Vol. 39 Contributing Editor
Microsoft just called for a monumental shift in international law—at a conference for coders and cryptographers. Brad Smith, Microsoft’s President and Chief Legal Officer, delivered the keynote address at February’s RSA Conference in San Francisco, urging governments to create a “Digital Geneva Convention”.
The vulnerability of companies and customers to state-sponsored hacking is acute, Smith argued. The 2014 North Korean hacking of Sony Pictures marked one startling incident; China’s thefts of American companies’ intellectual property, another. And the allegedly Russian-sponsored hacking of the Democratic National Committee remains fresh in the public’s mind. Even in state-on-state digital espionage, privately-owned property like submarine cables, data centers, laptops is often hit in the crossfire—sometimes intentionally, sometimes as collateral damage. Moreover, because 90% of the Internet’s infrastructure is managed by the private sector, “[a] cyber-attack by one nation-state is met initially not by a response from another nation-state, but by private citizens.”
Microsoft’s Proposed Solution
Microsoft’s proposed solution is a tripartite international legal regime. First, governments should enact a Digital Geneva Convention regulating proper state behavior in cyberspace and creating civilian protections.  Microsoft recommends six commitments, in particular:
- No targeting of tech companies, private sector, or critical infrastructure.
- Assist private-sector efforts to detect, contain, respond to, and recover from events.
- Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.
- Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.
- Commit nonproliferation activities to cyberweapons.
- Limit offensive operations to avoid a mass event.
In a ratified convention, these would become binding legal obligations.
Second, and to help enforce the convention, Microsoft recommends the creation of an independent organization to investigate and publicly share evidence attributing attacks to specific countries. Similar to the International Atomic Energy Agency (IAEA), this entity would hopefully shame states into compliance with the convention.
Third, Microsoft calls on the technology sector to become a “digital Switzerland”—a neutral space insulated from state cyber-hostilities.  Companies should protect and assist all of their customers in case of cyber-attacks, anywhere in the world, and regardless of the attackers’ identities.
Bold as Microsoft’s announcement seems, the legal foundation for a Digital Geneva Convention already exists.
The Budapest Convention on Cybercrime (2001) defines a number of computer-related crimes—including hacking for economic benefit—and facilitates international cooperation among law enforcement agencies. More recently, in 2014, the UN General Assembly charged a group of governmental experts with developing updated global cybersecurity norms. Among the group’s eventual recommendations were prohibitions on government engagement in malicious activities or intentionally damaging critical infrastructure using information and communications technology.
Individual states have affirmed these values, too. In September 2015, the U.S. and China pledged to abstain from “cyber-enabled theft of intellectual property…with the intent of providing competitive advantages to companies or commercial sectors” against each other. Two months later, the G20 Summit also voiced its support for this same pledge.
Nor is it unheard of for a private company to urge changes in international law. Google and Facebook have lobbied the U.S. Federal Communications Commission to support international measures improving Internet access. Tech companies also lobbied heavily both for and against the Trans-Pacific Partnership (TPP) trade agreement. Whether a company has ever initiated a proposal for an international convention or treaty is unclear. But the fact that this idea originated with a corporate behemoth like Microsoft (and other cybersecurity experts) should not decrease the likelihood of implementation.
The bigger risk to a potential Digital Geneva Convention, if the idea gets off the ground, is international disagreement about its substance. Some experts worry that authoritarian nations will try to legitimize their censorship and control of the Internet by creating loopholes to the treaty. Others support Microsoft’s call for restrained development of cyber weapons, seeing an outright ban as impossible. Enforcement of the treaty would also be difficult—unlike nuclear weapons, for instance, states could easily conceal hacking facilities or hackers’ connections to governments. An IAEA-like cyber monitor would struggle to get permission to enter a government’s computer systems in an investigation. Moreover, some states might resist ratifying a Digital Geneva Convention, instead increasing their competitive cyber-advantage while other states pledge restraint.
Despite these hurdles, Microsoft’s call for a Digital Geneva Convention has been supported by cybersecurity experts. 2017 presents several opportunities for the idea to gain traction. The 12th International Governance Forum—a gathering of government, academic, and private sector stakeholders—is one major venue to push the idea forward. Additionally, the UN’s Group of Governmental Experts will need to report again on cybersecurity norms to the General Assembly this year. The Group might consider Microsoft’s proposals as it drafts.
As Microsoft itself acknowledges, an international agreement would not be enough to protect against state-sponsored cyber-attacks. In fact, its third proposal, for a “digital Switzerland”, is perhaps the likeliest to succeed; the private sector can adopt standards for itself faster than the international community. Still, Microsoft’s proposal is heartening to cybersecurity advocates. By sparking a dialogue between the private and public sectors, on an idea of grandiose scale, Microsoft has brought state-sponsored attacks on companies and customers into the sunlight and might just spark enough dialogue to radically move international law.
 Brad Smith, The Need for a Digital Geneva Convention, Microsoft On The Issues, (Feb. 14, 2017), https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.001u6ui1s730eta109o254ovxqqof.
 Deborah Charles, NSA Chief Says U.S. Infrastructure Highly Vulnerable to Cyber Attack, Reuters (June 12, 2013, 2:32 PM), http://www.reuters.com/article/us-usa-cybersecurity-idUSBRE95B10220130612.
 Smith, supra note 1.
 Smith, supra note 1.
 Jovan Kurbalija, Digital Geneva Convention: Multilateral Treaty, Multistakeholder Implementation, The Huffington Post (Feb. 27, 2017, 10:35 AM), http://www.huffingtonpost.com/entry/digital-geneva-convention-multilateral-treaty-multistakeholder_us_58b443c0e4b02f3f81e44a35.
 Council of Europe, Convention on Cybercrime, E.T.S. No. 185 art. 8, http://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf.
 U.N. General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, ¶ (f), U.N. Doc. A/70/174, at 8/17 (July 22, 2015).
 The White House – Office of the Press Secretary, Fact Sheet: President Xi Jinping’s State Visit to the United States, (Sept. 25, 2015), https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.
 G20 Leaders’ Communiqué, Antalya Summit, ¶ 26 (Nov. 15-16, 2015), http://g20.org.tr/g20-leaders-commenced-the-antalya-summit/.
 Tom Simonite, Facebook’s Internet Drone Team is Collaborating with Google’s Stratospheric Balloons Project, MIT Technology Review (Oct. 6, 2015), https://www.technologyreview.com/s/542161/facebooks-internet-drone-team-is-collaborating-with-googles-stratospheric-balloons/.
 See e.g., Dustin Volz, U.S. Tech Firms Urge Presidential Candidates to Embrace Trade, High-Tech Visas, Reuters (May 5, 2016, 10:21 AM), http://www.reuters.com/article/us-usa-election-technology-idUSKCN0XV2R1. But see Sam Thielman, Hundreds of Tech Companies Line Up to Oppose TPP Trade Agreement, The Guardian (May 20, 2015, 10:28 AM), https://www.theguardian.com/us-news/2015/may/20/hundreds-tech-companies-oppose-tpp-trade-agreement.
 Tim Johnson, Would a New World Accord Make the Lawless Internet Safe Again?, McClatchy (Feb. 23, 2017, 6:00 AM), http://www.mcclatchydc.com/news/nation-world/national/national-security/article134249834.html.
 Bruce Schneier, An International Cyberwar Treaty is the Only Way to Stem the Threat, U.S. News & World Report (June 8, 2012, 4:14 PM), https://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/an-international-cyberwar-treaty-is-the-only-way-to-stem-the-threat.
 Tom Simonite, Do We Need a Digital Geneva Convention?, MIT Technology Review (Feb. 15, 2017), https://www.technologyreview.com/s/603639/do-we-need-a-digital-geneva-convention/.
 See e.g., id.; Eugene Kaspersky, A Digital Geneva Convention? A Great Idea, Forbes (Feb. 15, 2017, 11:30 AM), https://www.forbes.com/sites/eugenekaspersky/2017/02/15/a-digital-geneva-convention-a-great-idea/#4bad2d671e6e; Johnson, supra note 12; Jeremy Hsu, You Are the Target of Today’s Cyberwars, Backchannel (Mar. 2, 2017), https://backchannel.com/todays-cyberwars-target-civilians-and-we-need-protections-ba32a4bd496e#.dzvh5zkji.
 Kurbalija, supra note 5.
 U.N. Office for Disarmament Affairs, Developments in the Field of Information and Telecommunications in the Context of International Security, https://www.un.org/disarmament/topics/informationsecurity/.