Microsoft: Proposed 'Digital Geneva Convention' Must Neutralize Nation-State Cyberattacks
Microsoft President and Chief Legal Officer Brad Smith's call for a "Digital Geneva Convention" would seek to forge ties with international governments and the tech sector committed to the nonproliferation of cyberweapons and to making "the Internet a safer place," with the goal of putting an end to nation-state attacks. Smith proposed the neutral organization, comparable to the International Atomic Energy Agency and its focus on the non-proliferation of nuclear weapons, during his Tuesday RSA Conference keynote address.
Smith's "Digital Geneva Convention" would have the scope of a global convention that would, among other things, call on the world's governments to disengage from nation-state attacks against targets in the private sector, pledge to respond to vulnerabilities and put an end to the spread of vulnerabilities by sharing them with appropriate tech providers. Acknowledging the rise of nationalism, the "global technology sector needs to become a trusted and neutral digital Switzerland," Smith told RSAC 2017 attendees.
"We need governments to take the page out of the 1949 Geneva Convention, and other instruments that have followed," Smith continued. "We need an agency that brings together the best of the best and the brightest in the private sector, in academia and public sector. We need an agency that has the international credibility to not only observe what is happening but to call into question and even identify attackers when nation-state attacks will happen."
Smith emphasized that this organization must be global and neutral. This would help ensure that the group would focus on providing 100 percent defense and would not support offense-based counterattacks. Technology providers must also make clear that they will assist and protect all customers irrespective of the country they're from and commit to refusing to aid government-sponsored attacks on customers.
"These two principles have been at the heart and soul of what we've been doing. We need to stay on that path," he said. "We need to make the case to the world that the world needs to retain its trust in technology. And regardless of a government's politics, or policies or individual issues at any moment in time, we need to persuade every government that it needs a national and global IT infrastructure that it can trust."
In his remarks, echoed in a blog post, Smith emphasized that the Internet is based on infrastructure provided by private companies, which are the "first-responders" to nation-state attacks and therefore have a responsibility to commit resources accordingly. Smith plugged Microsoft's own efforts, which include the $1 billion per year it spends on security, last year's release of Advanced Threat Protection for Exchange Online, which identifies malware and suspicious patterns within the content of messages, and, more recently, the addition of Office 365 Threat Intelligence. Smith also mentioned Microsoft's new Office 365 Secure Score, a tool launched last week that helps administrators assess risk factors.
Where this will go remains to be seen, but Smith's choice to use his opening keynote at RSAC 2017 as the podium to propose this "Digital Geneva Convention" suggests he wanted it to be heard. RSAC is the largest gathering of information security professionals, policy makers and law enforcement officials and is perhaps the most viable vehicle to get talks started. It will require a strong show of force and a willingness of governments with conflicting interests to come together, which, of course, is no easy task. However, despite the obstacles, there's too much at stake to remain idle.
Posted by Jeffrey Schwartz on 02/15/2017 at 12:36 PM