Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace. (Brad Smith, President and Chief Legal Officer, Microsoft)
Microsoft’s call for a Digital Geneva Convention, outlined in Smith’s blog post last week, has attracted the attention of the digital policy community. Only two years ago, it would have been unthinkable for an Internet company to invite governments to adopt a digital convention.
Microsoft has crossed this Rubicon in global digital politics by proposing a Digital Geneva Convention which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’. Smith’s blog post initiates public discussion with many questions to be addressed. Here we will focus on a few of them.
The unthinkable has become almost inevitable
In the search for a more secure and stable Internet, global Internet companies need to work with governments. Any major fragmentation and disruption of the Internet would affect the core business model of Internet companies, based on global access to data. Governments are gaining more cyber-power to potentially disrupt the cross-border movement of data for different political ends ranging from security to censorship and taxation. If companies do not engage with governments and work together on reasonable policy arrangements, Internet companies could face major risks. More importantly, this would, in turn, also disrupt the now-global social and economic models based on a digital environment.
An element of surprise?
Microsoft has been particularly sensitive to the Internet as global public good.
In what can be described as a bold attempt to ensure observance of international law, Microsoft successfully opposed requests from US authorities to use the search warrant mechanism to access data stored on the company’s servers in Ireland. The Appeals Court’s ruling – which now stands, after the Court of Appeals for the Second Circuit denied a rehearing of the case – has had an enormous impact on the protection of data and the international operations of the major Internet companies.
Moreover, through its Global Security Strategy and Diplomacy Team, Microsoft is among the few ICT companies that have embraced diplomacy as an approach to shape global public policies After following closely the diplomatic dialogue shaping norms of state behaviour in cyberspace and confidence-building measures (CBMs), especially within the UN Group of Governmental Experts (GGE) and the Organization for Security and Co-operation in Europe (OSCE), Microsoft proposed a set of cyber-norms for states in 2015, which was further updated with the proposal of cyber-norms for the ICT industry in 2016.
The company’s proposal, therefore, did not come as a surprise. In this context, the proposal can be seen as the evolution of Microsoft’s diplomatic efforts in the field of international security and cyberspace.
What is the main aim of the Geneva Digital Convention?
The Geneva Digital Convention should create binding rules out of the voluntary norms on secure cyberspace developed by the UN GGE and regional organisations. A few additional norms could be added. Embedded within a convention, this set of norms could become a legal obligation, with the corresponding enforcement mechanisms. According to Microsoft's proposal, the convention should motivate states to adhere to the agreed norms.
What should the proposed Geneva Digital Convention regulate?
The six principles listed by Microsoft are typically based in national security, related to both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as the ius ad bellum principle, dealing with justification and prevention of conflicts; principles 3,4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable both in conflict and peacetime operations.
Policy issues related to the six principles are part of the mandate of the UN security bodies. The most active is the UN General Assembly’s First Committee, which is also the home of the UN GGE. Other UN bodies that may get involved in cyber security matters are the UN Conference on Disarmament and the UN Security Council.
Moving from the six principles, further in the text Microsoft’s arguments shift towards protecting citizens in the case of conflict – which in legal terms is known as ius in bello – or even broadly speaking towards what we might call human cybersecurity:
Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace.
Human security is anchored in the protection of human wellbeing. It encompasses economic, food, health, and environmental aspects, among others. Since human wellbeing increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.
If Microsoft’s proposal aims to focus on human cybersecurity (focus on the protection of individual users), this will inevitably bring developmental aspects into discussion – ensuring the availability of tools and means for people to achieve cyber wellbeing (access to the Internet, development of local content, etc.), as well as human rights issues, including a potential right to safe access to the Internet (analogous to developments in other human security areas that inspired rights to water, food, etc).
While governments may become the main sources of threat with their increasing cyber capabilities, they should be also the main enablers of a safe Internet, which is considered a global public good. This can be achieved only with co-operation and shared responsibility between government and the private sector, with the Internet industry as the key Internet player. More than 90% of Internet traffic and activities are conducted by private sector. Currently, most of the threats to civilians online comes from cyber-criminals exploiting the vulnerabilities of Internet applications.
As a practical example of public-private co-operation, Microsoft’s proposed principle No. 3 on responsible disclosure of vulnerabilities would increase the overall resilience of products and cyberspace, reduce cyber-armament by states, and limit the proliferation of state-built cyber-arms available to criminals.
How could a Geneva Digital Convention be implemented?
Smith introduced ideas aimed to serve as a potential inspiration for a multistakeholder implementation of the Convention. The involvement of other actors, beyond governments, in the implementation of the Convention makes a lot of sense. While governments should ensure rule-based digital governance, shared responsibility should involve the private sector that runs most of the Internet and the technical community that sets most of technical standards. Here are a few building blocks from Smith’s blog post, with a few comments.
In addition, a Digital Geneva Convention needs to create an independent organization that spans the public and private sectors. Specifically, the world needs an independent organization that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries.
An independent organisation should be public-private partnership that can deal with attribution – the main challenge in addressing cyber-attacks. Potential inspiration can be found in the Montreux process for private military and security companies which consists of:
- the International Code of Conduct for Private Security Providers (ICoC) – aimed at providing multistakeholder governance and international governance for private military and security companies.
- the ICoC Association, an organisational set-up, which certifies and monitors member companies and handles complaints of alleged violations of the code of conduct.
Smith also mentions the role of the International Atomic Energy Agency (IAEA) in nuclear non-proliferation as a possible inspiration for the future cybersecurity organisation. In this analogy between nuclear and cyber he stresses two elements: the centrality of technical expertise and public shaming for the violation of rules (‘Only then will nation-states know that if they violate the rules, the world will learn about it.’)
A question of technical expertise needed for attribution will be at the centre of future discussions on the Microsoft proposal and, indeed, other proposals. Microsoft suggests that international capacity for digital forensic should be built on expertise and experience that the Internet industry has already developed in dealing with cyber-attacks against their clients. While this could be the key input, digital forensic for international cyber conflicts would need additional robustness since attribution to cyber-conflicts could lead to the name-shaming of states with severe geopolitical consequences.
Smith also suggests the Red Cross as an inspiration for the future cyber arrangement. The main analogy is to the International Committee of the Red Cross (ICRC), the pillar organisation of the Red Cross movement and implementer of the Geneva Conventions. The ICRC is a private organisation under Swiss law with a public mandate provided by the Geneva Conventions.
Other parts of the Red Cross movement could also provide some inspiration, such as national organisations that have an auxiliary role to governments. They are not part of government structures, but they are legally recognised by governments as public actors in the humanitarian field. The role of CERTs (Computer Emergency Response Teams) could be upgraded in this direction. They may not be part of government but their role could be recognised as a public role in protecting civilians and entities in the event of a cyber-attack.
Achieving neutrality in cyber arrangements
Neutrality is frequently mentioned in the Microsoft proposal. Neutrality (or the lack of it) can make or break any future cyber arrangement. Microsoft links the proposal to Geneva ('Geneva Digital Convention') and Swiss neutrality (‘neutral Digital Switzerland’). As Geneva and Switzerland are sought for the establishment of good offices and as a mediator in times of traditional conflict, it may extend this role to cyber conflict and crisis. The centrality of Geneva – as an important hub for digital policy, among other policy areas – also comes into focus in the Microsoft proposal.
The future cyber governance architecture will be discussed in many contexts during 2017. The UN GGE will have to propose next steps after the conclusion of its mandate this year. The 12th Internet Governance Forum (IGF), which will be held in Geneva in December 2017, could be also a place where security, economic, technical, and other communities can converge to address Internet issues in a multidisciplinary way, without the pressure of reaching a binding commitment at the end of the meeting.
Microsoft’s proposal for the Geneva Digital Convention provides inspiring analogies and initiates discussion on the future of digital governance, in particular in the security field. While there are major differences among stakeholders, there is also considerable convergence and many common interests. Major actors from government and the business sector stand to lose in the absence of a unified and stable Internet. This common interest provides some optimism for the future discussions and negotiations on digital governance.