Slashdot Mirror
Microsoft Calls For 'Digital Geneva Convention' (usatoday.com)
Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks. In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon was worrying. From a report on USA Today: In the cyber realm, tech must be committed to "100% defense and zero percent offense," Smith said at the opening keynote at the RSA computer security conference. Smith called for a "digital Geneva Convention," like the one created in the aftermath of World War II which set ground rules for how conduct during wartime, defining basic rights for civilians caught up armed conflicts. In the 21st century such rules are needed "to commit governments to protect civilians from nation-state attacks in times of peace," a draft of Smith's speech released to USA TODAY said. This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks of nations aimed at civilian targets, which appears to effectively mean anything but military servers.
If you want peace you need to start by committing not to attack the other side, only to ever defend yourself.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Just as long as.... as unleashing Clippy on the world is deemed a war crime.
Why not a "digital land mine treaty" while we're at it?
Good luck with that, MS. The adversaries out there are not just nations who might have something to gain by playing fair or following rules due to game theory, but terrorist groups, criminal organizations, heck, even disaffected college students. Unlike conventional weapons that require expensive physical objects, a massive DDoS can be launched from a cast-off 486 as the top level command console as it can from a high-end supercomputer.
The main focus needs to be on "Great Wall of xxx", "xxx" being the country. If this isn't thought of now, it will be done by the government when some cyber-terrorism event happens that gets knee-jerk reactions going (think the USAPATRIOT act.) China has their Great Firewall. Iran is building their own Internet. Australia is in the process of building their nationwide firewall. Blocking attacks from other countries is going to be an issue sooner or later.
A second focus needs to be on LARTing IoT makers to follow a ground up security design. A hub (or hubs for redundancy) and spoke system, so IoT devices do their communication through a hardened hub that only allows the devices to communicate with what sites the signed manufacturer's manifest allows (and 0.0.0.0/0 is not allowed directly.) As it stands now, there is actually a punishment for IoT makers to design any security in their products. Mainly because if v1.0 has a security hole, when IoT maker makes 1.1, all the owners of Device 1.0 will upgrade or else face being pwned. If the IoT maker did updates, they would lose out on that revenue, plus to them, every dollar spent on security is a dollar with no ROI. Unless pressure is placed on IoT makers, we will be seeing exponentially worse DDoS attacks when every fridge, microwave, smart TV, sex toy, and doorbell be used for it.
Thanks to the NSA and CIA, and such "rules" will have so many back doors that they will be useless.
"Well, the best defense is a good offense. Do you know who said that? Mel the Cook on Alice."
ELOI, ELOI, LAMA SABACHTHANI!?
How do you enforce a digital Geneva convention?
You unfriend any nation state from your nation's facebook page if they break the convention? The regular Geneva Convention is hard enough to enforce, a digital one will be even harder because it's harder to prove an actor is really from a location or nation. Even if an assailant traced back to Russia is caught breaking the convention online and Russia "fails to catch" the person responsible they can claim he was a Ukrainian acting on behalf of Ukraine from within their borders.
Even the regular Geneva Convention isn't really respected anymore. You've got the US brazenly violating it in Gitmo. Iraqi troops during the gulf war were violating it. No-one really takes it seriously anymore.
"That's the way to do it" - Punch
The US is a signee of all four Geneva Convention treaties. There were three additional protocols, though the US has only ratified the third, but not the other two. The various treaties that the US has signed:
GC I: Amelioration of the wounded and sick in the armed forces (1949)
GC II: Amelioration of the wounded, sick, and shipwrecked in the naval forces (1949)
GC III: Treatment of prisoners of war (1929/1949)
GC IV: Protection of civilian persons in times of war (1949)
P III: Protection of anyone wearing Red Cross, Red Crescent, or Red Crystal to denote medical/religious personnel (2005)
Signed but not ratified:
P I: Protection of victims of international armed conflicts (1977).
P II: Protection of victims of non-international armed conflicts (1977)
The Geneva Convention treaties are signed by a number of countries who seek to use them as a weapon against their enemy ("they broke the convention treaties, they should be tried for war crimes!") while they don't follow them themselves.
how about an agreement that forces the OS makers off the user's data? No? You mean you'd have to significantly alter Win 10 to pass those new rules?
The Geneva convention and it's relatives and predecessors have been enforced. Yes, it tends to be after the fact, but the war crimes tribunal hasn't had a lack of work. The international community does tend to enforce the rules, either directly or via sanctions, and it appears to have had a major effect in the world.
It's really only a big problem with the offenders are Russia, the US or China. Even then, those powers are hesitant to break international law directly: see for example the US dissembling over the use of torture.