In 2017, Microsoft President Brad Smith presented a project to bridge diplomacy and cyberwarfare: a Digital Geneva Convention. Cyber is considered the 5th battleground after land, sea, air and space. Broadly speaking, there are two types of cyberattacks: those led by private actors and those led by sovereign states. In both cases, the weapons are computer programs and electronic devices – including the ones in our pockets.
The proposal came a few months after President Donald Trump’s election in the US, whose victory has been stained by allegations of support from Russian intelligence and disinformation campaigns. Brad Smith explains that a ‘new arms race’ is taking place and that the Digital Geneva Convention would seek to protect civilians from sovereign-led cyberwarfare such as election meddling.
One event is often considered the tipping point in cyberwarfare. In 2010, the US led a cyberattack on Iranian nuclear facilities. Without firing a single shot, thanks to a computer worm called Stuxnet, they managed to neutralize around a thousand fuel enrichment centrifuges. According to New York Times correspondent David Sanger, this opened a Pandora’s box for other states to ramp up their cyber capabilities.
The defence community considers that the new first step of warfare in the digital age consists of unplugging a country before actually sending ‘real’ troops. Consider how much harm was inflicted upon UK hospitals when they were attacked in 2015, allegedly by Russia. Of course, the British looked on the bright side of life and jokingly referred to the NHS as the ‘national hacked service,’ but this paints a scary picture of the potential damage to civilians a large-scale cyberattack could cause. The widespread adoption of cloud technologies and the Internet of Things only adds to the urgency.
Imagine the ethical issues at play if a hostile state could remotely turn electronic devices rogue in thousands of people’s households, in the same fashion as the US made Iranian centrifuges spin much faster than they should. A Black Mirror scenario of making thousands of people’s smartphones overheat and explode remotely does not seem so far-fetched. In that case our pockets would be filled with weapons… aimed against ourselves. This risk will only increase as, for instance, connected ovens, watches and self-driving cars become more popular.
What would Microsoft’s Digital Geneva Convention contain? To name a few proposals from its policy paper: refraining from attacking infrastructure whose disruption would affect the safety and security of civilians (e.g. hospitals, electric grids), refraining from disrupting the global economy (e.g. financial institutions), agreeing to non-proliferation of cyberweapons, and not targeting data held by journalists or citizens involved in electoral processes.
Acknowledging that it would of course not be possible to get sovereign states on board immediately, Microsoft started a number of initiatives to advocate for its proposal. It initiated a ‘Tech Accord’ in which tech companies pledge to ‘commit to act responsibly, to protect and empower our users and customers, and thereby to improve the security, stability, and resilience of cyberspace.’ Other major tech players such as Facebook or Cisco have joined the Accord. Microsoft also launched the ‘Digital Peace Now’ initiative, in an effort to streamline and coordinate other actors joining its advocacy campaign.
Smith insists that companies such as his have a special responsibility regarding cybersecurity and warfare. In his own words: ‘The tech sector plays a unique role as the internet’s first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral digital Switzerland that assists customers everywhere and retains the world’s trust. (…) The world has literally, in that regard, been turned upside down from protecting civilians in times of war to attacking civilians in times of peace.’ The metaphor amounts to a call for a Cyber Red Cross (called Computer Emergency Response Teams in the policy paper) to counter the new nature of the cyberthreat, which is both clandestine and unpredictable.
There were already several initiatives emanating from the public sector, for instance the Tallinn manuals commissioned by NATO and the Budapest Convention on cybercrime from 2001, but these did not get enough traction and quickly became outdated. They all essentially relied on the Charter of the United Nations, which states that an act of aggression can only be considered to have taken place if armed forces are brought within the borders of another country. In the age of the internet, this definition is insufficient.
However, the proposal has several critics. At the time of writing, Amazon, Apple and Google have not signed the Tech Accord. This of course does not mean that they are against it, but it signals some issues with the proposal. David Sanger summarized the criticism well: ‘Cyberweapons are in the hands of states, terrorist groups, criminal groups, and teenagers. Most of those don’t sign treaties. (…) I find this the least bad idea in a series of bad ideas out there on how to go deal with cyber.’ Other critics accuse Microsoft, and by extension Silicon Valley, of double standards and conflicts of interest in trying to separate itself from government warfare.
It is well documented that the US military has, since the origins of Silicon Valley, been an important client and that the Pentagon had in the past commanded tech companies to include backdoors in their devices so it could spy on other countries – something it now fears China would be doing with Huawei. Furthermore, Dustin Lewis, senior researcher at the Harvard Law School Program on International Law and Armed Conflict, explains that ‘A key question becomes whether the Microsoft proposal is likely to do more damage by questioning the applicability of international law or to have more beneficial effects by spurring interest in legal norms.’
Another major issue is that if the private sector decided to refuse absolutely any involvement in cyberattacks, it would lead to ‘refusing to prevent things the whole world wants to prevent’ such as attacking a genocidal regime, as Sean Kanuck, cybersecurity director at the International Institute for Strategic Studies, told the Financial Times. It has also been said that the constant analogy with traditional forms of warfare could backfire and perpetuate an atmosphere of conflict in cyberspace.
In spite of all this, Microsoft’s proposal for a Digital Geneva Convention has been widely welcomed. It is a much-needed initiative to create some sense of an international framework to regulate cybersecurity and cyberwarfare. Even if these efforts take years or decades to result in global multilateral agreements, they draw on concrete examples such as the 2015 China-US agreement to limit corporate cyberespionage.
It also forces conversations about the protection of civilians in that context, and the influence of the private sector in global affairs. Most importantly, it urges the international community to take action in a world in which, as Chinese President Xi Jinping put it: ‘without cybersecurity there is no national security.’