Digital Geneva Convention
an unlikely Digital Humanist steps into the ring to pacify the cyber realm
Brad Smith, Microsoft’s President and Chief Legal Officer has called for a Digital Geneva Convention, to protect users and establish methods to hold nation-states accountable for state-supported cyber attacks.
In coincision with the second iteration of the Tallinn Manual - an academic study which looks at how international law applies to state cyber conflicts — Brad Smith made a declaration that sees a corporate giant throw its weight behind a policy of digital humanism. Microsoft’s proposal as outlined by their CLO aims to “commit governments to implement the norms needed to protect civilians on the Internet in times of peace,” and is the latest in a series of events intended to press nation-states towards formally establishing a code of conduct for state policy involving the cyber domain.
The declaration is clear: there must be a collaborative “protective defence”, created and managed from the private-sector, but which also has the necessary state-endorsed investigatory abilities to establish attribution. This collaborative defence organism would act as a digital UN Peacekeeping force: neutral from state; serving only to protect the citizens and hold states accountable for their involvement in cyber aggressions.
Why a Cyber Geneva Convention?
The fourth Geneva Convention detailed the protections of civilians and prisoners during times of war. The war itself is not in evidence; to the mind of Microsoft, this is the point. Smith proposes a new convention affording protections for all during times of peace. The explicit recognition of affording rights akin to wartime to civilians outside of war is reflective of the way with which cyber operations are conducted by states.
In recent years state-supported cyber operations are becoming increasingly valuable political tools. In 2008 Russia was the suspect antagonist behind a massive cyber attack on Estonia’s financial system; then, in 2011, a suspected US-Israeli advanced cyber weapon named the ‘Stuxnet Worm’ was uncovered accidentally by an Iranian engineer at a targeted nuclear plant. As recently as February of 2017, the Ukrainian government has accused Russia of conducting cyber operations to target critical infrastructure. Each of these incidents, attacks on public infrastructure, occurred during notional peace time between states;each had the capacity to be devastatingly damaging to the targeted state and their population.
It is important to note the contrast in response: had these attacks been conducted outside of the cyber domain and instead by more traditional military actions, the consequences would have been resounding and global, thoroughly in tune with a pre-existing set of real-world humanist ideals that are insured with a great deal of history. Had Russia physically destroyed servers or critical infrastructure using troops, there would be grounds aplenty to classify these as acts of war. Yet, because these attacks were conducted in the cyber domain, law dictates that there is necessarily a difference. This is why Brad Smith has explicitly noted the importance of a Digital Geneva Convention standing during peace times; because, if recent operations are anything to go by, state cyber attacks are just as, if not more, likely to be conducted in times of peace, as they are during times of war. Left in an unreformed system, civilians of part digital-societies will always be in the crossfire: as vitally as it would be in the physical world, adequate protections must be afforded to them at all times.
The potential for the establishment of a normative framework
At present, the cyber domain could be characterised more as a “cyber wild-west” then a structured system with rules applicable to every user. There is no framework agreeable to all states to; thus there is a disparity in the way states view their position in this domain. This disparity creates a multi-tiered system whereby states are left to decide how they should conduct themselves, a notion that carries inherent dangers. Such ambiguity in an essentially legal framework breeds opportunity for actions which may be illegal in the physical world; however, because they are not explicitly banned in the cyber domain, states can justly conduct such questionable operations without fear of prosecution.
A Digital Geneva Convention would codify a set of rules which all signatories would have to abide by, thereby reducing the opportunity for states to conduct explicitly illegal actions without having to face consequences from the international community. Although there is an argument to be had about the effectiveness of international law in practice, some semblance of a structure should bring a sense of civility to a currently unclear area of international law.
This declaration has come at an opportune time. Recently America and China, who have conducted aggressive cyber operations against each other have agreed to stop state-sponsored cyber attacks on private businesses and this in turn led to a similar agreement by other states. Although this is not an agreement to stop state attacks against critical infrastructure, it is progress that has been longed for by many involved with cyber technologies and is evidence that states are willing to commit to agreements which are beneficial for all users and not just the states themselves.
Considering the high-state of tensions in the international community at present, a Digital Geneva Convention could be greatly beneficial for the health of state relations. The convention necessitates cooperation over conflict where all states are accountable to not only other states, but the private sector which includes civilians across the world. The process of working towards a general convention may subvert the general feelings of animosity by showing world leaders that cooperation is possible regardless of the current international environment.
It is not only established “cyber-integrated” states that would benefit from a Digital Geneva Convention. At present 60% of people do not have access to the Internet and it stands to reason that some states have not developed an as advanced-cyber infrastructure as others. The creation of a Digital Geneva Convention could mean users and states developing their cyber capabilities would enter a regulated domain with clear rules which can assure a level of protection to aid governments as they further develop methods to integrate cyber-capabilities in their foreign and domestic policies.
Brad Smith and Microsoft deserve credit for trying to steer nation-states towards formal legislation in the cyber domain. It is often the case that private businesses are at the forefront of cyber attacks from many states wishing to access private data and although cyber security can help protect businesses, it can only go so far. The introduction of a Digital Geneva Convention as proposed by Smith is a sure way of changing how states conduct cyber operations and would hopefully lead to states being less pursuant of using cyber attacks as a means to conduct aggressive foreign policies.
Original link to Brad Smith’s declaration: https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/
Side note from the author: A follow-up article addressing the important role of the private sector in Smith’s declaration will follow over the coming weeks.
