On 20 June 2017 ICT4Peace’s Daniel Stauffacher and Paul Meyer released a commentary: “WannaCry, the Digital Geneva Convention and the urgent need for Cyber Peace”. This commentary was subsequently published in the Neue Zürcher Zeitung (NZZ) on 26 July 2017 and in Le Temps, Geneva on 10 September 2017.

A commentary by Daniel Stauffacher, President, and Paul Meyer, Senior Advisor, of the ICT4Peace Foundation

The mass assault of the WannaCry malware that happened last May has once again demonstrated the continuing vulnerability of many individuals and institutions to cyber attacks. WannaCry further demonstrated how dubiously states handle their cyberspace activities, especially where malware is concerned: the cyber payload that contained the WannaCry malware took advantage of a vulnerability in a Microsoft Windows operating system that had previously been identified and developed by the US National Security Agency as an ‘exploit’ for a covert cyber operation.

The ubiquity of computer equipment means that traditional controls on the “hardware” of war are not feasible. In the past, however, the confidence building measures developed during the Cold War didn’t seem to be feasible either. And still these measures have provided unprecedented levels of transparency and predictability to the European strategic landscape – although fake news and anonymous cyber attacks make them tremble these days.

This is the basis on which new and innovative measures for the cyber world have to be developed – as soon as possible and with concerted efforts by the private sector and civil society alongside states. These political measures, complemented by the application of the restraints already mandated by international humanitarian law, provide an initial basis for a cooperative security regime of responsible governmental and non-governmental behaviour in cyberspace.

In the wake of the WannaCry attack the President of Microsoft Corporation, Mr. Brad Smith, was one of the first to decry governmental cyber activities. Microsoft has – not only since then – been in the forefront of the concerned private IT sector in addressing the threat posed to the peaceful use of cyberspace by state cyber operations and in advocating for remedial action. This request is undoubtedly justified and important, but not only states have to act now. The IT sector, including Microsoft, has to switch from decrying to acting to better protect their users on a technical level. No doubt, governments and IT companies should launch a systematic dialogue; its setting, however, has yet to be defined.

In a farsighted speech delivered earlier this year in San Francisco, the President of Microsoft called for a Digital Geneva Convention to respond to the increase in state conducted cyber attacks. Making the analogy with the 1949 Geneva Convention in which states agreed to a range of measures designed to protect civilians in times of war, Mr. Smith argued that it was time for states to take action to protect civilians in their cyber activities during peacetime.

A broader cross-regional collection of states will be necessary to realize a Digital Geneva Convention. Unfortunately, disagreement and fundamental opposition dominate the current discussions. An effective implementation of such norms still seems to be a goal to be achieved only in the distant future.

Through the mechanism of the so-called UN Groups of Governmental Experts (GGE), successive groups of 15-20 governmental experts drawn from UN member states have been engaged for several years in considering what measures might be taken in cyberspace to prevent conflict and reduce risks to international peace and security. The 2015 GGE report was one of the most substantive to date in elaborating suggested norms and measures to govern state conduct in cyberspace. The report enumerated a series of confidence building measures to advance transparency and predictability regarding state action and to lessen the risk of cyber conflict. Notable among these was a commitment not to engage in cyber operations directed at critical infrastructure on which publics depend. These proposals seemed designed to create a code of conduct for all cyber activities similar to that for humanitarian actors and entities under the Geneva Convention. The proposals from the 2015 GGE, however, remain just that – a set of recommendations from a small set of experts that will require state acceptance and implementation to be effective.

In calling for the negotiation of a Digital Geneva Convention, Microsoft is looking for a more ambitious and far-ranging set of constraint measures. States should not just refrain from targeting critical infrastructure, but forgo targeting technology companies and the private sector as a whole. Mr. Smith also called upon states to cease stockpiling vulnerabilities and to work with the private sector to remedy them. To support a Digital Geneva Convention, Microsoft envisions a neutral implementing organization akin to the International Committee of the Red Cross (ICRC). While this vision of the global IT industry serving the world as a “neutral Digital Switzerland” may seem far-fetched to many (including some sceptical Swiss), it speaks to the need to bring pressure on governments to act responsibly in this vulnerable domain.

And at this point Switzerland still could step in: The country can offer its neutral ground in Geneva to launch a systematic dialogue for governments and IT companies.

Neither Microsoft, the IT sector nor representatives of civil society can handle this global challenge alone. Without concerted efforts on an international level, along with innovative guidelines implemented by the private sector and civil society alongside states, Cyber Peace will always remain nothing more than an option.