Slashdot Mirror


Microsoft Calls For 'Digital Geneva Convention' (usatoday.com)

Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II, which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks by nations aimed at civilian targets, which appears to effectively mean anything but military servers.

17 of 148 comments

  1. Makes sense by AmiMoJo · · Score: 3, Insightful

    If you want peace you need to start by committing not to attack the other side, only to ever defend yourself.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    1. Re:Makes sense by skids · · Score: 2

      Clearly it isn't sufficient to just defend yourself if you want peace.

      In a multi-lateral situation you need to form a community that represents a plurality if not a majority of military power system-wide that agrees to act responsibly and be open enough that other nations can be pretty sure they aren't just appearing to act responsibly.

      Once you have that you shun the worst offenders among those not in the community to deprive but not destroy them, offering them paths back into favor if they start behaving like adults. Some (like North Korea) will take a while to get over their tantrum and realize sitting at the kids table isn't as much fun as it used to be, others will start reforming themselves earlier.

      Then once this all appears to be more or less working or at least maybe possible to get working, you get people angry that they don't have an in-ground pool and that they get called assholes for refusing to frost wedding cakes for gay people to elect an erratic know-nothing to direct one of the leading voices in the community to ignore the fact that one of the kids just wiped snot on the silverware. Wait no, skip that step, it must be a typo, nobody would want that.

      Anyway, as much as I detest the business culture MS stands for, I think they are right... responsible nations need to establish what acceptable behavior is, and then start to apply some peer pressure.

  2. Just as long as.... by downright · · Score: 3, Insightful

    Just as long as.... as unleashing Clippy on the world is deemed a war crime.

  3. Why? So we can violate that too? by xxxJonBoyxxx · · Score: 3, Insightful

    Why not a "digital land mine treaty" while we're at it?

  4. Good luck at that... it isn't just nations... by ctilsie242 · · Score: 3, Interesting

    Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students. Unlike conventional weapons that require expensive physical objects, a massive DDoS can be launched from a cast-off 486 as the top level command console as easily as it can from a high-end supercomputer.

    The main focus needs to be on "Great Wall of xxx", "xxx" being the country. If this isn't thought of now, it will be done by the government when some cyber-terrorism event happens that gets knee-jerk reactions going (think the USAPATRIOT act.) China has their Great Firewall. Iran is building their own Internet. Australia is in the process of building their nationwide firewall. Blocking attacks from other countries is going to be an issue sooner or later.

    A second focus needs to be on LARTing IoT makers to follow a ground-up security design. A hub (or hubs for redundancy) and spoke system, so IoT devices do their communication through a hardened hub that only allows the devices to communicate with what sites the signed manufacturer's manifest allows (and 0.0.0.0/0 is not allowed directly.) As it stands now, there is actually a punishment for IoT makers to design any security in their products. Mainly because if v1.0 has a security hole, when the IoT maker makes 1.1, all the owners of Device 1.0 will upgrade or else face being pwned. If the IoT maker did updates, they would lose out on that revenue, plus to them, every dollar spent on security is a dollar with no ROI. Unless pressure is placed on IoT makers, we will be seeing exponentially worse DDoS attacks when every fridge, microwave, smart TV, sex toy, and doorbell can be used for it.
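    As an added illustration of the hub-and-spoke design described in this comment (example code, not the commenter's or any vendor's), the following models the hub-side check: a manifest is accepted only if its manufacturer signature verifies and none of its allow entries is a catch-all such as 0.0.0.0/0, and a device's outbound connection is then permitted only if it matches an allow entry. The manifest format, the HMAC-SHA256 signing with a hub-provisioned key (a placeholder standing in for a real asymmetric manufacturer signature), the /16 breadth limit and all addresses (documentation ranges) are assumptions constructed for the example.

```python
"""Hub-side egress policy for a hub-and-spoke IoT network (added example).

Assumptions, all constructed for this example:
  - manifest is JSON: {"device": str, "allow": [{"net": CIDR, "port": int}, ...]}
  - the manufacturer signs the canonical JSON with HMAC-SHA256 using a key
    provisioned on the hub (placeholder for a real asymmetric signature)
  - any allow entry wider than a /16 is treated as a catch-all and rejected
"""
import hashlib
import hmac
import ipaddress
import json

MANUFACTURER_KEY = b"example-manufacturer-key-not-real"  # placeholder key
MAX_ALLOWED_PREFIX_ADDRESSES = 2 ** 16  # reject anything broader than a /16


def canonical_bytes(manifest: dict) -> bytes:
    """Deterministic serialization so the signature does not depend on key order."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANUFACTURER_KEY) -> str:
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_signature(manifest: dict, signature: str, key: bytes = MANUFACTURER_KEY) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def validate_allow_list(manifest: dict) -> list:
    """Return a list of problems; empty means the allow list is acceptable."""
    problems = []
    for entry in manifest.get("allow", []):
        try:
            net = ipaddress.ip_network(entry["net"], strict=True)
        except (KeyError, ValueError) as exc:
            problems.append(f"bad entry {entry!r}: {exc}")
            continue
        if net.num_addresses > MAX_ALLOWED_PREFIX_ADDRESSES:
            problems.append(f"{net} is a catch-all or overly broad prefix")
        port = entry.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"{entry['net']} has invalid port {port!r}")
    return problems


def load_manifest(document: str, signature: str, key: bytes = MANUFACTURER_KEY) -> dict:
    """Parse, verify the signature, then validate; raise ValueError on any failure."""
    manifest = json.loads(document)
    if not verify_signature(manifest, signature, key):
        raise ValueError("manifest signature does not verify")
    problems = validate_allow_list(manifest)
    if problems:
        raise ValueError("manifest rejected: " + "; ".join(problems))
    return manifest


def egress_allowed(manifest: dict, dst_ip: str, dst_port: int) -> bool:
    """Default-deny: permit only destinations covered by an allow entry."""
    addr = ipaddress.ip_address(dst_ip)
    for entry in manifest["allow"]:
        net = ipaddress.ip_network(entry["net"], strict=True)
        if addr.version == net.version and addr in net and dst_port == entry["port"]:
            return True
    return False


# Constructed manifests using documentation address ranges (TEST-NET-2/3).
GOOD_MANIFEST = {
    "device": "example-thermostat-v1",
    "allow": [
        {"net": "203.0.113.0/24", "port": 443},   # vendor cloud endpoint
        {"net": "198.51.100.7/32", "port": 123},  # vendor NTP server
    ],
}
BAD_MANIFEST = {"device": "example-camera-v1",
                "allow": [{"net": "0.0.0.0/0", "port": 443}]}


def demo() -> dict:
    """Exercise the accept/reject paths; returns a dict of outcomes."""
    results = {}
    good_sig = sign_manifest(GOOD_MANIFEST)
    manifest = load_manifest(json.dumps(GOOD_MANIFEST), good_sig)
    results["cloud_https"] = egress_allowed(manifest, "203.0.113.10", 443)
    results["cloud_ssh"] = egress_allowed(manifest, "203.0.113.10", 22)
    results["random_host"] = egress_allowed(manifest, "192.0.2.1", 443)
    try:  # catch-all manifest is refused even though it is correctly signed
        load_manifest(json.dumps(BAD_MANIFEST), sign_manifest(BAD_MANIFEST))
        results["catch_all_rejected"] = False
    except ValueError:
        results["catch_all_rejected"] = True
    widened = dict(GOOD_MANIFEST)  # allow list edited after signing
    widened["allow"] = GOOD_MANIFEST["allow"] + [{"net": "192.0.2.0/24", "port": 443}]
    try:
        load_manifest(json.dumps(widened), good_sig)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

    The order of checks matters: the signature is verified before the allow list is inspected, so an unsigned or edited manifest is dropped before any of its contents influence hub state, and the breadth check applies even to a correctly signed manifest so a manufacturer cannot ship a catch-all rule.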

    1. Re:Good luck at that... it isn't just nations... by unixisc · · Score: 2

      This is what struck me as well. They explicitly want to address government sponsored cyberattacks, while ignoring cyberattacks by everybody else. Interesting approach for a company that has a very cavalier attitude towards privacy.

  5. Useless idea by Nunya666 · · Score: 3, Interesting

    Thanks to the NSA and CIA, such "rules" will have so many back doors that they will be useless.

    1. Re:Useless idea by Opportunist · · Score: 2

      Well how would they know what rules to break if no rules exist? You take the fun out of being a three letter agency!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  6. In the words of Ed Grooberman... by Lead+Butthead · · Score: 4, Funny

    "Well, the best defense is a good offense. Do you know who said that? Mel the Cook on Alice."

    --
    ELOI, ELOI, LAMA SABACHTHANI!?

  7. Enforcement by Oswald+McWeany · · Score: 5, Insightful

    How do you enforce a digital Geneva convention?

    You unfriend any nation state from your nation's facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.

    Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.

    --
    "That's the way to do it" - Punch

  8. Re:The US failed to ratify the Geneva Conventions. by Rakarra · · Score: 5, Informative

    The US is a signatory of all four Geneva Convention treaties. There were three additional protocols, though the US has ratified only the third, not the other two. The various treaties that the US has signed:
    GC I: Amelioration of the wounded and sick in the armed forces (1949)
    GC II: Amelioration of the wounded, sick, and shipwrecked in the naval forces (1949)
    GC III: Treatment of prisoners of war (1929/1949)
    GC IV: Protection of civilian persons in times of war (1949)
    P III: Protection of anyone wearing Red Cross, Red Crescent, or Red Crystal to denote medical/religious personnel (2005)
    Signed but not ratified:
    P I: Protection of victims of international armed conflicts (1977).
    P II: Protection of victims of non-international armed conflicts (1977)

    The Geneva Convention treaties are signed by a number of countries who seek to use them as a weapon against their enemy ("they broke the convention treaties, they should be tried for war crimes!") while they don't follow them themselves.

  9. Nice by iampiti · · Score: 3, Funny

    How about an agreement that forces the OS makers off the user's data? No? You mean you'd have to significantly alter Win 10 to pass those new rules?

  10. Re:The US failed to ratify the Geneva Conventions. by ceoyoyo · · Score: 3, Informative

    The Geneva convention and its relatives and predecessors have been enforced. Yes, it tends to be after the fact, but the war crimes tribunal hasn't had a lack of work. The international community does tend to enforce the rules, either directly or via sanctions, and it appears to have had a major effect in the world.

    It's really only a big problem when the offenders are Russia, the US or China. Even then, those powers are hesitant to break international law directly: see for example the US dissembling over the use of torture.

  11. No, we need a right to strike back by Khyber · · Score: 2

    A guaranteed right for civilians to strike back against state-sponsored attacks that should not be targeting them should be enshrined into law. All forms of warfare. Collateral damage? No fucking longer, because it will be your ass.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  12. Friendly challenge by hackwrench · · Score: 2

    I've twice tried to submit a story where we could all get together and issue our friendly challenges regarding Slashdot but they were declined. Eventually I'll likely work up the gumption to try again. Anybody else like to have a go?

  13. Re: The US failed to ratify the Geneva Conventions by cyber-vandal · · Score: 2

    Where do you buy security breeches? The normal ones I wear are forever letting me down.

  14. How about digital NATO instead, by John.Banister · · Score: 2

    where all the signatory companies agree to spend a minimum percentage of gross profits on making their products secure. And, they could agree to cooperate with other digital defense treaty companies on security matters.