Microsoft president says the world needs a digital Geneva Convention

Mr Smith goes to Switzerland

UN General Assembly

Microsoft president Brad Smith appeared before the UN in Geneva to talk about the growing problem of nation-state cyber attacks on Thursday.

Smith, also Redmond's chief legal officer, last month publicly accused North Korea of the WannaCry ransomware attack.

During the UN session on internet governance challenges, Smith made the case for a cyber equivalent of the Geneva Convention. He started off by noting the sorry state of IoT security before arguing that tech firms and government each have a role to play in reining in the problem.

"If you can hack your way into a thermostats you can hack your way into the electric grid," Smith said, adding that the tech sector has the first responsibility for improving internet security because "after all we built this stuff".

Microsoft is doing its bit by using a combination of technology and legal action to seize hacked domains at the centre of attacks. Redmond has helped customers in 91 countries by seizing 75 such domains, Smith said.

In addition, Microsoft spends $1bn on security innovation a year.

International tensions are increasingly spilling out into cyberspace including alleged Russian meddling through leaks and social media propaganda during last year's US presidential election and attacks on banks hooked up to the SWIFT banking network and digital currency exchanges, supposedly by units of North Korean intelligence. Further back there's the infamous Stuxnet sabotage campaign against Iranian nuclear facilities, a joint US/Israeli operation.

"Nation states are making a growing investment in increasingly sophisticated cyber weapons," Smith said. "We need a new digital Geneva Convention."

"Government should agree not to attack civilian infrastructures, such as the electrical grid or electoral processes," he said, adding that nation states should also agree not to steal intellectual property.

Existing rules for political advertising in print and broadcast media should be extended to social media, Smith suggested. A framework to extend existing international law into the realm of cyber-conflict already exists in the shape of the Tallinn Manual.

Smith argued that tech companies needed to be neutral in cyber-conflict and help their customers wherever they might be.

Workers and consumers also have a part to play, particularly when it comes to resisting phishing emails.

"90 per cent of attacks begin with someone clicking on an email... We need to protect people from their bad habits," he noted. ®


Biting the hand that feeds IT © 1998–2017