Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, we need a Digital Geneva Convention that will commit governments to implement the norms that have been developed to protect civilians on the internet in times of peace. (Brad Smith, President and Chief Legal Officer, Microsoft)
Microsoft’s call for a Digital Geneva Convention, outlined in Smith’s blog post, has attracted the attention of the digital policy community. Only two years ago, it would have been unthinkable for an Internet company to invite governments to adopt a digital convention.
Microsoft has crossed this Rubicon in global digital politics by proposing a Digital Geneva Convention which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’. Smith’s blog post initiates public discussion with many questions to be addressed. Here we will focus on a few of them.
The unthinkable has become almost inevitable
In the search for a more secure and stable Internet, global Internet companies need to work with governments. Any major fragmentation and disruption of the Internet would affect the core business model of Internet companies, based on global access to data. Governments are gaining more cyber-power to potentially disrupt the cross-border movement of data for different political ends ranging from security to censorship and taxation. If companies do not engage with governments and work together on reasonable policy arrangements, Internet companies could face major risks. More importantly, this would, in turn, also disrupt the now-global social and economic models based on a digital environment.
An element of surprise?
Microsoft has been particularly sensitive to the Internet as a global public good.
In what can be described as a bold attempt to ensure observance of international law, Microsoft successfully opposed requests from US authorities to use the search warrant mechanism to access data stored on the company’s servers in Ireland. The Appeals Court’s ruling—which now stands, after the Court of Appeals for the Second Circuit denied a rehearing of the case—has had an enormous impact on the protection of data and the international operations of the major Internet companies.
Moreover, through its Global Security Strategy and Diplomacy Team, Microsoft is among the few ICT companies that have embraced diplomacy as an approach to shaping global public policy. After following closely the diplomatic dialogue shaping norms of state behaviour in cyberspace and confidence-building measures (CBMs), especially within the UN Group of Governmental Experts (GGE) and the Organization for Security and Co-operation in Europe (OSCE), Microsoft proposed a set of cyber-norms for states in 2015, which it updated in 2016 with a proposed set of cyber-norms for the ICT industry.
The company’s proposal, therefore, did not come as a surprise. In this context, the proposal can be seen as the evolution of Microsoft’s diplomatic efforts in the field of international security and cyberspace.
What is the main aim of the Geneva Digital Convention?
The Geneva Digital Convention should create binding rules out of the voluntary norms on secure cyberspace developed by the UN GGE and regional organisations. A few additional norms could be added. Embedded within a convention, this set of norms could become a legal obligation, with the corresponding enforcement mechanisms. According to Microsoft’s proposal, the convention should motivate states to adhere to the agreed norms.
What should the proposed Geneva Digital Convention regulate?
Microsoft suggested six key principles for a Digital Geneva Convention: (1) no targeting of tech companies, the private sector, or critical infrastructure; (2) assist private sector efforts to detect, contain, respond to, and recover from events; (3) report vulnerabilities to vendors rather than stockpile, sell, or exploit them; (4) exercise restraint in developing cyber weapons and ensure that any developed are limited, precise, and not reusable; (5) commit to nonproliferation activities for cyberweapons; (6) limit offensive operations to avoid a mass event.
The six principles are grounded mainly in national security, covering both defensive and offensive cyber-operations. They are a mix of policy and legal regimes. Principle 1 could be classified as a ius ad bellum principle, dealing with the justification and prevention of conflicts; principles 3, 4, and 5 have a strong cyber-disarmament focus; principles 2 and 6 are applicable to both conflict and peacetime operations.
Policy issues related to the six principles are part of the mandate of the UN security bodies. The most active is the UN General Assembly’s First Committee, which is also the home of the UN GGE. Other UN bodies that may get involved in cyber security matters are the UN Conference on Disarmament and the UN Security Council.
Beyond the six principles, later in the text Microsoft’s arguments shift towards protecting citizens in the case of conflict—known in legal terms as ius in bello—or, more broadly, towards what we might call human cybersecurity:
Just as the Fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace.
Human security is anchored in the protection of human well-being. It encompasses economic, food, health, and environmental aspects, among others. Since human well-being increasingly depends on digital space, the question of human cybersecurity is likely to come more into focus.
If Microsoft’s proposal aims to focus on human cybersecurity (the protection of individual users), this will inevitably bring developmental aspects into the discussion—ensuring the availability of tools and means for people to achieve cyber well-being (access to the Internet, development of local content, etc.)—as well as human rights issues, including a potential right to safe access to the Internet (analogous to developments in other human security areas that inspired rights to water, food, etc.).
While governments may become the main sources of threat with their increasing cyber capabilities, they should also be the main enablers of a safe Internet, which is considered a global public good. This can be achieved only through co-operation and shared responsibility between government and the private sector, with the Internet industry as the key player. More than 90% of Internet traffic and activities are conducted by the private sector. Currently, most of the threats to civilians online come from cyber-criminals exploiting the vulnerabilities of Internet applications.
As a practical example of public-private co-operation, Microsoft’s proposed principle no. 3 on responsible disclosure of vulnerabilities would increase the overall resilience of products and cyberspace, reduce cyber-armament by states, and limit the proliferation of state-built cyber-arms available to criminals.
How could a Geneva Digital Convention be implemented?
Smith introduced ideas intended as potential inspiration for a multistakeholder implementation of the Convention. Involving actors beyond governments in the implementation of the Convention makes a lot of sense. While governments should ensure rule-based digital governance, shared responsibility should involve the private sector, which runs most of the Internet, and the technical community, which sets most technical standards. Here are a few building blocks from Smith’s blog post, with a few comments.
In addition, a Digital Geneva Convention needs to create an independent organization that spans the public and private sectors. Specifically, the world needs an independent organization that can investigate and share publicly the evidence that attributes nation-state attacks to specific countries.
An independent organisation should be a public-private partnership that can deal with attribution—the main challenge in addressing cyber-attacks. Potential inspiration can be found in the Montreux process for private military and security companies which consists of:
Smith also mentions the role of the International Atomic Energy Agency (IAEA) in nuclear non-proliferation as a possible inspiration for the future cybersecurity organisation. In this analogy between nuclear and cyber he stresses two elements: the centrality of technical expertise and public shaming for the violation of rules. (‘Only then will nation-states know that if they violate the rules, the world will learn about it.’)
The question of the technical expertise needed for attribution will be at the centre of future discussions on the Microsoft proposal and, indeed, other proposals. Microsoft suggests that international capacity for digital forensics should be built on the expertise and experience that the Internet industry has already developed in dealing with cyber-attacks against its clients. While this could be the key input, digital forensics for international cyber conflicts would need additional robustness, since attribution in cyber-conflicts could lead to the naming and shaming of states, with severe geopolitical consequences.
Smith also suggests the Red Cross as an inspiration for the future cyber arrangement. The main analogy is to the International Committee of the Red Cross (ICRC), the pillar organisation of the Red Cross movement and implementer of the Geneva Conventions. The ICRC is a private organisation under Swiss law with a public mandate provided by the Geneva Conventions.
Other parts of the Red Cross movement could also provide some inspiration, such as national organisations that have an auxiliary role to governments. They are not part of government structures, but they are legally recognised by governments as public actors in the humanitarian field. The role of CERTs (Computer Emergency Response Teams) could be upgraded in this direction. They may not be part of government but their role could be recognised as a public role in protecting civilians and entities in the event of a cyber-attack.
Achieving neutrality in cyber arrangements
Neutrality is frequently mentioned in the Microsoft proposal. Neutrality (or the lack of it) can make or break any future cyber arrangement. Microsoft links the proposal to Geneva (‘Geneva Digital Convention’) and Swiss neutrality (‘neutral Digital Switzerland’). Just as Geneva and Switzerland are sought out for good offices and mediation in traditional conflicts, this role may extend to cyber conflict and crisis. The centrality of Geneva—an important hub for digital policy, among other policy areas—also comes into focus in the Microsoft proposal.
Next steps
The future cyber governance architecture will be discussed in many contexts during 2017. The UN GGE will have to propose next steps after the conclusion of its mandate this year. The 12th Internet Governance Forum (IGF), to be held in Geneva in December 2017, could also be a place where the security, economic, technical, and other communities converge to address Internet issues in a multidisciplinary way, without the pressure of reaching a binding commitment at the end of the meeting.
Microsoft’s proposal for the Geneva Digital Convention provides inspiring analogies and initiates discussion on the future of digital governance, in particular in the security field. While there are major differences among stakeholders, there is also considerable convergence and many common interests. Major actors from government and the business sector stand to lose in the absence of a unified and stable Internet. This common interest provides some optimism for the future discussions and negotiations on digital governance.
Article originally published on DiploFoundation’s website. Follow the latest in digital policy on the GIP Digital Watch observatory, and read February’s Geneva Digital Watch newsletter for additional analysis.
These kinds of conventions have been batting around for the past 20 years since Abe Sofaer drafted his comprehensive convention. The Cybercrime Convention was difficult to achieve, but remains essentially unimplemented except as a domestic model. Arguably, some of what is described in this article is within the ambit of Art. 9 of the 1988 ITR.
Today, such a convention would face strident opposition from Trump. The interesting question is whether that would further its chances or not. A perhaps more interesting alternative is an instrument under the WTO.
The main question is whether there is a need for enforceable international rules on digital issues. Microsoft’s answer is yes. Other actors are quiet. The next question is: what should be regulated - data traffic, privacy, digital trade, access to networks? Typically, whatever approach you choose, you come to the same (or similar) policy issues relating to digital data.
Framing matters. It could be framed as human rights/humanitarian issue (Microsoft EXPLICIT proposal) or security issue (Microsoft IMPLICIT proposal) or human security (bridge between human rights and security) or trade (WTO line) or technological (ITRs) or…. Each framing has its own specificities.
You also mention WTO, where e-commerce negotiations face major difficulties because of the shadow cast by the Doha Round (e-commerce is framed as north/south issue).
From a substantive side, the most optimal way would be to have a multidisciplinary approach which will strike the right convergences and trade-offs between, for example, human rights and security considerations or trade and development ones.
A few years ago, there was a discussion on an Internet framework convention in the form of umbrella arrangements which would be supplemented by a specific protocol (along the lines of the Rio Climate Change Convention).
Today, there is no appetite for major international codifications. Trump is not an exception in this respect.
Most likely policy inertia will continue. A possible shift could happen analogous to what happened with radio-communication after the sinking of the Titanic in 1921. If there is a cyber ‘Titanic moment’ (major cyber disruption), a security-centered solution would be negotiated and implemented very fast.
Here is a possible ranking of the main candidates for this quick fix (from more to less probable):
- G20 would be the most likely solution given a proven record in dealing with crisis (the 2008 financial crisis) as well as with cyber issues (Antalya agreement on economic espionage). A possible G20 ‘digital convention’ could be approved by the UN GA in order to get global support.
- UN GGE (UN First Committee and General Assembly) or a new set-up (after the end of the work of current UN GGE) is another main candidate which would provide a ‘security angle’ as reaction to a possible ‘Titanic cyber moment’.
- ITR has a provision as you indicated. However, I do not see this as a high contender given the geo-political dynamics.
- WTO is less likely because it would pose a strong shift from the core mission (trade).
- UN Human Rights Council is not a likely policy space given the – most likely – security angle to a crisis situation.
- IGF is the least probable candidate. IGF can create recommendations (WSIS art. 72) which could trigger such a negotiation process in existing or new policy spaces. IGF could also create space for the most informed and inclusive shaping of rules. IGF’s chances are the lowest as the process could be too slow as a ‘quick fix’ for a possible cyber-crisis.
Just noticed permutation. It should be 1912 instead of 1921.
The only real question is whether a cyber Titanic is likely to occur that has sufficient impact to produce some form of multilateral agreement. The likelihood seems very low over the next four years.