The world needs a digital Geneva Convention to counter state-sponsored hacking against citizens, Microsoft Corp. President Brad Smith said today at the RSA Conference on information security in San Francisco.
Smith said in a blog post that the world’s governments need to come together to agree to rules for protecting civilians in a new kind of conflict that involves attacks in times of peace, not just declared war.
“Cyberspace is the new battlefield,” he told attendees at the conference, which is expected to draw more than 45,000 people working in security. “Nation-state hacking has evolved to attacks on civilians in times of peace. This is not the world the Internet’s creators imagined 25 years ago.”
Just as other organizations stepped up in 1949 to ensure that rules of engagement don’t hurt people not involved directly in wars, tech firms need to take an active role in this new set of rules, he added in the blog post: “Just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies,” he said.
Smith’s call for the new organization follows a year of unprecedented attacks by nations on others, most prominently Russia’s apparent hacking and release of Democratic Party emails that U.S. intelligence officials said were likely motivated by a desire to help Donald Trump win.
He noted that there’s already a foundation for new international rules: In July 2015, government security experts from 20 nations recommended cybersecurity norms for nation-states “aimed at promoting an open, secure, stable, accessible and peaceful ICT environment,” such as barring governments from “engaging in malicious activity using information and communications technology or similarly damaging other nations’ critical infrastructure.” But so far, there is no widespread international agreement involving nations.
Smith suggested in comments during his keynote speech at the RSA Conference that President Trump could sit down with Russian President Vladimir Putin to “hammer out a future agreement to ban the nation-state hacking of all the civilian aspects of our economic and political infrastructures.” (No one in the audience hazarded a laugh.)
Smith said he envisions an independent organization that would disclose and investigate evidence of particular countries conducting cyberwarfare. He compared the organization to the International Atomic Energy Agency at the United Nations. “Such a convention should commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property,” he said in the blog post. “Similarly, it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.” He added that governments shouldn’t “stockpile vulnerabilities.”
Smith also called on technology companies to work together to shield Internet users from cyberattacks by governments, and to refuse to assist governments with activities aimed at those users that are not deemed appropriate. “We will not aid in attacking customers anywhere,” he said. “We need to retain the world’s trust.”
Not least, he said, individual users and companies need to be far more careful. “Every company has at least one employee who will click on anything,” he said.