Originally published on CyberScoop, this is just an archived version for the timeline!
Why a global cybersecurity Geneva convention is not going to happen
Microsoft President and Chief Legal Officer Brad Smith has spent the year campaigning for a "Digital Geneva Convention" in response to the threats facing his employer's software and the global Internet at large.
It is a pipe dream, and here is why.
Any global agreement works best when there are clear answers. There is a clean line between "nuclear war" and "not nuclear war." The cyber domain is different. While there is some consensus within Microsoft, driven by business concerns and presented as social concerns, there is none within or between the world's governments. We do not even know the trade-offs implied by many of the things Microsoft is asking for. A control on the trade in "cyber weapons" produced a massive outcry when it was codified in the Wassenaar Arrangement, some of it from the very same people at Microsoft, who rightly realized that controls on "intrusion software" would severely slow progress on defensive technology as well.
To put it more clearly, the problem is a fractal. The U.S. Government cannot agree on any single cyber issue; drill down and neither can the DoD; go deeper and even the NSA cannot agree with itself. No matter how far down the chain you go, there are competing initiatives and both sides are right in their own way. This is why we fund efforts both to stand up Tor and to break it down. When Hillary Clinton was Secretary of State, she gave a speech advocating a censorship-free Internet while the same administration was pursuing Julian Assange. Every aspect of the cyber problem is linked and multifaceted, and we come down on both sides of the argument every time.
What Microsoft is driving at is a world where all hacking is off limits to governments forever, and vulnerability research is strictly controlled to keep it from "getting into the wrong hands." Even if Smith and Microsoft succeed, the result would be empty words rather than a more secure global society. Set aside the obvious facts that governments are unlikely to give up the ability to conduct cyber operations and that the lines in cyber are blurrier than a toddler's finger painting; this is the wrong fight for Microsoft to be fighting.
In order to understand why a "global cyber Geneva Convention" would miss the mark, let's look at Microsoft's possible motivations and how we got to this point overall.
The nightmare scenario Microsoft is trying to protect itself from has nothing to do with the Shadow Brokers' leaked ETERNALBLUE exploit, which was bolted onto the WannaCry ransomware worm. Keep in mind that every capable SIGINT team in the world could use its own internal exploits to release two WannaCry-level worms a month, in perpetuity, until Microsoft could no longer sell its operating system. A single leaked exploit is not the existential risk.
The real worry is whether the Shadow Brokers have the capability to reach internal Microsoft information. The group could leak that, and it would plausibly include the enormous volume of vulnerability data in Microsoft's internal bug database, dwarfing anything an intelligence agency had found and exploited.
Whether the actor behind the leaks is Russia's GRU or some other elite nation-state hacking group, Microsoft, like every other company on the planet, lives at the mercy of highly talented and well-financed digital spy agencies. That is a level of risk Microsoft would like to wipe off the balance sheet. It is telling that the United States Government cannot protect American businesses in cyberspace even from the smallest, weakest countries, as the Sony Pictures Entertainment attack demonstrated, partly through policy paralysis.
So Microsoft's push for a "global cyber Geneva Convention" is a self-interested distraction from where governments should be concentrating when it comes to establishing future norms in cyberspace. Microsoft's effort is focused largely on preventing the release or use of software vulnerabilities, but our real strategic problems have little to do with software bugs.
One such strategic issue is cyber economic espionage. What changed with the 2015 Chinese-U.S. agreement is not which organizations were targeted or what information was taken from them. What changed, in theory at least, is what the Chinese do with that information on their end. Do they hand it to competitors of U.S. companies, or do they use it only for strategic intelligence needs, as we hope they do under threat of massive sanctions? In other words, there is no way to police their behavior on this issue by looking at our own systems and networks. This kind of international regulation runs essentially on the honor system.
Supply chain attacks are even more dangerous to Microsoft's business. Look at Cisco and what it has learned from having its routers trojaned in transit before reaching customers. It is an area where Chinese companies struggle as well, Huawei being the prime example, and the anti-virus company Kaspersky is now fighting for its life in this space too.
Those two examples of massive policy adjustments waiting to happen only scratch the surface. We have not even discussed the chaos around cryptographic backdoors, warrants for customer data, custom software versions like the government edition of Windows that Microsoft was forced to build for China, Internet censorship, software export control and data localization.
These topics show how hard any international agreement on norms that matter to our industry would be, especially in an environment where almost all the real data sits behind high levels of classification. But the bigger problem with a "Digital Geneva Convention" is that it focuses on vulnerabilities and "hacking" instead of the much larger questions about the porous boundary between private and public interests. You either deal with all of the issues in this area or none of them, because they are all interlinked.
While the U.S. government has been quite open about its efforts to help the private sector wherever possible (the Vulnerabilities Equities Process, ICOnTheRecord, self-imposed limits on how long traffic from foreigners is retained, sanctions efforts, and so on), there is no sign that the world is ready to follow its lead. The Shadow Brokers are widely assumed to be a Russian-led effort, and other governments have been just as aggressive in bypassing any and all norms in the cyber domain. Even the much-touted United Nations and NATO agreements have amounted to "broad principles" that are unenforceable in any practical way.
Ideally, a "Digital Geneva Convention" would produce a sustainable global framework that handles these strategic issues. How vulnerabilities are handled is too small an issue by comparison, and any rule on it is unlikely to be followed by the majority of the world's governments. This week, as we face down Russian efforts to attack power plants, recognized norms seem as far away as humans on Mars, however nice they would be for Microsoft's shareholders.
The painful truth that any honest discussion of limits on offensive cyber capabilities would surface is not that the world's governments disagree with each other, but that every government disagrees internally. This is as true in Germany and China as it is in the U.S. It is also true that the place of corporations in our world, and the way our wars are conducted, have changed, and that change has come alongside the way the Internet has changed how humans organize.
Microsoft has long been a leader in information security, and that is as true of the legal issues surrounding it as of the technology. A global Digital Geneva Convention is never going to happen, and we should not treat the idea as a realistic way forward until we, internally, can agree on a single coherent position.