Microsoft calls for establishment of a digital Geneva Convention

As the public grows more concerned with state-sponsored hacking, Microsoft is calling on tech companies to form a so-called “Digital Geneva Convention” by promising to protect users from nation-state attacks and vowing to never mount offensive cyber attacks. Microsoft is also pushing governments around the world to establish norms for engagement in digital warfare.

Microsoft president and chief legal officer Brad Smith announced the initiative today at the RSA Conference. “We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks,” Smith wrote in a blog post accompanying the announcement. “Conflicts between nations are no longer confined to the ground, sea and air, as cyberspace has become a potential new and global battleground.”

Smith pointed to the 2014 Sony hack, attributed to North Korea, and the 2016 election hacks, attributed to Russia, as examples of attacks that occurred without any meaningful international norms. He nodded to the 2015 agreement between the United States and China that banned the cyber-theft of corporate intellectual property, but said that international governments need to do more to establish rules of engagement online.

Smith said the U.S.-China agreement should serve as a model for the U.S. as it responds to Russian hacking, calling it an opportunity for President Trump to “sit across the table” from Russian President Vladimir Putin and address the hacks.

“Just as the United States and China overcame mutual challenges and made important progress in 2015 to ban intellectual property cyber-theft, the United States and Russia can hammer out a future agreement to ban the nation-state hacking of all the civilian aspects of our economic and political infrastructures,” Smith said.

Smith said the technology industry needs a treaty similar to the Geneva Convention to protect civilians from harm as governments begin to fight their wars online. This process has been underway in the United Nations and the U.S. government, but it’s unclear how U.S. efforts will progress under the new presidential administration.

If government’s don’t take action, Smith said, companies need to make sure they are protecting users. Although he framed the rise of nation state attacks as an opportunity for a U.S. president to create norms, Smith didn’t mention Trump by name and condemned the kind of nationalism that was a driving force during his campaign.

“In age of nationalism, we need to be a trusted and neutral digital Switzerland,” Smith told the RSA audience. “We need to make clear that there are certain principles for which we stand. We will assist and protect customers everywhere — that is what we do. We will not aid in attacking customers anywhere, regardless of what government asks us to do so.”

Smith said the industry has the opportunity to come together and push for digital attack norms, as the industry united in support of Apple during its encryption case and and in support of immigration under Trump’s recent executive order. Smith said the stories of immigrant founders and employees in Silicon Valley should serve as inspiration for designing rules for digital engagement. “As we think about addressing nation state attacks, that is a powerful force that should inspire us and upon which we can build,” Smith said of immigration.

“The tech sector plays a unique role as the internet’s first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place,” Smith wrote. “Just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies.”