Cyberattacks by nation states are becoming so unrestrained that civilians urgently need the protection of an internet version of the Geneva Convention, Microsoft’s chief legal officer Brad Smith told an audience at this week’s RSA conference in San Francisco.
According to Smith, the lack of international norms over how nations should behave on the internet was leading the world, little by little, into dangerous territory.
A warning light was the massive hack of Sony in 2014, widely seen as a revenge attack by North Korea. By 2016, the Russians were being accused of undermining democracy itself by hacking and leaking data during the US presidential election, he said.
With attacks plausibly connected to nations multiplying, mostly out of sight, tech companies were struggling to respond to something much bigger than them. In only a few years, civilians and public infrastructure had become fair game, he said:
We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks.
Heading off trouble would require a digital version of the Fourth Geneva Convention, agreed in 1949 to protect civilians from harsh treatment during wartime, he added:
The time has come to call on the world’s governments to come together, affirm international cybersecurity norms that have emerged in recent years, adopt new and binding rules and get to work implementing them.
Under this, governments would agree to avoid attacking critical infrastructure, or hacking and stealing intellectual property to undermine economies.
The idea of writing down cyber-rules goes back at least to 2012, when Britain’s then Foreign Secretary William Hague used the Budapest Conference on Cyberspace to sketch out some first principles.
Despite a follow-up UN-brokered agreement covering 20 nations agreed in 2015, events in the real world suggest most of this has ended up as fine words. Attacks have accelerated dramatically, leaving well-behaved nations to wonder whether they shouldn’t be joining in order to dodge the bad side of a zero-sum game.
Imposing rules on cyberspace is inherently difficult, starting with the slippery issue of attribution. If you can’t be certain who was behind an attack, how can a nation be held to account under a convention?
In Smith’s view, this is why the rules would have to be administered by an independent global body with enough power to “investigate and share publicly the evidence that attributes nation-state attacks to specific countries”.
It’s a suggestion that aims a side-swipe at the consensus that internet security is best left to the private sector under the supervision of nations and government agencies – a status quo backed, of course, by the US.
But what if these same government agencies are part of the problem? It’s like the old adage of gamekeepers who enjoy a bit of poaching on the side. The lure of cyberwarfare is simply too great for some nations because it is a cheap, low-risk way of evening up economic, military and geopolitical disadvantage. Covert cyberwarfare has become the great leveller.
As appealing as a Digital Geneva Convention sounds, it is more likely that bad internet behaviour by nations will eventually be curbed by real-world events. Someone will eventually miscalculate and a price will be paid. All we can be sure of is, should that day arrive, nobody will emerge unscathed.