State-sponsored hackers may have meddled in political campaigns from the US to France to the Netherlands. And while nations are finding it tough to cooperate on the issue, Microsoft is pushing for more global cooperation, not less, in proposing a Digital Geneva Convention to prevent cyberwarfare.
By invoking the Geneva Convention, Microsoft appears to want to learn from the past. And history shows that while the company is right to propose action, international agreements alone won’t fix our vulnerabilities in cyberspace. Our best chance of success starts with voluntary industry standards.
Microsoft’s president and chief legal officer, Brad Smith, pitched Microsoft’s ideas for international cooperation at the RSA security conference in February. Microsoft has continued to promote this agenda at conferences and in policy briefs released last month. The G7 also jointly declared the need for international norms on nation-state behavior in cyberspace.
Microsoft has suggested three components to promote international cooperation and prevent warfare in cyberspace. First, the company argues, nation-states should agree to refrain from cyberattacks as part of what the company envisions as the Digital Geneva Convention. Second, industry should sign what the company calls a Tech Accord, which would create a shared set of principles and behaviors to protect citizens. Third, a new, neutral nongovernmental organization would investigate attacks and attribute them to perpetrators (though not respond to them or enforce compliance). All three components, Microsoft has argued, are necessary to build consumers’ trust in technology.
What does the past tell us about the future chances of success?
In 1864, European countries rallied together to pass the first Geneva Convention, a treaty governing how countries would treat wounded and sick soldiers in armed combat. The agreements have been modified multiple times in the decades since. Most importantly, in 1949, the Fourth Geneva Convention was extended to protect civilians during wartime. Nearly 200 countries are currently signatories to all or part of the Geneva Conventions. Now Microsoft hopes to create something just as widespread to protect civilians from cyberwarfare.
In addition to the Geneva Convention, Microsoft can also look to international agreements on communications technology for guidance on governing cyberwarfare. In the 1860s, the International Telegraph Union (ITU) was established to govern electric telegraphic traffic between states. International agreements governing telecommunications continued through the development of radio, satellite, television, and the internet.
As a professor of history, I’ve spent years looking at these types of agreements, including reams of documents on esoteric fights over now-redundant technologies. Without boring WIRED readers with the minutiae, let me suggest two important lessons from the details of the past. First, governments have only ever agreed successfully to technical standards, not to standards regulating content. Second, voluntary agreements by communications technology companies have been vital for protecting citizens.
A century ago the government opted to regulate the radio industry in order to prevent interference and allocate spectrum. In the 1920s, Europeans and Americans debated whether spectrum should be apportioned by nation or by type of user. American radio companies lobbied the State Department to allocate spectrum by usage. In 1927, the Washington Conference opted for the American approach rather than the Europeans’ preferred system of allocating it to individual nations. The negotiations showed that American commercial radio companies could exert considerable influence over international agreements.
We can’t know how the European system would have affected radio. But the international agreement that did emerge allowed radio to become indispensable to millions of people around the world.
Governments are traditionally good at agreeing on technical standards that enable the integration or interoperability of communications infrastructures. By 1901, for example, the ITU had standardized the telegraphic code for around 2 million terms in multiple languages.
But governments have been less successful at mandating abstract principles like freedom of information. International agreements reached in Atlantic City in 1947 still exempted communications carriers from transmitting messages that endangered state security, public order, or decency. In the wrong state’s hands, this meant that certain content could be censored if it was defined as dangerous.
To be successful, any Digital Geneva Convention should focus on technical standards that prevent intrusions, rather than abstract principles that cannot be enforced. Just as 90 years ago industry played a key role in advising government how to address complex technical issues, today the technology industry could work together to identify standards that can stop attacks. Companies have collaborated on such issues before, through a process called voluntary consensus standard setting. The concept was first used by the International Electrotechnical Commission created in 1906. It’s been critical to the advancement of engineering and computing and has been used successfully by private bodies like the Institute of Electrical and Electronics Engineers and the World Wide Web Consortium.
Of Microsoft’s three proposals to foster international collaboration, its Tech Accord may resonate best with the public. Trust will be critical for convincing citizens that new accords protect them on the web, and a recent Pew Research survey found that Americans have more confidence in the ability of cell phone manufacturers, credit card companies, email providers, and other tech firms (except for social media companies) to protect them from cyberattacks than they do in the government.
Microsoft has emphasized that its proposals are still a work in progress. Here, history can help by suggesting which models have and have not worked to regulate older communications technologies in the past. Major tech companies might consider continuing the long history of collaboration and cooperating with Microsoft to create a Tech Accord. That can build the public’s trust and provide a platform for international agreements.
History cannot predict the future. But it can suggest why certain initiatives may prove more fruitful than others. Keep going, Microsoft, and you might just get there in the end.