Can Microsoft’s GC convince governments to convene a new “Geneva Convention” to combat state-developed malware?

We have heard reports that the U.S. has attacked Iran with cyberweapons in the past week. Last week, the New York Times reported that the US has placed malware beacons within systems that operate Russia’s civilian electricity grid. This is apparently in response to the Russians taking similar aggressive steps regarding the US civilian power infrastructure. Moreover, there have been numerous recent examples of malware attacks on U.S. municipalities, Baltimore and Philadelphia among them. Early reports have identified the culprit in the Baltimore infection as “Eternal Blue,” a malware tool developed by the US Government’s National Security Agency (NSA) as a cyber-weapon. It looks like these reports got ahead of the story and according to one well-placed expert there is no evidence that “Eternal Blue” infected Baltimore’s computers. The electronic filing system operated Philly’s court system is down due to a malware infection and it has not promised users any date for a fix. The court has not specified the cause of the problem nor a date for its resolution.

Brad Smith, GC of Microsoft, ever trying to get ahead of things, has offered the “big think” solution of a “Digital Geneva Convention” to protect the public from marauding governments conducting cyber-warfare. Smith’s idea, originally set out in a blog post in 2017, was that government should not target “civilians” meaning the tech sector and critical civilian infrastructure, a direct analogy to the protection of civilians and other non-combatants promised by the well-known Geneva Conventions on the rules of warfare.

Business and tech people interested in this might seek out a lawyer to advise on the prospects for such a treaty coming about. Unfortunately, predicting the success of this type of effort is not within the skill set of most lawyers. Training and experience predispose lawyers to offer advice anyway, but the analytical bag of tricks of most practicing lawyers also bias them to see the question as one of what a treaty “should say” or how the treaty would be enforced rather than one demanding that they predict the likely outcome of any treaty negotiation or accurately weigh the prospects for governments to commit to such a negotiation in the first place. This the type of question when having a friend trained academic international relations theory and knowledgeable of real-life case studies can come in handy.

If he were successful, Smith would need to convince the very governments that are potential sources of malware to hang their weapons by the door. He can’t do this as an exercise in writing private standards with his peers (brokered over dinner at Davos or dancing at Burning Man) so its hard to know what he has in mind as a strategy for achieving this aim. International relations theory does not offer much optimism that Smith will convince big powers like the US, Russia and China to make “credible commitments” and cede enforcement to an international authority, let alone “rogue states” such as Iran and North Korea. Theory says that a big power like the US should be willing to cede some of its freedom of action only if it believes that it will win more valuable concessions from others at the outset if they are perceived as willing to be subject to the same rules and enforcement risk as other states. In this case, Russia, China or Iran will only agree to limit their own programs if the design of the treaty is such that the US can be found guilty and sanctioned according to the same rules as everyone else. The willingness of the players to agree to this type of arrangement also depends on the length of what game theorists call the “shadow of the future” — the degree to which future outcomes are valued as set against the risks of no agreement and the costs of reaching an agreement. If the US is present-minded on the opportunities to exploit cyber-weapons— i.e. it is unimpressed by pleas by the IT giants about future US dominance of AI and the next industrial revolution — it is unlikely to suffer much risk or pay costs of negotiating.

Nevertheless, the US and Russia and to a lesser extent other states have a track record of entering into arms control treaties with some teeth. Moreover, the interest of all to protect the global IT infrastructure (the cloud and AI tools) from balkanization, should remain keen, especially for the US whose firms are in the best position to capitalize on opportunities afforded by open global platforms.

The Geneva Convention itself (really a series of conventions dating from 1864 with a substantial updating in 1949 and several protocols since) would appear to be the model Brad Smith has in mind. Its origins are unique, however, as it emerged in the very different circumstances of the mid-nineteenth century and it took its modern form in the very special environment immediately after WWII, when memory of Nazi crimes and the atrocities of the Spanish Civil War and the War in the Pacific were fresh in delegates minds. For purposes of judging the likely shape of any Digital Geneva Convention, more recent arms control treaties serve as better points of comparison.

The first category of examples are nuclear arms control treaties between the United States and the Soviet Union, of which only the current Strategic Arms Reduction Treaty (New START) is currently in force. The US suspended its compliance with the Anti-ballistic Missile (ABM) Treaty in 2002 and the Trump Administration has formally withdrawn from the Intermediate Nuclear Forces (INF) Treaty. The second is the Treaty on Non-proliferation Nuclear Weapons (NPT) that is enforced by the International Atomic Energy Agency (IAEA). The Third is the Chemical Weapons Convention (CWC) enforced by the Organization for the Prohibition of Chemical Weapons (OPCW).

The ABM and the INF Treaties were bi-lateral treaties between the US and the Soviet Union and the New START Treaty between the US and Russia. The ABM Treaty emerged out of the SALT I talks and was signed in 1972. It banned the signatories from testing and deploying specified anti-ballistic missile systems. The INF Treaty was negotiated as the Cold War was winding down in 1988 and banned certain classes of intermediate range land-based missiles. New START was signed in 2012 and limits the strategic nuclear arsenals of the US and Russia to hard caps and is the only one of the treaties still in force. Each of these arms control treaties contained elaborate declaration and verification protocols. The nature of the missile systems made hiding the programs difficult and the exchange of information and offering the recourse to inspections helped make the commitments credible. The collapse of the ABM and INF treaties points out the limits of its design. As a bi-lateral treaty, the INF did not include China, a fact that made the treaty less and less relevant to the parties over the years. ABM no longer met the needs of the US and it went ahead with basing defensive missiles in Europe after assuring the Russians that they were in response to threats from Iran and other “rogue nations.” A “Digital Geneva Convention” would require at least the US, Russia, China, North Korea Israel and Iran to sign on to a credible framework for limiting cyberthreats and sharing information on vulnerabilities with affected private actors. Verification would appear to be a much more challenging task for cyber weapons, as these technologies can be developed anywhere and by their very nature are are tested and deployed in ways that are very difficult, if not impossible to detect and verify.

The NPT would seem to be a more promising precedent. It is a multi-lateral treaty with 93 signatories and a total of 191 state parties agreeing to abide by its provisions. More states have ratified NPT than any other arms control treaty. Under its provisions there are five recognized nuclear weapon states: US, Russia (as successor to the Soviet Union), United Kingdom, France and China. States who are not recognized nuclear powers agree not to develop nuclear weapons programs, gain access to civilian nuclear technology and accept obligations to open their facilities to inspections by the International Atomic Energy Authority (IAEA). On the surface, this is encouraging precedent for Brad Smith’s Digital Geneva Convention. The history of the negotiation and enforcement of the NPT reveal that there was a great deal of collusion between the US and the Soviet Union, who wished to enshrine their dominance in the field of nuclear weapons, and effectively worked in parallel to pressure their Cold War allies and client states to tow the line and sign-on. The bipolar logic of the Cold War no longer characterizes the emerging world order in the early 21st century. It is difficult to imagine Russia and the US collaborating and successfully pressuring other states like China, Israel, Iran and North Korea to voluntarily accept limits on their freedom to conduct cyber-warfare. Also, the very design of the NPT treaty enshrined the oligopoly of the existing nuclear powers. A Digital Geneva Convention that protected the cyber-terror capabilities of states with sophisticated programs would undermine the intent of any new treaty to limit state-authored cyber-threats.

The Chemical Weapons Convention has features that make it a touchpoint of optimism. It was entered into in the 1990s after the Cold War. It quickly has been acceded to by a vast majority of UN members (Egypt and Syria are notable non-signatories), and for the most part the signatories have complied with the disclosures of capabilities and the deadlines for ending weapons programs and destroying stockpiles of weapons. The inspection system recognizes that many chemicals are “dual use” (i.e. they can be used for warfare or for civilian applications like pesticides) but permits members to order “challenge inspections” of suspect facilities. The CWC emerged out of bi-lateral arms’ control talks between the US and the Soviet Union. There is record that both parties believed that chemical weapons provided more benefit to the armies of smaller developing countries than to large modern forces of the superpowers. The treaty emerged in the immediate post-Cold War period marked by unchallenged US hegemony and recent history of use by Saddam Hussein of chemical weapons in the Iran-Iraq War and concern about “weapons of mass destruction” in the hands of dictators. Regional powers it seems were willing to agree partly for the perceived benefits be on the “good list” of responsible countries but also to gain leverage against regional rivals. The circumstances of its adoption give pause to any easy application of the case to Brad Smith’s “New Geneva Convention” on cyber-weapons.

To sum up, it is difficult to see much progress towards a Digital Geneva Convention. The reasons are:

1. The leading powers have little incentive to limit their activities, given the distribution of cyber-warfare capabilities around the world.

2. Detection and verification regimes will be difficult to design and will be easy to circumvent, even more so than under NPT or CWC.

3. The types of exceptions built into other arm’s control treaties (grandfathering existing nuclear weapons powers under the NPT, focussing on specific systems and capabilities in strategic arms control or leaving the application of the treaty to “dual use” technologies in CWC) would limit the usefulness of any treaty in a fast-moving area where new tools are being developed and vulnerabilities identified.

Institutional design for any new “convention” on cyber-security will have to be either riddled with exceptions or include pre-negotiated exit ramps. Will defining the necessary exceptions to give big powers the confidence that their national security not be undermined yet not rob it of all usefulness? Will the existence of any treaty enshrine an important norm against targeting civilian infrastructure and thereby empower civil society and private tech companies to hold states to a higher standard of conduct than would otherwise be the case? Realism cautions that any Treaty will not be perfect, but perfect may be the enemy of the good. Maybe a treaty with loose commitments but that enshrines a principle is something that the tech giants value as an end itself.