Microsoft President Brad Smith on Tuesday pressed the world’s governments to form an international body to protect civilians from state-sponsored hacking, saying recent high-profile attacks showed a need for global norms to police government activity in cyberspace.
Countries need to develop and abide by global rules for cyber-attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two, Smith said. Technology companies, he added, need to preserve trust and stability online by pledging neutrality in cyber conflict.
“We need a Digital Geneva Convention that will commit governments to implement the norms needed to protect civilians on the Internet in times of peace,” Smith said in a blog post.
Smith outlined his proposal during keynote remarks at this week’s RSA cyber-security conference in San Francisco, following a 2016 US presidential election marred by the hacking and disclosure of Democratic Party emails that US intelligence agencies concluded were carried out by Russia in order to help Republican Donald Trump win.
Cyber-attacks have increasingly been used in recent years by governments to achieve foreign policy or national security objectives, sometimes in direct support of traditional battlefield operations. Despite a rise in attacks on governments, infrastructure and political institutions, few international agreements currently exist governing acceptable use of nation-state cyber-attacks.
The United States and China signed a bilateral pledge in 2015 to refrain from hacking companies in order to steal intellectual property. A similar deal was forged months later among the Group of 20 nations.
Smith said President Donald Trump has an opportunity to build on those agreements by sitting down with Russian President Vladimir Putin to “hammer out a future agreement to ban the nation-state hacking of all the civilian aspects of our economic and political infrastructures.”
A Digital Geneva Convention would benefit from the creation of an independent organisation to investigate and publicly disclose evidence that attributes nation-state attacks to specific countries, Smith said in his blog post.
Smith likened such an organisation, which would include technical experts from governments and the private sector, to the International Atomic Energy Agency, a watchdog based at the United Nations that works to deter the use of nuclear weapons.
Smith also said the technology sector needed to work collectively and neutrally to protect Internet users around the world from cyber-attacks, including a pledge not to aid governments in offensive activity and the adoption of a coordinated disclosure process for software and hardware vulnerabilities.