Microsoft President Brad Smith delivered a remarkable speech at the RSA Conference on February 14, 2017. Two ideas, two big memes, shot out into media reports: 1) we need a “digital Geneva Convention” that would protect civilians from nation-state attacks; 2) private tech firms should become a “neutral digital Switzerland” that looks out for its customers regardless of the demands of governments.
Those catchy ideas generated some superficial media buzz. Cybersecurity and the Geneva Conventions. The Swiss flag flying over the Alps, signifying a lofty neutrality. Two nice metaphors. For now, the buzz seems to have passed. But we think it had some profound implications that should inspire more critical discussion and examination.
Let’s begin by emphasizing what Smith got right. It is important and welcome that the President of a major global provider of Internet-based services is openly identifying nation-states as dangerous attackers in cyberspace, and doing so in a way that does not exempt his own government. Even more important, Smith seems genuinely interested in detaching his company from national allegiances in favor of customer allegiance.
It is also interesting and thought-provoking that Smith is calling for new, global institutions, independent of nation-states, to call out attacks and identify state attackers. He cited the International Atomic Energy Agency as an example of such an independent agency. Perhaps this was a bit naive, but by harking back to the end of World War 2, a time of systemic institutional change, Smith is showing a keen awareness that we are in a period where some of the foundations of the global order are changing.
But Smith did not seem to be thinking about the problem deeply enough. The idea that the world’s governments will get together and create an international treaty that successfully commits states not to engage in cyberattacks seems more like a backwards-looking dream than a realistic option. Cyberspace (and other aspects of globalization) have created tensions and power shifts between (territorial) states and (global or multinational) activity. These changes call into question the feasibility and viability of 20th century-style treaties. Even assuming governments could agree on a treaty, their commitments can’t really be enforced upon sovereign states unless there is some kind of coalition backed by a powerful hegemon. Yet today, the world’s great powers are the primary perpetrators of cyberattacks and the world is increasingly multi-polar. Smith characterized the UN Group of Governmental Experts, which is developing “norms” (which are basically a set of verbally agreed-upon no-nos), as a “big step forward”. We beg to differ. It is a small step, and it may only be a small step sideways. And it’s an initiative that excludes most nonstate actors. The incentives of state actors to engage in cyberattacks, secrecy, and exploitation of undisclosed vulnerabilities remain. What countervailing power is proposed to reverse that direction?
There is a more fundamental re-ordering between public and private power underway, as well as reactionary trends towards nationalism, re-aligning state jurisdictions and cyberspace, and identity politics. The political party now in power in the U.S. didn’t even believe in giving up U.S. control of ICANN and the domain name root, much less in allowing major internet platforms to become “neutral digital Switzerlands.” If there is to be an independent agency, it will have to come from nonstate actors; it will not be an intergovernmental agency like the IAEA or the product of a formal intergovernmental treaty like the Geneva Conventions. And it will take a powerful transnational political movement to back it up.
We can only imagine the kind of pressure companies like Microsoft come under from law enforcement, intelligence and military agencies. That is why it is still difficult for cold-eyed skeptics to trust that such private companies really will put the rights and interests of their ordinary customers ahead of the demands of their states. Still, the fact that Microsoft’s President was willing to issue a 2017 version of the declaration of the independence of cyberspace is heartening. We should follow up on those ideas.