Microsoft calls for ‘digital Geneva Convention’
Company president urges tech neutrality
In a policy speech that put Microsoft front and center in the shifting ground of politics and nationalism, company President Brad Smith said tech companies must declare themselves neutral when nations go up against nations in cyberspace.
“Let’s face it, cyberspace is the new battlefield,” he told an overflow audience in the opening keynote at the RSA computer security conference.
Tech must be committed to “100% defense and 0% offense,” Smith said.
Smith called for a “digital Geneva Convention,” like the agreement reached in the aftermath of World War II that set ground rules for conduct during wartime and defined basic rights for civilians caught up in armed conflicts.
The speech was echoed in a blog post on Microsoft’s site that went up Tuesday morning.
The world’s governments need to pledge that “they will not engage in cyberattacks that target civilian infrastructure, whether it’s the electric grid or the political system,” Smith said.
The digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyberattacks aimed at civilian targets.
Smith listed a string of cross-border cyber incidents, beginning with the North Korean attack on Sony Pictures Entertainment in 2014, moving to thefts of intellectual property by China in 2015 and ending with last year’s alleged involvement by Russia in the U.S. presidential election. “We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks,” Smith said.
Technology companies, not armies, are the first responders when cyberattacks occur, he said. They must not respond in kind or aid governments in going on the offensive, Smith said.
“Even in a world of growing nationalism, when it comes to cybersecurity, the global tech sector needs to operate as a neutral digital Switzerland,” Smith said. “We will not aid in attacking customers anywhere. We need to retain the world’s trust.”
He called for the creation of an autonomous organization, like the International Atomic Energy Agency, which polices nuclear non-proliferation.
“We need to make clear that there are certain principles for which we stand, that we will assist and protect customers everywhere. We will not aid in attacking customers anywhere, regardless of the government that may ask us to do so,” Smith said.
Claudio Neiva, a network security research director with analyst firm Gartner, noted that it’s easier for Microsoft and other large companies to commit to taking no offensive cyberaction because they have the money and staff to pursue legal action. “They’re being offensive by using legal measures, so it’s just a different way of doing things,” he said.