Cybercrime has impacted everyone from individuals who have been hacked or had their credit cards compromised to the countless businesses hit by large scale breaches. Digital security does not even stop at the company level as we saw in the recent United States election.
Microsoft (NASDAQ:MSFT) President and Chief Legal Officer Brad Smith believes that the tech industry has both the ability and responsibility to work together on protecting the world from digital attacks/cybercrime. In a piece posted on a Microsoft blog in advance of the annual RSA Conference, which brings together security professionals from around the world, he laid out his case for what he called a Digital Geneva Convention -- a commitment by the technology industry to collectively work across borders to keep the world safe from digital crime.
"Just as the Fourth Geneva Convention recognized that the protection of civilians required the active involvement of the Red Cross, protection against nation-state cyberattacks requires the active assistance of technology companies," he wrote. "The tech sector plays a unique role as the internet's first responders, and we therefore should commit ourselves to collective action that will make the internet a safer place, affirming a role as a neutral Digital Switzerland that assists customers everywhere and retains the world's trust."
How big is the problem?
Nearly three quarters (74%) of the world's businesses expected a cyberattack in 2016 with the economic impact of cybercrime expected to reach $3 trillion by 2020, Smith wrote. What's worse, the Microsoft executive said, is that crimes are not just being carried out by rogue elements or even unscrupulous businesses, they are now increasingly being carried out by nations.
"The Sony (NYSE:SNE) attack by North Korea in 2014 was not the first nation-state attack, but it represented a visible turning point," he wrote. "While prior attacks had focused on economic and military espionage, the Sony attack in 2014 involved retaliation for free expression in the form of a (not very popular) movie."
That breach and subsequent release of data was followed in 2015 by "even more visible international discussion about nation-state attacks aimed at the theft of companies' intellectual property," wrote Smith. In 2016, he added, the issue "broadened again to include hacking incidents connected to the democratic process itself."
What does Microsoft want done?
Smith called on the world's governments to come together. He wants them to agree on "international cybersecurity norms that have emerged in recent years, adopt new and binding rules and get to work implementing them." That's a bold ask given how hard it is to get consensus on anything on a global or at least near-global level. The Microsoft executive breaks it down into six major points:
- No targeting of tech companies, private sector, or critical infrastructure
- Assist private sector efforts to detect, contain, respond to, and recover from events
- Report vulnerabilities to vendors rather than stockpile, sell, or exploit them
- Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise, and not reusable
- Commit to nonproliferation activities to cyber weapons
- Limit offensive operation to avoid a mass event
You can see that this list is really just a bare bones guideline. Restraint, for example, can mean different things to different people. Still, what Smith and Microsoft are proposing would be a bold effort to engage the private sector in responding to nation-state cyber attacks while also creating a framework for how governments agree to use their own offensive digital attack abilities.
Why is this important to Microsoft?
Governments cannot battle cybercrime effectively without help from the private sector. Rogue nations however can do great damage with cyber attacks.
The Sony situation with North Korea involved a country using digitally stolen material to lash back at a business over the content of a movie. It was an event that showed that every company is vulnerable whether it be through the release of private communications, the theft of intellectual property, or even the corruption of software or hardware to do things it's not supposed to do (like spy on people, record data including credit card numbers, or pretty much any other dastardly thing you can think of).
Because cyberspace is intangible, it's not as easily governable as the real world. Different rules need to be created and that requires a much broader consensus between nations. Going forward however Microsoft is right that a new level of cooperation is required between both rival companies and the governments of the world.
Cybercrime, hacks, and digital attacks can potentially not only cripple businesses, but in theory change the fate of nations. How the technology community and nations work in fighting that together has to be worked out and ground rules created before the next disaster strikes.