Last week, the President of Microsoft sent a Valentine to individuals deeply concerned about cyber-security. On February 14, 2017, he wrote a long blogpost calling on the world’s governments to set up international rules to protect the internet. Because of his thoughtful analysis, he is a sweetheart, although the roses being sent to him come with a few thorns. While the blogpost is a call to action among corporations to protect consumers, Smith does not address corporate inaction on the widening use of malware. And while he calls for a set of global rules on the use of cyber-attacks, he does not delineate how to stop governments from being major consumers and exporters of malware.
Brad Smith wrote, “Just as the fourth Geneva Convention has long protected civilians in times of war, we now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace. And just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies. The tech sector plays a unique role as the internet’s first responders and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world’s trust.”
Smith throws out a lot of ideas, many of which are thoughtful and persuasive. He begins by explaining why he and his company were called to action. He notes that the problem of cyber-hacking is getting worse. But we don’t really know if that is true, or if cyber-hacking is simply more visible because more entities are reporting it (after the fact). Smith nonetheless argues that things are getting worse because more nation states are using a wide range of tactics to attack firms, governments and individuals. Other key observers, such as the Internet Society (the global club of internet users), share his concerns. Kathy Brown, President and CEO of the Internet Society, agrees with Smith that business has a special role to play. But she adds that business must collaborate with other stakeholders because “we have a collective responsibility to secure the data ecosystem, to protect not only ourselves but also the global Internet that we all depend on.”
Smith then goes on to state that the tech sector “Operates as the first responders to nation-state attacks on the Internet.” He notes that Microsoft uses both a command center to identify threats and legal processes to “disrupt the nation-state’s use of these domains within 24 hours…We have taken down 60 domains in 49 countries spread over six continents.” He notes that many companies are “racing to provide stronger cybersecurity protection for customers,” but he doesn’t explain how firms can cooperate to stop this threat. It is not their fault, but there are no clear incentives for firms to collaborate against state cyber-misdeeds. Instead, firms have incentives to protect only “their customers” rather than the internet as a whole.
By focusing on companies’ role in fostering trust to fight cyber-attacks, Smith ignores the collective responsibility of companies for the malware market. Firms did not create malware (which arises out of weaknesses, gaps, or mistakes in code). But many of these firms and governments perpetuate the market for malware by paying researchers a bounty to find it. Microsoft differs from other companies in that it does not pay for individual vulnerabilities but rather for new attack and defensive techniques. Microsoft also requires that researchers write about a bug and its fix only after the company has fixed the vulnerability.
Smith wants governments to protect civilians on the internet with a Digital Geneva Convention. He believes that such a convention should affirm recent cybersecurity norms as global rules, as China and the US have tried to do in their recent cyber-security agreement. Yet some analysts argue we don’t really know enough about these types of hacks, who is carrying them out, and the types of exploits hackers are using or have used. He also wants governments to commit to avoiding cyber-attacks that target critical infrastructure or steal intellectual property. Clearly governments do not yet agree on what kind of cyber-attack is acceptable and what is not. For example, is the infrastructure that supports the Internet out of bounds? Core infrastructure that is used by civilians should also be off limits. Yet Ukraine’s electrical grid was attacked in December 2016. Finally, this convention “should require that governments assist private sector efforts to detect, contain, respond to and recover from these events, and should mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.”
But is a Geneva Convention the only response to the problem of government cyber-attacks against individuals? As global stakeholders of the internet, we must do more. First, we should strengthen counterweights to the use of malware. For example, we need to praise firms and governments that are honest about attacks. Secondly, we need to improve how we attribute attacks. Thirdly, we should praise governments that refrain from malware use and educate policymakers on the unanticipated side effects of malware purchase and use. Finally, we need to shame governments that use malware in ways that undermine democracy and human rights: to interfere in elections, to monitor and surveil their own citizens, or to destroy or steal intellectual property. Ultimately, we need to make malware use against individuals (as opposed to malware used for testing or research purposes) illegal and rare.