Microsoft called for a Geneva Convention for cybersecurity, indicating that states need to agree on digital standards that protect the private sector and prevent major cyber incidents.
“Across the tech sector, companies are racing to provide stronger cybersecurity protection for customers, including from nation-states,” Brad Smith, president and chief legal officer of Microsoft, wrote in a blog post Tuesday. “Each of our advances is making an important contribution. But we’re nowhere close to being able to declare victory.”
Microsoft proposed that the cybersecurity agreement include components such as not targeting technology companies or critical infrastructure, assisting the private sector in detecting and responding to cyber incidents, reporting vulnerabilities to companies, exercising restraint in developing cyber weapons, committing to contain the spread of cyber weapons, and limiting offensive operations to avoid a mass event.
Microsoft cited the North Korean attack on Sony as one reason that the private sector needs cooperation from the government when responding to a cyber threat. Smith said that technology companies are the first responders to attacks from state actors, and citizens are the first to be affected. Microsoft has worked with other companies such as Amazon and Google to combat phishing attacks and notify each other of abuses they see on one another’s networks.
“The time has come to call on the world’s governments to come together, affirm international cybersecurity norms that have emerged in recent years, adopt new and binding rules and get to work implementing them,” Smith said. “In short, the time has come for governments to adopt a Digital Geneva Convention to protect civilians on the Internet.”
The U.S. State Department has already been working to gain support from other nations for its framework for international cyber stability, which outlines responsible conduct in cyberspace. The framework tells states not to attack other nations’ critical infrastructures during peacetime and encourages states to work together to combat common cyber threats.
Both the State Department and Microsoft believe an agreement like this is necessary because of the recent increase in cyberattacks. The economic loss from cyber crime is estimated to reach $3 trillion by 2020, according to Smith.
Along with this type of Geneva Convention agreement, Microsoft said that an independent organization made up of government and business leaders should be formed to investigate and share evidence of attacks on specific countries.
“While there is no perfect analogy, the world needs an organization that can address cyber threats in a manner like the role played by the International Atomic Energy Agency in the field of nuclear non-proliferation,” Smith said.
He said that the private technology sector should act as a neutral party in the event of state-sponsored cyberattacks, rather than taking sides according to home country. The technology companies should focus only on protecting their customers and never act offensively.
This proposal follows news of Microsoft’s continuous victories in court that allow the company to protect consumer data stored overseas from U.S. law enforcement agencies.
“Our company is not unique. As an industry, we’ve brought people together in ways that can promote mutual understanding and respect,” Smith said. “We need to harness this global understanding to protect people everywhere, earning their confidence as the world’s Digital Switzerland.”