A Digital Geneva Convention to protect cyberspace
(...)
Microsoft Policy Papers
The substance of a Digital Geneva Convention for Peacetime
Governments have established and followed international rules in other military and geopolitical areas such as non-proliferation. Cyberspace should not be different. The key clauses at the center of the Digital Geneva Convention should commit states to:
• Refrain from attacking systems whose destruction would adversely impact the safety and security of private citizens (i.e., critical infrastructures, such as hospitals, electric companies).
• Refrain from attacking systems whose destruction could damage the global economy (e.g., integrity of financial transactions), or otherwise cause major global disruption (e.g., cloud-based services).
• Refrain from hacking personal accounts or private data held by journalists and private citizens involved in electoral processes.
• Refrain from using information and communications technology to steal the intellectual property of private companies, including trade secrets or other confidential business information, to provide competitive advantage to other companies or commercial sectors.
• Refrain from inserting or requiring “backdoors” in mass-market commercial technology products.
• Agree to a clear policy for acquiring, retaining, securing, using, and reporting of vulnerabilities – one that reflects a strong mandate to report them to vendors – in mass-market products and services.
• Exercise restraint in developing cyber weapons and ensure that any that are developed are limited, precise, and not reusable. States should also ensure that they maintain control of their weapons in a secure environment.
• Agree to limit proliferation of cyber weapons. Governments should not distribute, or permit others to distribute, cyber weapons and should use intelligence, law enforcement, and financial sanctions tools against those who do.
• Limit engagement in cyber offensive operations to avoid creating mass damage to civilian infrastructure or facilities.
• Assist private sector efforts to detect, contain, respond, and recover in the face of cyberattacks. In particular, enable the core capabilities or mechanisms required for response and recovery, including Computer Emergency Response Teams (CERTs). Intervening in private sector response and recovery would be akin to attacking medical personnel at military hospitals.
The pressing case for launching a dialogue
Effective cybersecurity is critical to international peace and economic stability. The Digital Geneva Convention can play the central role in safeguarding citizens around the world from state-led or state-sanctioned cyberattacks in times of peace. By building on the work done to date, governments, the technology sector and civil society groups can pave the way for a legally binding agreement that will ensure a stable and secure cyberspace. Everyone with an interest in advancing this process should commit to working with public sector and private sector partners around the world to find a practical way forward.