Lecture Report: Brad Smith on Cybersecurity

November 20, 2017

The 10th annual Geneva Lecture took place on 9 November at the Palais Nations.
The keynote speech was given by the President and Chief Legal Officer of
Microsoft, Brad Smith, and was on the increasingly relevant topic of what’s
next for Internet Governance.

In laying the groundwork for this eventual conclusion he recalled the “Spirit
of Geneva” taking root on 29 October 1863 when the Red Cross was founded in the
Swiss city, following the Battle of Solferino four years earlier. This spirit
has evolved as the
threats to human life and dignity have become ever more complex; airborne
warfare, chemical weapons and landmines to name but a few. A comparison was
drawn between international efforts to govern warfare and the evolution of
technology; as technology advances, humanity needs to rearrange itself to deal
with it.

On 12 May 2017, the WannaCry attack affected 230,000
computers in over 150 countries. This attack wasn’t limited to military targets
as conventional warfare now tends to be. Targets included regional governments
in India, Spanish utility providers and NHS Trusts in England and Scotland. A
further dimension is added to this already complex attack when you consider the
origin of the software. The software was developed by the USA’s National
Security Agency to exploit a weakness found in Microsoft’s Windows system. A
group of hackers, known as “The Shadow Brokers” (TSB), then stole the software
and made it freely available in April, saying it was a
“protest” about USA President Donald Trump. To date it is not known
who the TSB are or where they are located. TSB themselves have said they are
“not fans of Russia or Putin”, but some experts have suggested the
group may have links with the Russian government. Regardless of their
allegiance, the act of stealing software from a country and using it to target
civilian infrastructure is a new innovation in the history of warfare and this will
be looked back on as a watershed moment.

‘Cyberspace is the new battlefield’ was
undoubtedly the rallying cry of the day. In 1949, the Geneva Convention was
established to protect civilians from war, but what would that protection look
like today? As everything is so connected now, what will it mean for civilians
if hostile governments can pay hackers to attack their hospitals, Wi-Fi-enabled
air conditioning units and traffic lights? Has the time come for there to be a
new Geneva Convention for the digital age?

Brad Smith says ‘Yes’. He went on to say that the technology
sector had the first responsibility to humanity on this different battlefield, one
with no clear boundaries. Microsoft spends over $1 billion on security
annually. Nevertheless, there is only so much you can do in the face of
fallible human nature. Over 90% of cybersecurity attacks begin through clicking
on a link. This is countered by the fact that Microsoft is now bringing the
fight to the courtroom. In August 2016, they filed a civil lawsuit for an
injunction to allow them to seize command-and-control (C&C) domains used by the
hacking group Fancy Bear,
reported to have orchestrated election-related hacker attacks in the USA. As a
result, they can figure out which customers are being hacked and help them to take
preventative steps as well as strengthening their own software against similar
attacks. Over the last 16 months this has allowed Microsoft to seize 75 domains
and help customers in 91 countries. This is a prime example of a fortuitous
merging of justice and good business acumen. If a customer can see tangible
evidence that their provider is taking active steps to protect them, then they
are unlikely to look elsewhere. The fortuitous side effect is that justice
is being served.

Microsoft has called for a new technology accord reflecting
the principles of Red Cross assistance. They will not support any government in
attacking a civilian anywhere and will assist any civilian who is injured in a
cyberattack anywhere. Brad Smith unequivocally stated Microsoft believes that
the spirit of Geneva provides a compelling example of what governments can
achieve when they come together around the bastion of a neutral Switzerland. The
growing investment and consequent increasing complexity in cyberattacks means
that governments and the technology community will have to come together to
solve this problem.

Brad Smith believes that the coming together of governments
will result in the creation of a new Digital Geneva Convention which sets out
who (civilians) and what (electrical grid, hospitals, political process,
intellectual property of private companies) cannot be attacked. In addition,
the signatories will pledge to work together with the private sector to respond
to cyberattacks.

This all seems so far, so utopian. Everyone can get on board
with not attacking civilians, hospitals and the electrical grid. However,
external state-sponsored meddling in the political process and theft of private
intellectual property is not a challenge unique to the digital age. History is
littered with overt and covert attempts by one State to influence the
governance of another. Mr Smith also touched on another historical issue, that
of anonymity, which has become another hot-button issue in the cyber arena.

Mr Smith concluded by saying ‘we believe that Cybersecurity
needs to be a cause for our time’ and he is not wrong. But however
well-intentioned his view of a Digital Convention may be, it is hard to see how
it can be enforced in the current age of cyberattacks perpetrated by anonymous
hackers.

Phoebe Whitlock is currently a Junior Research Assistant in the European
division of the Telecommunications Development Bureau at the International
Telecommunications Union. The ITU is based in Geneva and is the specialised
agency of the UN for information and communication technologies.