I had the opportunity to meet and speak yesterday afternoon in Geneva at the United Nations to discuss the global issues and challenges relating to cybersecurity. It provided an opportunity to connect with people from governments, international organizations, the NGO community and civil society more broadly on what in 2017 has clearly become one of the important issues of our time.
As technology continues to reshape the world, it’s clear that conflicts between nations are no longer confined to the land, sea and air. A cyber arms race is underway with nations developing and unleashing a new generation of weapons aimed at governments and civilians alike, putting at risk the critical data and digital-powered infrastructure that we all depend on for our daily lives.
In May, the nation state-sponsored WannaCry ransomware attack impacted more than 200,000 computers in more than 150 countries and showed the world the broad damage “invisible” cyber weapons can inflict. This didn’t just cause damage to machines. As the United Kingdom’s National Audit Office concluded just last week, WannaCry’s impact forced the National Health Service to divert ambulances and cancel over 19,000 appointments for people scheduled to see a physician or have a surgical procedure. WannaCry provided a wake-up call to the world. If we do not do more to address the risk of nation-state cyberattacks, the world will become a more dangerous place.
While technology companies like Microsoft have the first responsibility to address these issues, it would be a mistake to think the private sector by itself can prevent or stop the risk of cyberattacks any more than it can prevent any other types of military attacks. Nation-state investments in cyber weapons have advanced beyond the point where that is possible. That’s one reason the WannaCry attack also underscores the need for international norms and agreements to protect civilians from nation-state attacks and for a new Digital Geneva Convention that commits governments to defending and protecting civilians from state-sponsored cyberattacks.
When we introduced the concept of a Digital Geneva Convention this past February, we acknowledged that it’s the type of initiative that requires as much as a decade of work. We also recognized that this type of agreement could take a variety of different forms and requires more than a single step.
That’s why it’s important to combine a focus on long-term measures like a Digital Geneva Convention with more immediate steps to build on existing international law to better protect civilians from cyberattacks now, not a decade in the future. We must recognize the current norms that already apply to cyberspace on which we can rely and identify the gaps in current norms so that we can fill them in for the future.
There clearly are important foundations on which the world can build. These include the United Nations Charter and the Fourth Geneva Convention. And it’s important to appreciate the encouraging examples of international organizations taking steps to build on agreements that exist today. For example, in 2015, the United Nations Group of Governmental Experts on Developments (UNGGE) confirmed that international law applies to cyberspace. In 2016, the Organization for Security and Co-operation in Europe adopted an enhanced list of “confidence-building measures (CBMs) to enhance security and stability in the cyber domain.” And earlier this year, the Group of 7 (G7) published a declaration recognizing the urgent need to establish international norms for responsible nation-state behavior in cyberspace.
We should recognize that there is a shared responsibility among governments, the private sector and civil society to modernize these principles and ensure their effectiveness in the 21st century. That in fact is the way these types of norms and rules have always advanced. For example, when technology advancements in firearms created new horrors, private citizens spearheaded the founding of the International Committee of the Red Cross in 1863. New rules emerged to protect medics as neutrals, enabling them to treat all wounded regardless of who they fought for. The Red Cross has since saved countless lives, and it endures today as a cornerstone of international humanitarian aid and a protector of civilians in times of war. The Fourth Geneva Convention’s rules to protect civilians in times of war provide a foundation to build from, and governments can help by clarifying how existing international law, including international humanitarian law, applies to cyberspace.
But we should also recognize that international humanitarian law was built in an age when military forces squared off on physical battlefields. Where there is no armed conflict on a traditional battlefield, some traditional international legal protections may not apply. While international law includes mechanisms like due diligence, the duty of non-intervention and countermeasures, the existence and meaning of these rules may be disputed. This can create a gap in existing international law’s ability to serve its humanitarian functions, allowing nation states to use offensive cyber means that put civilians at risk.
This is illustrated by questions that arise, for example, regarding the application of the United Nations Charter. While states have agreed in Article 2(4) of the charter that they will not use or threaten force against other states, the charter does not define what constitutes “force.” The text has been viewed as prohibiting only “armed” force – the sorts of violent consequences that militaries inflict on each other through injuries, death and destruction. Cyber weapons, however, have created new means to cause harm, not by blowing things up, but by disrupting the functionality of critical systems on which we all depend. We need to update international law to clearly prohibit nation states from damaging or destroying data and the machines on which we rely in the same way the charter limits them from damaging or destroying physical infrastructure.
These types of steps are seldom easy. This was illustrated recently when governmental delegates met to author the so-called Tallinn Manual 2.0 – an effort by international legal experts to clarify how existing international law applies to cyberspace. While they made important progress in some areas, they could not reach consensus on what the U.N. Charter has to say about losses of functionality in civilian infrastructure even when nothing gets physically broken.
These types of challenges are natural and understandable parts of what inevitably is a long and complex journey. As debates emerge over existing norms and new threats, it will be important for experts from governments, civil society, the private sector and academia to both help identify existing gaps and deploy new technologies and approaches to prevent the continued harm of civilians by cybercriminals.
Technology has come a long way since the days of rifles and cannons, yet one need is constant: as technology advances, the law must move forward with it. As in the 1800s, the private sector is again urging change and proposing new conventions to compel governments to create new standards and norms. And as in the 1800s, those outside government will need to play an active role to help. Just as volunteers were critical to support medics in treating the wounded, the tech sector today needs to serve as first responders to aid those impacted by a cyberattack. Just as medics and volunteers needed the recognition of governments to act as neutrals, the tech sector today needs to act as a “neutral Digital Switzerland” to help civilians everywhere who are hurt in an attack. This is part of the thinking that is going into the tech sector’s efforts to increase cybersecurity collaboration and consider a more formal Tech Accord, so we can act effectively and in a globally responsible way.
The future of cybersecurity on the internet will require many steps by many people. We will need to continue to look to tech companies to act proactively to strengthen defenses and work closely with customers. We need governments to act together, both to adhere to current international norms and create new law to fill in the gaps. The world needs a Digital Geneva Convention, as well as many additional steps to move us toward creating a more secure world.