Microsoft has called on governments around the world to create a “digital Geneva Convention” as a way to normalize international cybersecurity rules and protect civilian use of the Internet.
President Brad Smith, who is also Microsoft’s chief legal officer, addressed the issue at the annual RSA conference held earlier this week in San Francisco, saying that governments — with the assistance of technology companies in the role of NGOs — need to establish international rules to protect civilians from cyberthreats during peacetime.
“The tech sector plays a unique role as the Internet’s first responders, and we therefore should commit ourselves to collective action that will make the Internet a safer place, affirming a role as a neutral Switzerland that assists customers everywhere and retains the world’s trust,” Smith wrote in an appeal posted online.
Seventy four percent of the world’s businesses expect to be hacked every year, with the economic losses from cybercrime averaging US$3 trillion per year, according to Microsoft.
Cyberattacks historically have focused on military and economic espionage, Smith noted. However, the 2014 attack on Sony was considered revenge against the company for the unflattering depiction of North Korean dictator Kim Jong Un in a film.
While cyberattacks in 2015 involved nation-states going after companies’ intellectual property, attacks in 2016 targeted various Democratic party and government institutions in the U.S., threatening the democratic process itself.
Microsoft spends more than $1 billion a year combating cybersecurity threats, Smith said, chiefly to guard against phishing schemes launched via email.
In response to increased nation-state attacks, Microsoft since last summer has taken down 60 domains in 49 countries, spread out across six continents, he pointed out. Officials from 20 countries around the world in 2015 recommended cybersecurity norms for nation-states designed to promote and open, secure, stable accessible and peaceful information and communications technology environment, Smith noted. The U.S. in China that year reached an agreement to refrain from conducting or supporting cyber-enabled theft of intellectual property. The group of 20 later affirmed the same principle.
Microsoft has collaborated with rival firms, including Google and Amazon, to combat cloud abuse, including spam and phishing sites, he said.
Microsoft is not alone in promoting cybersecurity cooperation among government institutions.
The Electronic Privacy Information Center earlier this week announced a new Democracy and Cybersecurity project, designed to address growing alarm about the impact of cyberattacks on democratic institutions.
The organization has urged the U.S. Congress to update federal data protection laws, and to establish a data protection agency designed to address the increased risks of identity theft and data breaches, said Marc Rotenberg, executive director of EPIC.
“Increasingly, we see a closer connection between cybersecurity and the protection of democratic institutions,” he told the E-Commerce Times. “EPIC is pursuing open government cases, Hill outreach and engagement with experts.”
The organization has filed two Freedom of Information Act requests in connection with the 2016 presidential election, when the Russian government undertook a campaign to influence the outcome in now President Donald Trump’s favor, based on the findings of all of the major U.S. intelligence agencies. The attacks included the release of hacked data from the Democratic National Committee and other related organizations linked to the Hillary Clinton campaign.
Microsoft’s effort to promote a global body laudable, but it would be too limited in scope to make much of a dent in the cybersecurity problem, suggested Ed Cabrera, chief cybersecurity officer at Trend Micro.
“A Geneva convention for cybersecurity … only addresses a small subset of the malicious activity that impacts consumers and enterprises on a daily basis,” he told the E-Commerce Times. “A much larger threat to global cybersecurity are [attacks] that emanate from cybercriminal undergrounds.
What is needed is a global cybersecurity strategy that “leverages the power of public-private partnerships,” Cabrera said. Such an effort could disrupt, degrade and deny the ability of cybercriminals to leverage their attacks.
A Department of Homeland Security spokesperson declined to comment on Microsoft’s proposal.