Cybersecurity has risen to the top of both national and international agendas. As the President of China, Xi Jinping, said in 2014, “without cybersecurity there is no real national security”. (1) The first documented national security directive on communications and computer security was prompted by a Hollywood movie, War Games, that unsettled the then US President Ronald Regan already in 1983. (2) However, 9/11 and the ‘War on Terror’ ended up relegating cyberspace to a secondary security consideration.
The cyber-attacks against Estonia in 2007 brought some attention back to the digital territory, particularly around the legal aspects of cyber warfare and military operations. The boom of the digital economy and the datafication of businesses and society has now put the private sector at the center of cybersecurity debates. Recent data mismanagements, such as the breach that affected some 57 million Uber customers or the revelations that Facebook compromised the data of millions of their users, highlight the central role that the private sector plays in cybersecurity. Undeniably, corporations are key players in the digital realm — whether it is as distributors of malicious software, victims of cyber-attacks, or first responders to security breaches.
In this climate of cyber insecurity, Microsoft put forward last year the idea of a ‘Digital Geneva Convention’ to regulate cyber-attacks, sparking both criticism and support. This proposal exposes a fundamental question that has been long overlooked. What is the role the private sector should play in cybersecurity policy, and how can this co-exist with the traditional responsibilities of states?
The cyber weapons market and the militarisation of cyberspace
The first part of understanding cybersecurity is grasping the breadth of the threat. The digital space has become a very crowded domain, with cyber threats coming from a range of sources.
The security company Symantec reported that they encountered 357 million variants of malicious software, or malware, in 2016. The market for malware is booming, and it caters to different budgets and purposes. A password-stealing ‘Trojan’ can be bought for as little as $25, while ransomware kits that freeze or steal files demanding a ransom can reach $1,800. Other offers include Distributed Denial of Service (DDoS) attacks, making an online service unavailable by flooding it with traffic from multiple sources. The fees vary depending on the target and the duration of the attack. (3)
Some firms have also found a market niche in offering intrusion products, which work by installing malicious software onto a device. UK human rights watchdog Privacy International’s in-depth research of the global surveillance industry reveals 528 companies involved in the design and distribution of this technology — all located in traditional arms exporting states.(4) While malicious software is not new, the trade at commercial scale is.
Like any other underground market, the malware economy is difficult to estimate. Despite figures not being publicly available, researchers have made solid attempts at studying the market for cyber weapons, particularly those transactions concerning ‘zero-day’ vulnerabilities — flaws unknown to the software maker that can be then exploited until the weakness is found and patched (5).
Edward Snowden’s disclosures revealed that the US National Security Agency (NSA) uses and purchases zero-days, having budgeted in the past at least $25 million to purchase software vulnerabilities (6). The CIA also maintains its own arsenal of cyber weapons, according to 8,761 files published by Wikileaks in March 2017. The vulnerabilities market is not only restricted to the US, though. At least Israel, Britain, Russia, India, Brazil, North Korea, Malaysia, Singapore, and Middle Eastern intelligence services also participate in the market as buyers (7).
However, the most immediate cybersecurity problem is not the trade but the stockpiling of vulnerabilities. When state actors purchase software vulnerabilities and they do not inform the companies that have the capacity of patching them; users, economies, and societies become more vulnerable to hacking and cyber-attacks. When a vulnerability is kept secret, malicious actors can discover or steal it, and subsequently use it against any target of their liking or sell it. In addition, cyber weapons differ from physical weapons in that when the malware is deployed, parts of the code can be repurposed and integrated into new malware that can even be more harmful than its predecessor (8).
Large-scale cyber-attacks such as ‘Stuxnet’, the US-Israeli malware that caused the centrifuges of an Iranian nuclear plant to malfunction, or more recently ‘NotPetya’, which built on the ransomware ‘Petya’ that primarily attacked Ukraine, have put under the spotlight the role that states are playing in cyber arms proliferation. At the core is a tension between national security and public cybersecurity. ‘Heartbleed’, a major security vulnerability that was made public in 2014 and rose suspicions of having been earlier discovered by the NSA, prompted the White House to affirm that they have a bias towards disclosing vulnerabilities rather than stockpiling them (9).
However, this policy was challenged last year by Microsoft in light of the NSA computer codes leaked by Shadow Brokers. Some of this malware, such as the exploit ‘Eternalblue’, which takes advantage of a vulnerability in a Microsoft protocol, was later partially incorporated into ‘NotPetya’ and ‘Wannacry’ cyber-attacks. The latter alone affected more than 150 countries, targeting among many others the National Health Service in the UK, power companies in Spain, a library in Oman, and the Norwegian soccer team. It is worth noting though, that according to the most comprehensive research to date, the figures of non-disclosed zero-days by the US Government are only in the single digits every year (10). This discrepancy in the level of vulnerabilities stockpiles shows the opacity surrounding offensive cyber capabilities.
States are not only developing their own cyber arsenals, they are also creating cyber armies or funding loosely affiliated groups that can perpetrate sophisticated attacks. For instance, the Pentagon has increased its cyber staff from 1,800 people in 2014 to 6,000 in 2016 (11). China has built information operations units to research and deploy defensive and offensive cyber capabilities, (12) while Russia maintains a network of ‘volunteers’ (13).
The intensification of states’ activities is prompting reflections around the militarisation of cyberspace. Notably, during the Warsaw Summit of July 2016, NATO recognised cyberspace as a “domain of operations in which NATO must defend itself as it does in the air, on land, and at sea.”(14) The US had already made such a declaration five years earlier (15). Meanwhile, cybersecurity initiatives and budgets balloon to protect against some of the offensive capabilities that were originally developed, in many cases, by nation-states.
The role of the private sector in cybersecurity
A recent survey of 726 companies across 79 countries revealed that the threat of cyber-attacks is the biggest concern of businesses, from small firms to large corporations (16). As the ex-CEO of Cisco put it “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked” (17). While the estimates vary, the global cost of cybercrime was valued at $375-$575 billion in 2014 (18). With an increasing part of the global economy becoming digital, these costs will continue to grow, up to $2.1 trillion by 2019 (19).
Correspondingly, the rise of the global cybersecurity sector has also been significant in little more than a decade. In 2004, the global cybersecurity sector was valued at $3.5 billion (20), it is now estimated to be at $135 billion (21). In Europe alone, the $22 billion market is expected to grow at an 8% rate to 2018 (22). In the information age, securitising data has become a very lucrative business.
Corporations can fill different roles in cyber space, not only as responders to security breaches or victims of cyber-attacks, but also distributors of malicious software. Surveillance software sold by Israeli and European companies is gradually becoming a tool of choice by nations with poor human rights records. FinFisher, sold by the German company Lench IT, has been reportedly used in 25 countries to monitor political dissidents, activists, whistleblowers, and journalists.
The digital space is generally seen as a domain away from central control, however cyber policy, and in particular arrangements concerning digital tools, is being subsumed under the umbrella of military controls and foreign policy. The EU has incorporated a list of surveillance technologies into the sanction regimes for Syria and Iran, and the US has passed similar measures. At the global level, the current governance system of cyber weapons relies mainly on three instruments: the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (1996), the Budapest Convention (2001), and The Tallinn Manual (23).
Intergovernmental organisations are also active. The OSCE has been leading the only project formally endorsed by states on confidence building measures — much in line with the history of the organisation in monitoring ceasefires and facilitating the exchange of information among militaries (24). Similarly, information security has been on the agenda of the United Nations since 1998 as part of the Committee on Disarmament and International Security. However, the topic did not gain much traction until 2004, with the establishment of the UN Group of Governmental Experts (GGE).
This said, neither states nor corporations have yet come to terms with their multiple roles in cyberspace. The contribution of the biggest technology, software and cybersecurity companies — such as Apple, Alphabet, Oracle, IBM, Symantec, or Checkpoint Software Technologies — is generally limited to commenting on technical aspects, taking part in industry discussions, and proposing market-based solutions. For instance, the two sets of confidence building measures agreed by the OSCE to “reduce the risk of conflict stemming from the use of ICTs” include only a superficial mention to cooperation and engagement with the private sector (25).
While a great deal has been written about the privatisation of security and war in the physical space, the role of the private sector in digital security and defense has been less noticed. This is even more striking given the unique nature of cybersecurity, as the infrastructure is predominantly owned and controlled by the private sector. Indeed, “future conflicts in cyberspace are very likely to be won or lost in the private sector, which runs, owns, and depends on the underlying networks and information, at least in the most advanced economies.” (26)
Microsoft: an Example of leadership in cybersecurity policy?
The use of the Internet as a ‘new battlefield’ is a source of preoccupation for not only policy and decision makers, but also for key stakeholders in the private sector. The most outspoken and recent example among technology leaders is Brad Smith, Microsoft’s President and Chief Legal Officer, who is calling for a ‘Digital Geneva Convention’ in the context of increased cyber-attacks perpetrated by nation-states. While the proposal has received mixed reviews in cybersecurity circles, it is important to understand first how a corporation got to position itself as such an important player in international security.
Microsoft’s prioritisation of cybersecurity can be traced back to an internal memorandum circulated by Bill Gates in 2002, which changed the company’s culture. The email, which is known as the ‘Trustworthy Computing’ memo, acknowledged the importance of placing security at the core of their products and created a team to move the initiative forward. The memo also mentioned the importance of gaining users’ trust by promoting cooperation with other actors:
“Trustworthiness is a much broader concept than security, and winning our customers’ trust…it’s a fundamental challenge that spans the entire computing ecosystem.” (27)
Since then, Microsoft has positioned itself as a pioneering company in steering cybersecurity norms, institutions and principles which engagement is not limited to industry, but also decision and policy makers. In his testimony before the US Senate, the Vice-President of Trustworthy Computing called on the US government to “insist that the private sector be integrated into these international discussions” around cybersecurity norms (28). Microsoft has also been an advocate for the internationalisation of the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (29). As a company present in virtually every country in the world, international cooperation among countries to implement similar laws and norms is vital for Microsoft to maintain its competitive edge in the market.
Microsoft has put forward a large number of proposals on cybersecurity — from industry only groups such as the Software Alliance, to ‘transparency centers’ aimed at serving governments. There are however, two proposals that epitomise Microsoft’s thinking on cybersecurity governance: the International Cybersecurity Norms and the Digital Geneva Convention (DGC).
The Digital Geneva Convention
Both the International Cybersecurity Norms and the Digital Geneva Convention (DGC) span across multiple years and documents. The first white paper published in 2009, Rethinking the Cyber Threat: A Framework and Path Forward, introduced the language and ideas that would develop throughout four subsequent documents, to culminate in the Digital Geneva Convention. This first document outlined the nature of cyber threats and the categories of attacks and called for international cyber norms, understood as agreements on normal and acceptable behaviour, which the paper argued are “necessary and, ultimately, unavoidable”.
The International Cybersecurity Norms and the DGC can be separated into two different proposals, but they are better understood as connected ideas influenced by contextual developments. There is a clear progression of Microsoft towards a more assertive approach on the need to regulate nation-states’ behaviour in cyberspace. This evolution cannot be understood without three key developments: the uncovering of Stuxnet in 2010, Snowden’s surveillance revelations in 2013, and the larger trend of increased attacks sponsored by nation-states.
While the initial proposition of creating cybersecurity norms was an attempt by Microsoft to regain control over an increasingly crowded digital space, the latest proposal of a Digital Geneva Convention is taking it a step further. The DGC is an umbrella term that encompasses three proposals: an attribution organisation that would analyse cyber-attacks and identify the perpretrators, an industry agreement to create a shared set of principles and behaviors that would protect citizens, and binding rules for nation-states.
As abovementioned, Microsoft’s normative approach to cyber governance responds to market forces (customers will not buy products they cannot trust), however the DGC has three distinctive characteristics.
First, it revisits the traditional multi-stakeholder governance model of cyberspace by separating each stakeholder into designated action areas. States would be the signatories of the Digital Geneva Convention, whereas the private sector would commit to their own industry agreement, and an NGO would be in charge of investigating cyber-attacks. Current opposition to the DGC is mostly rooted in the fear that this will drive the current governance system — favorable to Western countries, and the US mostly — toward a multilateral approach, preferred by countries like Russia and China.
Second, the DGC employs humanitarian vocabulary and language similar to that used by civil society groups. Microsoft’s responsibility in cyberspace has been a common thread in past governance proposals, but the DGC furthers this notion by presenting Microsoft as a moral actor looking after the greater good of society. The DGC portrays cyber-attacks as a global humanitarian problem that can only be solved with the contribution of technology companies. Furthermore, it compares the role of IT companies to that of the Red Cross, insofar as they are often ‘first responders’ after a cyber-attack. Corporate statements on the DGC connect collective interest with shared concerns, positioning Microsoft as an actor with universal values. They draw comparisons not only to the Red Cross, but also to the United Nations and Switzerland’s neutrality, and use expressions generally reserved to humanitarian advocacy. Microsoft argues that “we need to recognize that the time has come for us to come together as an industry around the world to call on the world’s governments” (30); and call upon the moral duty of the technology sector:
“We have brought the world together and it has put us in a position to forge perhaps almost a unique level of mutual understanding and respect for the needs of people around the planet” (31).
Third, the proposal is backed by senior leadership. Brad Smith, President and Chief Legal Officer of Microsoft, was in charge of unveiling the Digital Geneva Convention at the RSA Conference in February 2017, and since then he has published at least four articles in support of the idea and extensively campaigned for it at international meetings (32). While previous statements on cybersecurity norms had been acknowledged by other stakeholders, they had never received the levels of attention of the DGC across different international fora. Following the announcement of the proposal, the US government (33) and NATO Cooperative Cyber Defence Centre of Excellence (34) pronounced themselves against it. On the other hand, some technology thought leaders gave their support (35). In April 2018, a year after the DGC was first announced, 34 technology companies — including Facebook — signed up to the Tech Accord. Although it is notable the absence on the list of other tech giants such as Google, Amazon or Apple.
In sum, Microsoft’s DGC not only normalises the participation and leadership of technology companies in global security arrangements but does so on a moral basis, by appealing to solutions that benefit society. Could this be “a revolution in policy-making, equal in its own way to the technological revolution that has sparked it”?(36)
Conclusion: What role for tech giants in cybersecurity governance?
The Digital Geneva Convention represents a new level of engagement unprecedented for a technology company. However, the proposal is flawed at least from an international law perspective. The DGC picks and chooses International Humanitarian Law principles and taglines at its convenience, without fully developing the concepts. For instance, it would have been more logical to introduce the notion of regulating cyber-attacks through the existing provisions that require states to ensure that new weapons, means or methods of warfare comply with international law. More strikingly, Microsoft proposes applying to peacetime conditions a convention that regulates war, while International Human Rights Law would be the applicable body of law — although the DGC is unclear about which exact situations is aiming to cover.
Despite the shortcomings of the Digital Geneva Convention, Microsoft’s increased assertiveness in reaction to states’ behaviour in cyberspace is a good opportunity to debate the role that the private sector should play in such a critical domain. Corporations “have, de facto, become part of the fabric of global governance.”(37) Their role in cybersecurity governance has been, however, largely overlooked. Facebook’s data breach and the subsequent use of the information by Cambridge Analytica to influence voters’ decisions is only another example of the key position that technology giants play in global security issues, even if they are sometimes unwilling participants.
Ignoring the expertise and influence that the private sector has in technology policy will only compound the issues that arise from poor cybersecurity responses. In a global environment where the digital space has an ever-increasing role in national security, technology companies will need to play a more proactive role in the formulation of cybersecurity policies. We see this shift embodied in the Digital Geneva Convention. Determining which weapons can be used by nation-states is a field that has been out of bounds for the private sector, but we now have a company asserting its right to be part of the process — and quite successfully so.
It is time for decision-makers and governments to up their game so crucial global cybersecurity arrangements take in the expertise of the private sector, without elevating the role of technology companies to more than what they are — that is, stakeholders that respond mostly to market forces.
LSE IDEAS is the LSE’s foreign policy think tank. We connect academic knowledge of diplomacy and strategy with the people who use it.
References & Footnotes
About the Author
Raquel Vázquez Llorente is a Senior Legal Advisor at eyeWitness, an organisation that works at the intersection of technology, law and public policy. In 2016 and 2017, she was featured in the Forbes ’30 under 30' list for her contribution to the field of Law and Policy.
