Creating a Digital Geneva Convention

The opportunity

As the transformational power of cloud computing comes into focus, there are growing concerns about the rise of cyberspace as a battlefield. Effective cybersecurity is critical to international peace and economic stability; however, governments continue to invest in greater offensive capabilities in cyberspace, and nation-state attacks on civilians are on the rise. There is a growing urgency to develop new international rules to protect civilians from nation- state threats in cyberspace, in particular in times of peace.

In short, the world needs a Digital Geneva Convention.

The challenge

The process of creating the Digital Geneva Convention involves formidable challenges and will require political will and commitment from government leaders around the world. Some important foundations have already been put in place upon which we should look to build, including, for example, the rules and principles proposed in 2015 by the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

More work remains to be done, however, to further define the cybersecurity norms that have been already agreed upon, as well as to put forward new proposals. Input from the global information and communication technology (ICT) industry is critical to ensuring that the language of diplomacy accurately reflects the realities of defending technology users at global scale.

Furthermore, work is needed to advance transparency of, and accountability for, state behavior in cyberspace. Any successful implementation will require new mechanisms for dealing with politically sensitive allegations such as attribution. Governments and the private sector need a forum where they can provide evidence to support technical attribution and obtain validation through rigorous peer review. A pragmatic and flexible path to deliver that vision should be identified.

Policy recommendations

Although there are signs of alignment around a small number of international cybersecurity norms, more progress is needed. Process continues to be slow and does not keep pace with technological advances. If we are to avoid the potentially catastrophic effects of cyberwarfare, continuous engagement among relevant actors is essential, and governments must build international rules as they have done in other contentious areas of policy that touch upon sensitive geopolitical issues.

By building on the work done to date, governments, the technology sector and civil society groups can pave the way for a legally binding agreement that will ensure a stable and secure cyberspace. The key clauses at the center of this Digital Geneva Convention should commit states to:

Refrain from attacking systems whose destruction would adversely impact the safety and security of private citizens (i.e., critical infrastructures, such as hospitals and electric companies).

Refrain from attacking systems whose destruction could damage the global economy (e.g., integrity of financial transactions) or otherwise cause major global disruption (e.g., cloud-based services).

Refrain from hacking personal accounts or private data by journalists and private citizens involved in electoral processes.

Refrain from using information and communications technology to steal the intellectual property of private companies, including trade secrets or other confidential business information, to provide competitive advantage to other companies or commercial sectors.

Refrain from inserting or requiring “backdoors” in mass- market commercial technology products.

Agree to a clear policy for acquiring, retaining, securing, using and reporting of vulnerabilities — that reflects a strong mandate to report them to vendors — in mass market products and services.

Exercise restraint in developing cyberweapons and ensure that any that are developed are limited, precise and not reusable. States should also ensure that they maintain control of their weapons in a secure environment.

Agree to limit proliferation of cyberweapons.Governments should not distribute, or permit others to distribute, cyberweapons, and should use intelligence, law enforcement and financial sanctions tools against those who do.

Limit engagement in cyberoffensive operations to avoid creating mass damage to civilian infrastructure or facilities.

Assist private-sector efforts to detect, contain, respond and recover in the face of cyberattacks. In particular, enable the core capabilities or mechanisms required for response and recovery, including computer emergency response teams (CERTs).