Cyber-attacks are on the rise, threatening power grids, driving up geopolitical tensions, and even crippling hospitals. Countries should agree a new “Digital Geneva Convention” to contain the risk and set up a new international organisation to police the new rules.
These proposals from Microsoft’s chief legal officer, Brad Smith, also say that neutral companies dealing with the fallout should win protected status, like a technological Red Cross. Opinions differ on where the gaps are, if any, in international law, and whether Microsoft is a credible voice on the issues or just looking after its own vested interests.
In a public speech in Geneva, Smith argued that cyberspace is a new battlefield and not properly governed by international law. Nation states and murky hacker groups have shown their potential to take out public infrastructure and services, sow political discord, and sabotage businesses, causing extensive social and economic harm.
Experts in international law and the International Committee of the Red Cross, however, give his proposals a cool reception. Cyberspace may throw up some legal dilemmas (for example, how to distinguish military and civilian data travelling on the same network), but it is far from a legal vacuum. Microsoft's proposal for tech companies to be recognised as "first responders" on the cyber battlefield, borrowing language from the Red Cross, has met with surprise and scorn from critics.
Smith spoke to hundreds of diplomats, officials, and visitors at the UN in Geneva, recalling the city’s heritage as “a place where the world has come together” on difficult issues. Introducing Smith’s talk, the head of the UN in Geneva, Michael Moeller, said “algorithms can be as powerful as tanks, bots as dangerous as bombs”. Smith said the global technology sector should reposition itself as “a trusted and neutral digital Switzerland”.
Recounting the bloody Battle of Solferino in 1859, which led to the creation of the Red Cross, Smith said a hi-tech arms race is accelerating in cyberspace and international law isn’t configured to tackle the challenge. He raised examples of cyber-attacks affecting Iran, Ukraine, and the WannaCry malware attack that scrambled 200,000 computers, including some in the British health service.
The laws of armed conflict
Firstly, ICRC is the guardian of international humanitarian law and its representative at the event argued firmly that the law of armed conflict already governs cyber operations. As an example, ICRC’s Philip Spoerri said attacks against essential civilian infrastructure in wartime already constitute violations of international humanitarian law, unless the infrastructure is a military objective.
Spoerri said there may be value in clarifying other parts of international law about actions that don’t meet the threshold of armed conflict, but noted that political appetite seemed lacking.
Other international law
While telling the story of the laws of armed conflict as a scene-setter, Smith’s proposals also appeared to cover the less well-defined area of international law in peacetime.
Hacking and sabotage may not count as acts of war, but equally they “do not occur in a legal vacuum”, according to a major study. “States have both rights and bear obligations under international law”, according to the Tallinn Manual, updated in February. This NATO-supported review interpreted existing international law as already being applicable and came up with 154 “rules” that can apply to cyber operations in peace or war.
The field is nevertheless politically charged. Issues around attributing the source of attacks, defining the threshold for what constitutes an “armed attack”, and the right to self-defence and countermeasures, once opened for debate, have become controversial. An intergovernmental expert group to confirm ground rules on the applicability of international law in cyberspace failed to reach agreement in June, partly due to a polarised international climate.
Dustin Lewis, senior researcher at the Harvard Law School Program on International Law and Armed Conflict, told IRIN: "the legal and political aspects are difficult, if not impossible, to completely dissociate".
Motivations
Microsoft’s proposals are flawed, critics say, both from a legal point of view and due to conflicts of interest. Since security holes in Microsoft’s software are often exploited, it would benefit commercially from wider protection from liability. Also, at a time when Silicon Valley is under scrutiny for wielding a dangerous level of unregulated power, Microsoft’s attempt to rebrand as a neutral paramedic on the cyber battlefield may appear a convenient distraction.
Microsoft proposes tech companies could sign up to an accord of neutrality and cooperation that would justify a special legal status. Smith suggests they could pledge: “we will not aid in attacking customers anywhere”, and adopt a “100% defense” strategy. However, under the Geneva Conventions, whether an individual is working in military defence or in attack makes little difference to whether or not they “make an effective contribution to military action”.
This means that Microsoft engineers, for example, fixing a military computer could potentially be a military target. Microsoft has won 1,432 contracts with the US Department of Defense alone in the last five years, worth $888 million, according to public data.
A prominent critic of the technology giants, Evgeny Morozov, suggests the proposal is “entirely selfish”. Writing for the Guardian, he claimed “the conflict of interest here would be mind-boggling: the more insecure Microsoft’s software, the greater the demand for its cybersecurity services to protect it”.
Another critical article, from a NATO-affiliated think tank, also suggests Microsoft’s interest stems from self-interest: that cyber-attacks in peacetime are “bad for the business of transnational ICT (tech) companies in that they reveal exploits of vulnerabilities in their products.” Smith confirmed that Microsoft was in part seeking regulatory clarity regarding their customers’ data.
A senior UN human rights official, Kate Gilmore, was warmly applauded at the event when she said that governments were outsourcing too many decisions on critical issues to the corporate sector. She said there was “an accountability framework that is not fit for purpose” for “corporates larger than countries”.
Outlook
The issues aren’t only legal.
Lewis told IRIN that “currently there is insufficient political consensus… concerning when and under what circumstances certain relevant parts of international law are applicable".
The Harvard researcher suggested Microsoft’s foray into the arena might even make things worse: “A key question becomes whether the Microsoft proposal is likely to do more damage by questioning the applicability of international law or to have more beneficial effects by spurring interest in legal norms.”
Microsoft's proposals
For states
No targeting of tech companies, private sector, or critical infrastructure
Assist private-sector efforts to detect, contain, respond to, and recover from events
Report vulnerabilities to vendors rather than stockpile, sell, or exploit them
Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable
Commit to nonproliferation activities to cyberweapons
Limit offensive operations to avoid a mass event
For technology companies
No assistance for offensive cyber operations
Assistance to protect customers everywhere
Collaboration to bolster first-response efforts
Support for governments’ response efforts
Coordination to address vulnerabilities
Fighting the proliferation of vulnerabilities
bp/ag
