On February 14, Brad Smith, Microsoft President and Chief Legal Officer, proposed the creation of a “Digital Geneva Convention” (DGC) to protect the civilian use of the Internet. It sounds like a good idea, but one can find alarming signs and implications within the proposal.
Smith wrote an extensive article explaining his concept. He established six essential functions the new organization would have, including things like “reporting vulnerabilities to vendors” and “limit offensive operation to avoid a mass event.”
They are all necessary, especially in these times when the Internet of Things, Artificial Intelligence, and Machine Learning are affecting many aspects of human society.
However, the lengthy piece depicts the world as a place where most countries are waging war in a digital space, and where that conflict has been affecting regular citizens and companies alike.
There is nothing new in that line of argument, as even former President Barack Obama said countries used cyber espionage on one another. However, I will explain here why Smith’s words seem like a display of power by the tech industry.
We own the Internet
Too many people do not know it, but the Internet has a physical “body.” Cyberspace is sustained by things like submarine cables, data centers, and servers, among many others.
All of those components comprise a massive infrastructure that makes the digital world possible, and private companies own most of it.
In fact, Brad Smith explained that businesses, whose primary objective is to generate profit, “produced, operated, managed, and secured” the Internet. As he explains, that fact makes them a logical target during a digital world conflict.
We know a lot of secrets
He added that when a nation-state launches a cyber attack on another country, the first line of defense consists of private companies. So, experts from Microsoft, Kaspersky, and others know who is messing with whom and how often they try to do it.
In fact, Microsoft’s president confirmed the cyber attacks during the Presidential Elections of 2016, and that a nation-state carried them out. The article also talks about North Korea hacking Sony twice in 2014 and 2015.
Microsoft reports show that nation-states have registered domains using trademark names of private companies to carry out hacking attacks, steal intellectual property, and illegally probe for information.
Additionally, cyber security companies are the guardians of sensitive information, and even though they have no direct access to their customers’ secrets, their systems generate a byproduct that data analysts can use to tell all sorts of things.
The world needs us to keep them safe
The Internet is not a safe place for information. Once a picture, a message, or a video touches the web, someone can steal it. Hacking has become so widespread that even amateurs can carry out DDoS attacks and use things like the Mirai Botnet.
Online protection became a matter of muscle. It doesn’t matter how good a firewall is; somewhere in the world there is going to be a computer genius who will crack it.
That is why any individual would need a complete infrastructure that protects his/her computer, detects infections, and treats them, to put it in a very general way. And that costs a lot of money.
In fact, Smith says Microsoft spends $1 billion every year to keep its customers’ data safe. The company has three entire subdivisions with a combined payroll of 3500 “security experts.” The Microsoft Threat Intelligence Center detects the threats, the Cyber Defense Operations Center deals with them, and the Digital Crimes Unit is the legal arm that acts in the real world.
So basically, tech organizations already have the means to protect entire nations from cybercrime. Smith even says the DCU has taken legal action in 49 countries to defend the intellectual property of third parties. According to the article, the DCU has even fended off nation-state cyber attacks.
The implications of the “Digital Switzerland”
Individuals in the private sector often cooperate with one another, but they are always competing. That means most of their research and development efforts are their secret weapons. Internally, some of these companies have infrastructures that rival the ones Federal agencies use.
However, the DGC proposal is also a call to work together for all the organizations that specialize in cyber security. Together, they can become so strong that they could render public agencies useless, thus making the state dependent on the DGC.
Also, the DGC would have a board with international representatives from both the private and public sectors, and they would be able to work anywhere in the world regardless of individual policies and laws. In other words, the tech industry would stop influencing policy to become an actor.
From companies like Apple defending Net Neutrality from the FBI to Uber dismissing DMV mandates by deploying its self-driving taxi fleet without permission, technology corporations have been impacting the law-making process.
However, the DGC would act as a neutral government-like faction that can act based on their perspective. Of course, there are going to be parameters, but Smith compares the organization’s role to that of the Red Cross and Switzerland in the Geneva Convention.
Now, there are many ways individual countries can monitor the activities of the Red Cross and even humanitarian staff in their territory, but that is impossible in cyberspace.
Not only do many governments lack the means to deal with cyber warfare, but in most cases they don’t understand the most basic of concepts regarding technology, something that is true even of the North American government.
But even if they understood cyberspace, private companies own most of it. So, there is not much they can do if the DGC decides to take action.
The reader must understand the intention of this article is not to demonize Mr. Smith’s proposal nor to exploit some kind of sensationalism. It is but an analysis of the original piece that proposed the “Digital Geneva Convention.”
With that in mind, I think governments have to work with the private sector to do something about an impending cybersecurity crisis because they don’t have a choice.
Nevertheless, a global organization that can freely act under the premise of protecting the Internet and its users might be a risky move.
Source: Microsoft Blog