting of tech companies, private sector, or critical infrastructure.
  2. Assist private-sector efforts to detect, contain, respond to, and recover from events.
  3. Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.
  4. Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.
  5. Commit nonproliferation activities to cyberweapons.
  6. Limit offensive operations to avoid a mass event.

“Nation-state hacking has evolved into attacks on civilians in times of peace,” said Smith at the RSA Conference in San Francisco, echoing the language of the Geneva Convention. “We need to call on the world’s governments to come together [as] they came together in 1949 in Switzerland.” Smith, who is also Microsoft's chief legal officer, has recently lobbied for legal reforms to update privacy and security protections for the Internet era (see "Microsoft's Top Lawyer Becomes a Civil Rights Campaigner").

Smith listed six requirements such an agreement might lay on countries, for example not to target private companies or critical infrastructure with digital campaigns.

He said the 2014 attack that crippled Sony Pictures—an attack the U.S. blamed on North Korea—was an example of the kind of event that shows the need for international agreement on hacking. North Korea is believed to have targeted Sony because of its displeasure with the movie The Interview, which satirized its leader, Kim Jong-Un.

Smith cited a 2015 agreement signed by China and the U.S. pledging not to conduct or encourage corporate cyberespionage as evidence that international diplomacy can rein in what happens in cyberspace. Security experts and the U.S. government had complained for years that China’s military helped steal corporate secrets. China has always denied such claims, but U.S. officials and security companies say the incidence of attacks from the country has dropped (although some experts remain skeptical of the cause). The G20 later signed a similar compact.

Smith’s sentiments about the importance of diplomacy in tackling what is often seen as a technical problem were echoed Tuesday by Michael McCaul, chair of the House Homeland Security Committee.

Countries would always differ in their attitudes on privacy and security, but coördination is necessary to prevent cyberattacks causing serious harm, said McCaul, also speaking at RSA. “The U.S. should be engaging with overseas partners,” he said. “We must develop clear rules of the road when it comes to cyberwarfare.”

McCaul cited evidence that Russia had used hacking to try to influence the U.S. presidential election as an example of the consequences of loose policies on cyberattacks. Russian-backed hackers have also been accused of taking down power grids in Ukraine last year.

Mikko Hypponen, chief security officer with F-Secure, who has helped chart the rise of government malware, told MIT Technology Review that the idea of something like a digital Geneva Convention is plausible. But despite rating the U.S.-China agreement as a success, he’s skeptical that anything like it will come anytime soon.

Hypponen recommends looking to a different period in history as a model for how the next few years of the cyberwar era will play out. “This arms race is in the early days,” he says, because nations still sense they have much to gain over competitors by aggressively expanding digital espionage and attack capabilities. “I believe we will get to disarmament and control in the end as we did with nuclear weapons, but it’ll take a while.”
