You Are the Target of Today’s Cyberwars

A Microsoft executive argues that civilians bear the brunt of hostile countries’ cyberattacks, and need protections.

Jeremy Hsu
Backchannel
Mar 2, 2017

Microsoft President and Chief Legal Officer Brad Smith. (Jean-Christophe Verhaegen / Getty Images)

On Valentine’s Day, a Microsoft executive offered a love note to the internet. He called it a Digital Geneva Convention: a new philosophy for the web to protect everyday people from the malicious attacks of hostile countries.

Brad Smith, Microsoft’s president and chief legal officer, argues that as nations engage in increasingly sophisticated cyberattacks, “the targets in this new battle — from submarine cables to data centers, servers, laptops and smartphones — in fact are private property owned by civilians.” (By civilians, he also means companies.) If the attackers had used guns and bullets, the aggrieved country’s military would have sprung into action. But in the realm of cyberattacks, nations extend no such protections.

This is the oversight that Smith seeks to fix by drawing an analogy to the treaties that govern traditional war. The Geneva Conventions form the backbone of humanitarian law, protecting civilians and wounded military personnel during times of combat. Smith believes governments need to back a similar agreement to cover victims of cyberattacks by nations — even though the targets now are human-generated data, not lives.

Concerns over Russia’s meddling in the US election have made it abundantly clear that state-sponsored cyberattacks have advanced to a new level. Any one of us, by virtue of our personal or professional associations, can become a target of a hostile country’s online skullduggery. Though we all bear some responsibility for securing our digital lives, the bulk of our online self-defense lies outside our control, in the hands of the companies controlling our data. Protections for civilians caught in the crosshairs now need to evolve, as well.

Microsoft’s Smith is urging global tech companies to act as a “neutral Digital Switzerland” committed to “100 percent defense and zero percent offense.” Such an alliance might not on its own keep state-sponsored hackers at bay. But given how vital tech companies are to our digital infrastructure, we might have no other choice.

When North Korea attacked Sony Pictures in 2014, it was seen as nothing less than a foreign power’s assault on freedom of expression. “We cannot have a society in which some dictator someplace can start imposing censorship here in the United States,” said President Barack Obama at the time. In retaliation, the US imposed new financial sanctions and may have caused a blackout of North Korea’s internet. That was just an early hint of what was to come.

Since then, a purported hacking collective known as Fancy Bear, which several security firms believe receives support from the Russian government, has racked up an impressive record of high-profile attacks. Beyond hacking the Democratic National Convention and the German government, Fancy Bear also appears to have gone after private companies and individuals. It has compromised the French TV station TV5Monde; several people associated with Bellingcat, the citizen-journalist group that investigated the downing of a Malaysian plane over Ukraine; and, in late October, many Microsoft customers.

So perhaps it’s no surprise that Microsoft is feeling sensitive to the actions of state-sponsored hackers.

Under Smith’s plan, a Digital Geneva Convention would “commit governments to avoiding cyberattacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property.” He argues that governments need to step up because global tech companies have been drafted as “first responders” to the assaults of digital spies and saboteurs. In his post he cites a 2016 case in which Microsoft identified a nation-state-sponsored group that was conducting attacks using internet domains with names that spoofed the trademarks of companies. (Though he chose not to name the group, the example bears a striking resemblance to the Fancy Bear incident mentioned above. Microsoft declined to comment.) Smith says that Microsoft has worked with a federal court to take down 60 domains associated with nation-state attacks in 49 countries.

But tech companies cannot fight this war alone. That is why Smith’s plea has already generated some buzz. Eugene Kaspersky, a prominent Russian cybersecurity expert and head of Kaspersky Lab, hailed it as a “historic” call to action. US cybersecurity experts also praised Smith for calling attention to the need for protection against nation-state cyberattacks, but almost in the same breath noted that a Digital Geneva Convention would be hard to execute.

“He wants governments to agree to lay off the internet,” says Bruce Schneier, a security technologist and author of the blog Schneier on Security. “I think it’s a great idea, because I do think we need norms for what is off limits. But the devil is in the details, and there are a lot of details.”

For example, Smith calls for an independent organization to hold countries accountable for cyberattacks. No existing body even attempts that, says Herbert Lin, a senior research scholar for Cyber Policy and Security at Stanford’s Center for International Security and Cooperation. The next best thing might be a pledge that Obama and China’s president Xi Jinping made in 2015, promising that “neither country’s government would conduct or support cyber-enabled theft of intellectual property.” Two months later, that agreement led the Group of Twenty to affirm the same principle.

A cynical “Game of Thrones” saying comes to mind here: “Words are wind.” But if you don’t ever say the words, you can’t start shaping behavior.

“There’s general consensus that the Obama-Xi agreement has achieved some desired outcomes — such as acceptance of the norm of no direct or indirect government support of cyber-enabled theft of IP or economic data,” says Amy Chang, a cybersecurity researcher at the Harvard Kennedy School. “That alone is a benefit of agreements like this one.”

Leading tech companies don’t actually need governments in order to take a stand themselves. Their independence has the effect of moderating government actions to some degree, says Scott Borg, director of the US Cyber Consequences Unit, a nonprofit research institute. “Major tech companies are supplying the world, not just one country,” Borg says. “So it’s very important that they be as neutral as they can and maintain as high a level of trust as possible. They need to do that as a service to the world and, of course, to protect their business.”

In the end, a “Digital Switzerland” might be the smartest way for tech businesses to claim the moral high ground. But even Switzerland, while neutral, has never renounced its arms. Tech companies may soon find themselves embracing a similar armed neutrality.
