A Digital Geneva Convention: Nobel Prize-Worthy Or Dangerous?

Microsoft on 19 December presented its Digital Geneva Convention during the 12th Internet Governance Forum in Geneva. With cybersecurity being one of the top issues at the forum, the company received a lot of interest for the idea of developing the convention as a multi-stakeholder draft. But there were also voices of caution from individual governments as well network-operating people.

The trend that more and more destruction is delivered through private sector products, like exploited vulnerabilities in Microsoft software, motivated the US company to come up with its idea for a Digital Geneva Convention. The Internet Governance Forum (IGF) is taking place from 17-21 December.

The original Geneva Convention established humanitarian standards for times of war.

Nichols explained that software companies nowadays practically face a run for the vulnerabilities in their software once they are out on the market.

“Earlier you could work collaboratively with security experts on these vulnerabilities. But now you compete for them with other people,” the other people being governments as well as criminals, he said. “This is an added dimension we did not have before.”

The issue list for the potential convention published first in February 2017 therefore includes a “clear policy for acquiring, retaining, securing, using, and reporting of vulnerabilities” and refrain from state obligations for providers to insert backdoors into their software. Another area to be regulated via the convention is at least “restraint in developing cyber weapons” and a limit to proliferation of cyber weapons.

“More than 30 governments have offensive capabilities and that number will grow,” Nichols said. By bringing the Digital Geneva Convention to the IGF, Microsoft wanted to get a multi-stakeholder dialogue started to prepare for a draft document, Nichols said. Earlier examples like the nuclear non-proliferation treaty showed that non-governmental actors could be the ones to initiated successful treaty acts – and be awarded Nobel Peace Prizes.

Reactions from the government side during the panel discussion were rather cautious on the “Convention” idea. “In the long run, it certainly is desired,” said Ben Hiller, cyber security officer at the Organization for Security and Cooperation in Europe (OSCE). In the current climate, though, he was doubtful that governments would be willing to talk about such a treaty. The OSCE is helping its member countries currently to develop mechanism on how to deal with large cybersecurity incidents. “We don‘t have time to look for a treaty, there are a lot of things that need to be done in practice,” he said.

Tobias Feakin, ambassador for cyber affairs at the Australian Ministry of Foreign Affairs and Trade, pushed back against trade negotiations, pointing out that there is a lot of work already underway by governments. While the UN Group of Governmental Experts (UN GGE) failed to agree on a joint declaration this fall, there was the earlier agreement on 11 principles of responsible behaviour of states in cyberspace, he noted. Additional work is ongoing with the so-called Tallin Manual and an initiative by the Dutch government, he said.

“Australia has put that into its national strategy to show its commitment,” said Feakin. The issue in question is to convince some of the other actors to implement, and especially also be transparent about, offensive capabilities they are collecting. On treaty negotiations, Feakin said, “be careful what you wish for it as we might end up in decade-long negotiations.” By the time governments might have agreed, technology will have gone further and malicious actors will have exploited the grey space for years, he said.

There is not much to gain from a cyber treaty, warned also one of the technical experts in attendance. Former Internet Architecture Board Chair Andrew Sullivan warned against hopes for what a treaty could achieve. “The problems are in the technical design, so they need to be fixed in the protocols,” he said. Companies and users as well have to make efforts in designing and how they use the system. He also is not convinced that a neutral attribution council would help to bring more transparency to what is going on, as attribution is easy in 90 percent, but highly difficult in the really hard cases. Involving the national CERTS as arbiters, as  some proposed could even be dangerous, as it would politicize the work of these “paramedics” of the net.

Yet not all governments think that way, as became clear during the IGF opening panel discussion. Bangladesh‘s Minister of Information Technology, Hasanul Haq Inu, called for cybersecurity regulation and cyber peace talks as well.

“The Microsoft initiative can be a start,” he said. Even the UN Under-Secretary-General for Economic and Social Affairs Liu Zhenmin was quite decisive in calling for “better regulation for the internet.” Cybersecurity regulation on the UN level was necessary in the interest of citizens, he said.

“It will not create instant protection,” Nichols from Microsoft acknowledged after the 19 December panel, saying the GGE and other work is a good start. But “we have to bring it to the next level.”

 

Image Credits: Monika Ermert