This week, the Group of 7 (G7) published a declaration recognizing the urgent need to establish international norms for responsible nation state behavior in cyberspace. It’s encouraging to see the commitment of this leading group of nations, but sobering to witness the growing imperative to act. Earlier this year at the RSA Conference in San Francisco I outlined the framework for a Digital Geneva Convention aimed at protecting and defending civilians against nation-sponsored attacks.
Over the past few weeks, we’ve discussed the framework for a Digital Geneva Convention with government officials, industry peers and customers around the world. I am encouraged by the response and the consensus that is forming around these concepts. These discussions have informed three documents that Microsoft is publishing today that outline why the world needs a Digital Geneva Convention – a set of binding agreements between nations backed by a tech sector accord and supported by an independent attribution organization to identify wrongdoing – and the steps needed to make it real.
Every day we are reminded why we need an international treaty to protect civilians, infrastructure and private companies from state-sponsored cyberattacks. Nation state conflict — which started on the land, moved to the sea and found its way into the air — has moved to cyberspace with governments increasingly using the internet to hack, spy, sabotage and steal. This battle is waged on private property: in the datacenters, cables and servers of private companies like Microsoft, and on the laptops and devices owned by private citizens. And increasingly, private companies and individuals are finding themselves in the crosshairs.
While the G7’s declaration is encouraging, it could go further in two areas:
First, the G7 declaration is focused on voluntary, non-binding state behavior during peacetime. The challenge with voluntary norms is that they are just that: “voluntary.” I believe we need to push ourselves further and set our sights higher to pursue a legally binding framework that would codify rules for governments and thus help prevent extraordinary damage. (It is important to note that such a framework should not be used by governments to introduce new limits on content or create exceptions from the protections guaranteed by fundamental human rights.)
Second, the tech sector itself has an important role to play. As the owners and operators of cyberspace, we serve as both the frontline and first responders during attacks. Over the next few months we will continue to work even more broadly across the tech sector to discuss a set of principles that can create the foundation for an industry accord outlining what, as an industry, we will do and what we won’t to protect our customers and help law enforcement. One principle that resonates strongly within the tech industry is a commitment to assist and protect customers everywhere, and never to assist in attacking them. As I said at RSA, this means a 100 percent commitment to defense and zero percent to offense.
All the norms, rules and agreements in the world won’t matter if attackers can’t be held accountable. That needs to start with attributing an attack to the perpetrator, even if it is a state or a state-sponsored group. The G7 acknowledges the importance of attribution in its statement; however, it focuses on the states’ ability to make their own determinations in this regard. To preserve and increase trust in the online environment, the organization that attributes attacks needs to be independent. It should be a public-private group, drawing on the strengths of both technology companies and governments to investigate cyberattacks and identify those behind them. There are many precedents from which we can learn, including inter-governmental bodies such as the International Atomic Energy Agency (IAEA).
It has been a privilege to talk with so many engaged individuals and groups on something so central to the future of the internet. Creating a Digital Geneva Convention will take time, but the G7 declaration is an encouraging step forward. The next few months will require further dialogue and partnership between governments – including governments not represented in the G7 – and the tech sector to ensure that the internet continues to function as a global tool of economic, social and political development.