In interactions with the Indian media last week, Microsoft CEO Satya Nadella raised an issue that did not get much resonance in Delhi. It was about the urgent imperative of drawing up a cyber code of conduct for the world. Nadella said he was hopeful that a new set of rules involving the tech companies and governments could be negotiated in Geneva. He would like it modelled after the Fourth Geneva Convention of 1949 that protects civilians during wartime. Nadella wants a “digital Geneva convention” that will protect individual Internet users and civilian infrastructure from cyber attacks by nation states during peacetime.
Nadella’s pitch is part of a campaign launched by Microsoft since the beginning of this year to convince governments to negotiate global rules of the road for the digital domain. Last week, Brad Smith, president and chief legal officer of Microsoft, made the case in much greater detail before the international community in Geneva.
Smith invoked the memory of Jean Henri Dunant, whose efforts led to the First Geneva Convention of 1864 that barred attacks on sick and wounded soldiers, along with medics and volunteers engaged in their evacuation. Dunant also founded the International Committee of the Red Cross, which provides the neutral institutional framework for the implementation of the First Geneva Convention and the three others that followed in the steady expansion of international humanitarian law.
If Dunant was moved to address the problems created by new technologies for warfare in the mid-19th century, the Microsoft leadership is saying the world must now address the mounting challenges from the emerging digital warfare and the impending cyber arms race between the major powers.
As societies become increasingly dependent on the Internet, the costs of criminal activity and international rivalries could turn out to be crippling. Microsoft estimates that cyber hacking is likely to cost the global economy nearly $3 trillion by 2020. Even more worrying is the growing militarisation of the Internet that is leading to the development of capabilities to cripple the cyber infrastructure of adversaries. Governments across the world are also turning the cyber domain into a medium for espionage, theft of intellectual property, interventions in political processes, and provoking social unrest.
Microsoft proposes building upon emerging norms on cyber security, developed between the US and China as well as in multilateral forums, to draft a comprehensive digital Geneva Convention. The company points to its own investments in the development of technology to prevent cyber attacks, and similar efforts by other high-tech majors like Facebook and Google. It has highlighted several principles that governments and tech companies must adopt to secure the cyber space (see box).
Diplomats, however, are doubtful whether governments can be nudged into signing a Convention that limits their strategic options amidst the current tensions between the major powers, and their active development of offensive cyber capabilities. Meanwhile, growing cyber capacities for asymmetric warfare among states and non-state actors make it even harder to construct an international consensus.
Sceptics suggest that Microsoft may be presenting its own interests and those of the big tech companies as universal interests. While no one doubts that the top tech companies will continue to have a big role in producing, managing and securing the cyber domain, many governments may not be ready to accept that large transnational tech companies must be treated as independent actors and put at the heart of the international regulation of digital space.
There is considerable variation in the views of the major powers on the nature of the cyber domain and the role of states in it. Russia and China, as well as many developing nations, have begun to put the state at the centre of managing the cyber space. Even in the developed capitalist states, the national security apparatus is unwilling to give up its freedom of action and defer to some of the private sector conditions, for example on avoiding backdoors to smartphones, and reporting system vulnerabilities to vendors like Microsoft.
More broadly, in Europe and North America, there is increasing distrust of the mega tech companies. On both the left and right, there is deep resentment against the extraordinary dominance of these corporations. Civil society activists agree that addressing the question of cyber attacks is very important, but insist that the tech companies can’t be exempted from the principle of separating private profit and public good.
While critical questioning is in order, there is no denying that the world has addressed such questions in the past: for example, on the adoption of telecommunication technologies, the regulation of atomic energy, and the banning of chemical and biological weapons. The scientific community and industry have, indeed, contributed to the evolution of global norms on emerging technologies.
The issues raised by Microsoft do deserve serious and critical attention in India. The outcomes from this debate could have a lasting impact on India’s own digital future in both commercial and national security realms. The tech companies based in Bengaluru and the government in Delhi must join hands to shape the discourse on the digital Geneva Convention and secure India’s national interests.
AVOID targeting high-tech companies, the private sector or critical infrastructure
ASSIST private sector efforts to detect, contain, respond to and recover from cyber attacks
REFRAIN from stealing proprietary information from private companies and passing it on to their competitors
REPORT system vulnerabilities to private vendors and not stockpile, sell or exploit them for political or financial gain
NOT INSERT ‘backdoors’ in mass market commercial products
EXERCISE restraint in developing cyber weapons; any that are developed should be limited, precise in their targeting and not be reusable
LIMIT offensive operations to avoid mass and indiscriminate cyber attacks
ACTIVELY PREVENT proliferation of cyber weapons through the use of intelligence, law enforcement and sanctions
CREATE an independent organisation, consisting of technical experts from across the governments, the private sector, academia and civil society, that can investigate cyber attacks and publicly share evidence on who was responsible. It would be akin to the International Atomic Energy Agency that maintains the firewall between civilian and military uses of nuclear energy
HI-TECH COMPANIES SHOULD:
REINFORCE government efforts with an accord among themselves to become a “neutral Digital Switzerland” that will protect customers everywhere, and not aid cyber attacks on users anywhere.