Does the world need a digital Geneva Convention?

Arthur Piper, IBA Technology Correspondent

Businesses and governments are experiencing ever-increasing levels of data theft, security breaches and worse. Global Insight assesses the merits of a digital Geneva Convention.

The world seems to be at war in cyberspace. State-sponsored hacking is on the rise and experts believe that it could be the biggest threat to both governments and businesses in 2018. After years of taxpayer investment in government cyber capabilities, most major states seem to have gone on the offensive – according to the cyber consultancy firm Venafi – and they are enjoying major returns on their investment in the form of increased data theft, security breaches and worse, says Venafi Senior Threat Intelligence Analyst Jing Xie wryly.

‘With every major nation state expanding both offensive and defensive cyberwar spending, public and private critical infrastructure and communication providers should expect to be caught in the crosshairs of cyberwarfare,’ he says. Citizens could easily be caught in the melee, too, as state-backed hackers target democratic elections, launch malware and ransomware attacks against public services, and target government and corporate communications networks.

A freelance cyber consultant – who tellingly preferred not to be named – likened the global cyberwarfare situation today to state-sponsored piracy in 15th- and 16th-century Europe. In those days, British buccaneer figures such as Sir Walter Raleigh and Sir Francis Drake trod and sometimes crossed the fine line between hero and pirate in their exploits in the New World, often illegally attacking Spanish interests. ‘It’s as chaotic in cyberspace now as it was on the seas in the 16th century,’ he says, ‘and getting to a tipping point in terms of the frequency and intensity of attacks where something needs to be done.’

In modern times, co-ordinated progress towards global standards for protecting civilians in wartime was only cemented in 1949 by the Geneva Conventions. Microsoft’s President Brad Smith has, for over a year, been calling for a digital Geneva Convention to help contain today’s situation. His convention would get its legal clout from six key principles (see box: Six principles of a digital Geneva Convention) that aim to bring to an end the excesses of state-sponsored cyberconflict.

Speaking at the World Economic Forum’s Davos event in Switzerland in January this year, he said: ‘This is supposed to be a time of peace... so the world has literally, in that regard, been turned upside down from protecting civilians in times of war to attacking civilians in times of peace.’ Not surprisingly, perhaps, the suggestion has generated a great deal of heat but shed little light on a workable solution. The mix of proposals seems to muddy the boundaries between international humanitarian law, which draws a distinction between combatants and civilians, trade law and non-proliferation protocols, according to Maria Gurova, a policy analyst at the Geneva Centre for Security Policy. She does not believe the proposal in its current form would work. That is partly because national and international legal norms on digital technologies are too far apart, despite ongoing efforts to build workable bridges between nation states.

Such co-operation has been slow in coming, although there has been some progress. In September 2015, for example, the United States and China signed an understanding where both governments agreed not to support the theft of each other’s intellectual property through cyberattacks. Cybersecurity experts said they saw a downturn in cyberattacks from China – perhaps Chinese experts had a similar experience.

Six principles of a digital Geneva Convention

  1. ‘There should be no targeting of high-tech companies, the private sector or critical infrastructure.
  2. The private sector should be assisted in efforts to detect, contain, respond to and recover from cyber attacks.
  3. System vulnerabilities should be reported to vendors rather than stockpiled, sold or exploited.
  4. Restraint should be exercised in developing cyber weapons, and any that are developed should be limited, precise in their targeting focus and not reusable.
  5. There should be no proliferation of cyber weapons.
  6. Offensive operations should be limited to avoid mass and indiscriminate cyber attacks.’

Source: ‘The proposed “Digital Geneva” Convention: Towards an Inclusive Public-Private Agreement in Cyberspace?’ Maria Gurova, Geneva Centre for Security Policy

In addition, 20 countries from a United Nations group of governmental experts proposed ‘limiting norms’ in an attempt to curb online activity that could damage national critical infrastructure, or the use of national cyber-emergency response teams for offensive operations. If Venafi’s claims are true, that seems to have been less successful.

Gurova sees a way forward in the shorter term through Smith’s most novel suggestion, that ‘system vulnerabilities should be reported to vendors rather than stockpiled, sold or exploited’. Such a move could provide a way for the private sector to play a leading role in helping to build public-private partnerships to combat cyberattacks.

It is an idea that has some traction with vendors who face a run on the vulnerabilities in their software each time they release a new product or a new version of an old one. But others say that, if the problems are technical, they need a technical – not legal – fix. Former Internet Architecture Board Chair Andrew Sullivan has previously warned against hopes for what such a treaty could achieve. ‘The problems [hackers exploit] are in the technical design, so they need to be fixed in the [software] protocols,’ he says.

But further support for Smith’s call to arms directed at the private sector has come from humanitarian groups – not always happy to see corporate intervention in their terrain. Nevertheless, they acknowledge that large technology companies are the only ones with the clout, cash and knowledge to lead to practical solutions in this area. ‘The technical know-how, resources and reach of the private sector are a requisite for making sense of this new theatre of conflict in terms of where and how it takes place, and for whom this matters and why,’ Joseph Guay and Lisa Rudnick of The Policy Lab think tank said recently. It’s the technology companies that will need to define what constitutes a cyberattack and, therefore ‘who should be afforded rights and protection under international law’.

Having successfully put the issue of creating a digital Geneva Convention on the global agenda, Brad Smith may yet find himself in the unenviable position of having to write it.

Arthur Piper is a freelance journalist specialising in risk, law and technology. He can be contacted at arthur@sdw.co.uk