Written byDave Aitel
Microsoft President and Chief Legal Officer Brad Smith has been pounding the pavement all year asking for a “global cyber Geneva Convention” in the face of threats facing his employer’s software and the greater internet at large.
It’s a pipe dream and I’ll tell you why.
Any global effort works best when there are clear answers. For instance, there is a clean line between “nuclear war” and “not nuclear war.” The cyber domain is different. While there is some consensus within Microsoft that’s driven by business concerns and hyped as social concerns, there isn’t the same consensus within or between global governments. We don’t even know the trade-offs that would be implied by the things Microsoft is asking for: a barrier on the trade of “cyberweapons” resulted in massive outcry when it was codified in the Wassenaar Arms Control Arrangement last year, some of which came from the very same people at Microsoft who rightfully realized it would severely slow progress on defensive technology as well.
To put it more clearly, the problem is a fractal. The U.S. government cannot agree on any one cyber issue, but if you drill down, neither can the Department of Defense, and if you go deeper, the NSA cannot agree with itself on these issues. No matter how far down the chain you go, there are competing initiatives.
Both sides are right in their own way. This is why we both fund efforts to stand up and break down Tor. When Hillary Clinton was Secretary of State, she gave a speech advocating a censorship-free Internet while also trying to prosecute Julian Assange. Every aspect of the cyber problem is linked and multifaceted, and we come down on both sides of the argument every time.
What Microsoft is driving at is a world where all hacking is off limits for governments forever, and vulnerability research would be strictly controlled in order to prevent it from “getting into the wrong hands.” Even if Smith and Microsoft are successful in that endeavor, it would only result in empty words rather than a more secure global society. Aside from the obvious fact that governments are unlikely to give up the ability to perform cyber operations, and that the lines in cyber resemble a toddler’s finger painting, this is the wrong fight for Microsoft to wage.
In order to understand why a “global cyber Geneva Convention” would miss the mark, let’s look Microsoft’s possible motivations and how we got to this point overall.
The nightmare scenario Microsoft is trying to protect themselves from has nothing to do with the ShadowBrokers’ ETERNALBLUE exploit, which was fed into the WannaCry ransomware worm. Keep in mind, every worthy SIGINT team around the world could use their own internal exploits to release two WannaCry-level worms a month in perpetuity until Microsoft could no longer sell their OS.
The real scenario that scares Microsoft is the Shadow Brokers having the capability to access internal Microsoft information. The group could hypothetically leak that information, which would possibly include the giant volumes of vulnerability information in the Microsoft Bug Database.
So while it may be Russia’s GRU or some other elite nation-state hacking group, Microsoft — like every other company on the planet — lives at the will of the highly talented and well-financed digital spy apparatus. That’s a level of risk that Microsoft can’t have on the balance sheet.
So for Microsoft to push for a “global cyber Geneva Convention” is a selfish distraction from where governments’ should be concentrating when it comes to establishing future norms in cyberspace. While Microsoft’s efforts here are largely focused on preventing the release or use of software vulnerabilities, our real strategic issues have little to do with software bugs.
One such vulnerable area is cyber economic espionage: What changed with the Chinese-U.S. agreement is not what organizations were targeted or what information was taken from those targets. What changed — in theory at least — is what the Chinese do with that information on their end: Do they give it to competitors of U.S. companies, or do they use it only for strategic intelligence needs, as we hope they do under threat of massive sanction? In other words, we have no way to police their behavior on this issue by looking at our own systems and networks.
Moreover, supply chain attacks are even more dangerous for businesses. All you have to do is look at Cisco and what they have learned from their routers being trojaned before being delivered to customers. Yet when this happens with Huawei equipment, you don’t see a policy from the Chinese government saying they do the same thing.
Those two examples just scratch the surface. We haven’t discussed the chaos around cryptographic backdoors, customer data warrants, custom software versions like the “Red Flag” OS Microsoft was forced to build in China, internet censorship, software export control and data localization.
These topics demonstrate the difficulty of any international agreement that focuses on norms that are very important to our industry, especially in an environment where almost all the real data is cloaked under high levels of classification. But the bigger issue with a “digital Geneva Convention” is that the focus is on vulnerabilities and “hacking” instead of the much bigger questions surrounding the circulatory barrier between private and public interests.
While the U.S. government has been quite open about its efforts to help the private sector wherever possible, (VEP, ICOnTheRecord, self-limiting how long we store traffic from foreigners, sanctions efforts, etc.), there’s no sign that the world is ready to follow our lead. The ShadowBrokers’ activities are widely assumed to be a Russian-led effort, yet other Governments have been quite aggressive in bypassing any and all norms in the cyber area. Even the much-touted United Nations and NATO agreements have been about “broad principles,” which are unenforceable in any practical way.
Ideally, a “global cyber Geneva Convention” would result in a sustainable global framework that handles these strategic issues. How vulnerabilities are handled is both too small an issue in comparison and unlikely to be followed by the majority of the world’s governing bodies. This week, as we face down Russian efforts to attack power plants, recognized norms seem as far away as humans on Mars, no matter how nice they would be for Microsoft’s shareholders.
The painful truth that we would learn from any honest discussion around limits tied to offensive capabilities is not that the world’s governments disagree with each other, but that every government disagrees internally. This is as true in Germany and China, as it is in the U.S. It is also true that corporations’ place in our world and our how our wars are conducted has changed, and that has come with how the internet has changed in how humans organize.
Microsoft has always been a leader when it comes to information security, and this is as true with the legal issues surrounding them as it is technologically. A “global cyber Geneva Convention” is never going to happen, and we should not treat the idea as if it was a realistic way forward until we, internally, can agree on a single and coherent position.
Dave Aitel is the CEO of Immunity Inc., and the organizer of Infiltrate — an annual security conference focused solely on offense. A former NSA “security scientist” and a past contractor on DARPA’s Cyber Fast Track program, he is also a member of the U.S. Department of Commerce’s Information Systems Technical Advisory Committee.