The modern digital world is as much characterized by nation-sponsored cyber-attacks as it is by criminal cyber-attacks – and Microsoft is calling for an international cyber Geneva Convention to protect business, users and critical infrastructure before it spirals out of control.
In a blog post this week, President and Chief Legal Officer Brad Smith describes The need for a Digital Geneva Convention “that will commit governments to protecting civilians from nation-state attacks in times of peace.” Within this model, he sees the tech industry as ‘a neutral Digital Switzerland’ occupying the role of the Red Cross. It is a popularized re-working of arguments presented By Scott Charney’s June 2016 paper, An organizing model for cybersecurity norms development.
Smith also spoke on the topic at this week's RSA Conference in San Francisco.
Smith believes that the time is right. “Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace.”
Key to this idea will be an international adoption of norms; that is, shared expectations of appropriate behavior. Various organizations have been working on such norms. “UN GGE, G20, US-Sino bilateral agreement all have worked toward shaping the appropriate and mutually agreed-upon behavior in the digital domain,” explains Andrea Limbago, Chief Social Scientist at Endgame and formerly Senior Technical Lead at the Joint Warfare Analysis Center.
“Are we at the beginning of a sea change in what the international community decides is acceptable behavior?” asked Jeff Moss, founder of Black Hat and DEF CON in September, 2016. “It doesn’t have to be a treaty; it can just be a norm. The next administration is going to have to drive those norms of behavior.”
But Brad Smith goes to the next step. He is arguing for just such an international treaty loosely modelled on the Fourth Geneva Convention. Is such a treaty feasible? It would require the international adoption of norms of behavior, coupled with the ability to definitively attribute wrongdoing.
Smith explains that the norms underpinning his convention “should commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property. Similarly, it should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”
The first two elements are uncontroversial: governments should not attack other nations, and governments should assist the private sector in recovering from such attacks. The third, however, is difficult: it commits governments to effective cyber weapon disarmament.
The US/China bilateral agreement in late 2015 is cited as the green shoots of norms development. The two countries “made important progress in 2015 to ban intellectual property cyber-theft.” Noticeably, however, while commercial espionage was banned, political espionage was omitted. Smith’s norms, however, would effectively neutralize government agencies’ ability to hack and spy.
The US/China agreement ultimately led to several countries, including the US, voluntarily adopting ‘norms of state behavior in cyberspace’, explains Fortinet CISO Phil Quade, who previously served as Chief of the National Security Agency (NSA) Cyber Task Force. “These norms,” he explains, “helped to establish guidelines like not stealing intellectual property for commercial gain, not attacking critical infrastructure, not using CERTs for offensive actions, and cooperating with government law enforcement in their cybercrime investigations.” But, he added, they are “designed to exclude government intelligence activities.”
“Nation states have invested too much time, attention and money into cyber warfare and espionage machines to turn back the dial,” warns Eric O’Neill, currently Carbon Black's National Security Strategist, but formerly a member of the FBI’s Special Surveillance Group. It is unlikely that governments will include themselves in the norms they might otherwise endorse.
Accurate attribution is essential for the effective operation of norms. Without it, there would be nothing to stop individual nations flouting them with impunity. “Cyberespionage,” says O’Neill, “relies on the difficulty of attribution, anonymity, and ease of access from anywhere in the world. When the U.S. has caught Russia, North Korea, Iran and China spying, probing our critical infrastructure, attacking our business, and stealing our data, each country staunchly denied the acts.”
Put simply, irrefutable technical attribution is impossible. But based on accumulative intelligence – from SIGINT, field agents, geopolitical analysis and more – one nation’s intelligence community can definitively attribute attackers – but only to its own government. It will not reveal full information on its methods of attribution to foreign countries, leaving continuing room for doubt.
Smith’s, and indeed, Charney’s, solution is an independent international committee of experts. “In addition,” wrote Smith, “a Digital Geneva Convention needs to create an independent organization that spans the public and private sectors. Specifically, the world needs an independent organization that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries.”
There are two problems here: firstly, can such an organization succeed in genuine attribution without full intelligence community cooperation; and secondly, will all nations accept that attribution? “I think the logistics that would need to be involved to somehow accurately monitor and identify who is doing what to who is nearly impossible,” comments Nathan Wenzler, chief security strategist at AsTech; “especially considering the ease in which a malicious actor can hide, obfuscate, redirect, bluff and otherwise mislead where they're performing attacks from. For an organization like this to be successful, accurate proof which all parties involved can agree is correct would be the key. But the very nature of technology today would make that difficult at best. And even if you can monitor all traffic accurately, there would still be difficulty in getting the political factions involved to agree with the findings.”
Cyber Geneva Convention
A cyber Geneva Convention (that is, the formalization of agreed norms and accurate attribution into a binding international treaty) seems unlikely. Even beyond attribution, how do you sanction nations that have flouted the norms? As Phil Quade comments, “Rogue governments tend not to pay much attention to ‘norms of behavior’.”
A treaty would require teeth. “Any plausible Cyber Geneva Convention would require agreement on sanctions for a nation member that violates the convention,” says O’Neill. “Because attribution is extraordinarily difficult, these penalties may lack teeth if the convention cannot enforce them.”
There are other problems. Quade again: “The norms are for a peacetime environment, yet the boundaries for what constitutes peacetime or wartime in cyberspace are rarely clear.”
There can be little doubt that the path to an international convention on norms of acceptable cyber behavior is difficult if not impossible.; yet it remains a dream worth pursuing. Andrea Limbago suggests the world is currently caught between the impossibility of a convention and the distinct need for one.
“In the near and even mid-term,” she said, “a digital Geneva Convention is neither feasible nor likely, but that does not detract from the necessity to pursue forums and agreements to shape those proper guardrails of behavior within the digital domain; that is, norms. Basically, there is an urgent need for working toward those same goals, while a Geneva Convention remains years, decades away if it will ever occur.”
She believes that the internet is at an inflection point, poised between what she describes as multi-stakeholder and cyber sovereignty. Keys to the former are global internet freedoms, a balance between security and privacy, social integration and an understanding of what is ‘off limits’.
The latter is complete economic, social and political government control of the internet within national boundaries. It is disguised as nationalism and typified by surveillance, censorship, propaganda and disinformation. And it is already happening in Russia, China, Iran and elsewhere. Even the United Kingdom can now be described as a surveillance state with the sweeping powers given to law enforcement and intelligence agencies via the Investigatory Powers Act.
The balkanization of the internet is already in progress. It will be a problem and a difficulty for individuals; but it could prove a disaster for the large international companies currently operating across national boundaries – such as Microsoft. Internationally agreed norms of acceptable cyber behavior ultimately leading to a cyber convention could maintain and improve the democratic nature of the multi-stakeholder global internet.