Microsoft calls for “digital Geneva Convention”
In a major policy speech aimed at rising nationalism, Microsoft president Brad Smith said tech companies must declare themselves neutral when nations go up against nations in cyberspace.
“Let’s face it, cyberspace is the new battlefield,” he told an overflow audience in the opening keynote at the RSA computer security conference.
Tech must be committed to “100% defense and zero percent offense,” Smith said.
Smith called for a “digital Geneva Convention,” like the one created in the aftermath of World War II, which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts.
The speech was echoed in a blog post on Microsoft’s site that went up Tuesday morning.
The world’s governments need to pledge that “they will not engage in cyberattacks that target civilian infrastructure, whether it’s the electric grid or the political system,” Smith said.
This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks by nations aimed at civilian targets, which appears to effectively mean anything but military servers.
While Europe and other nations are also experiencing a rise in nationalist feelings, it is no accident that Smith’s talk comes just three weeks after Donald Trump was inaugurated the 45th president of the United States. Trump’s aggressive stance — warning Iran, for instance, that it’s been put “on notice” — has caught the attention of the world and made tech companies uncomfortably aware that their realm — cyberspace — is also a likely battlefield when hostilities break out.
Smith listed a string of increasingly threatening cross-border cyber incidents, beginning with the North Korean attack on Sony Pictures Entertainment in 2014, continuing with thefts of intellectual property by China in 2015, and ending with last year’s Russian involvement in the U.S. presidential election.
“We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks,” Smith said.
Technology companies, not armies, are the first responders when cyber attacks occur, he noted. But they cannot, and must not, respond in kind or aid governments in going on the offensive, Smith said.
He called for the creation of an autonomous organization, something like the International Atomic Energy Agency that polices nuclear non-proliferation.
“Even in a world of growing nationalism, when it comes to cybersecurity the global tech sector needs to operate as a neutral Digital Switzerland,” Smith said.
“We will not aid in attacking customers anywhere. We need to retain the world’s trust.”
What this appears to mean in the near term is that tech companies should refuse to aid governments, even the government of the country they are based in, in attacking other nations. That could mean not building backdoors into programs sold in other countries and not taking part in work to create cyberweapons.
Some of this groundwork has already begun. In 2015 the United Nations made a recommendation for cybersecurity norms around country-sponsored cyber attacks.
Later that year the United States and China vowed to cooperate on cybersecurity and specifically the touchy issue of intellectual property theft. That was followed by the Group of 20 affirming the same principles.
Claudio Neiva, a network security research director with analyst firm Gartner, did note that it’s easier for Microsoft and other large companies to commit to taking no offensive cyber action because they have the money and staff to pursue legal action.
“They’re being offensive by using legal measures, so it’s just a different way of doing things,” he said.
Microsoft, which does business in 190 countries, clearly sees itself as an international company responsible to its global customers.
“The world’s governments need to pledge that ‘they will not engage in cyberattacks that target civilian infrastructure, whether it’s the electric grid or the political system,’ Smith said.”
What world does this guy live in?
“tech companies should refuse to aid governments, even the government of the country they are based in, in attacking other nations. That could mean not building backdoors into programs sold in other countries and not taking part in work to create cyberweapons.”
I’m looking at you, NSA..