SAN FRANCISCO — With nation-states now conducting cyber attacks against civilians, it’s time for a digital equivalent to the Geneva Convention, Microsoft President Brad Smith said in his RSA Conference keynote here today.
What he’d like to see is an equivalent to the Fourth Geneva Convention of 1949, in which nations agreed on protections for civilians in time of war.
This probably isn’t something that will happen on its own. Smith’s point was that people and companies have to push for it. “Now is the time for us to call on governments to protect civilians on the Internet in times of peace,” Smith said.
It’s specifically the nation-states’ use of cyber attacks that this convention would address, Smith said. Cyber attacks have always been problematic, but what’s worrisome is that they’ve evolved beyond the worlds of enthusiasts or even normal criminals to become a tool of war.
Smith cites the 2014 Sony hack as a turning point, not only because it was carried out by North Korea (North Korea denies it), but because the attack was against a nongovernment target for reasons other than espionage.
A more recent example, possibly with deeper ramifications, was last year’s hack of the Democratic National Committee, believed to have been conducted by Russian government hackers.
“It is a different kind of battlefield than the world has seen before,” Smith said. Security experts “are not only the plane of battle, we are the world’s first responders.”
What would Smith hope to see come out of a Digital Geneva Convention? He’d like for governments to agree not to target civilians, much as in the real Geneva Convention, and for them to pledge to work with the private sector to fix vulnerabilities. An agreement to not stockpile vulnerabilities would be a key step too, he said.
This could be policed by an independent organization similar to the International Atomic Energy Agency, which seeks to avoid proliferation of nuclear weapons. Smith envisions the digital organization being populated by experts from the public sector and academia, people who could investigate attacks and hold nation-states accountable for them.
The technology industry itself would have to live up to some promises too, he said.
“Even in an age of rising nationalism, we as a global technology sector need to become a trusted and neutral digital Switzerland,” he said. “We need to be a global industry that the world can rely on to play 100 percent defense and zero percent offense.”
Chris Young, senior vice president of Intel Security (soon to be spun off as McAfee), followed Smith’s keynote, highlighting a few of the industry-collaborative efforts that have been coming together. They’re small steps, he noted, but they work toward the common goal of making technology safer — and more importantly, they show that big industry names can work together.