WHY THIS MATTERS IN BRIEF
In some respects we are starting to see the advent of open cyber warfare between competing sovereign nations and unless someone steps in the problem is only going to escalate.
Last year cyber the rise of warfare prompted the US Government to implement a DEFCON scale for cyber attacks, and now, after yet another “global attack,” when the WannaCry ransomware exploit spread across 150 countries and over 200,000 machines the blame for some of these attacks has spread wildly too. As a consequence, and in the aftermath of one of the most destructive ransomware attacks ever Microsoft has used cybersecurity’s latest headline grabbing moment to call for a “Digital Geneva Convention” to limit and defang future cyberattacks.
Redmond has also received some share of the blame. Although Microsoft released a security patch in March that closes the hole the attack exploited it’s thought that thousands if not hundreds of thousands of Windows XP machines are still at risk – at least until that it they’re patched.
On the other hand, said company president Brad Smith the WannaCrypt exploit drew on vulnerabilities the NSA stockpiled but didn’t publicise or even report covertly to Redmond. Instead, hackers stole those vulnerabilities from NSA and the reportedly used them to make WannaCry.
In addition to blaming the spooks, IT departments have also been rapped for being slow to respond to patched vulnerabilities, but above the entire chorus of blame, Microsoft is now also promoting clearer cybersecurity expectations and responsibilities for companies and governments.
“It’s time,” said Smith, “to take a page from the atomic age. What the world needs is a new independent organisation, a bit like the International Atomic Energy Agency that has addressed nuclear non-proliferation for decades.”
“We need an agency that has the international credibility not only to observe what’s happening, but to call the question and even identify the attackers when nation-state attacks happen. That is the only way that governments will come to recognise that this is not a program that will continue to pay off.”
“What we need now is a Digital Geneva Convention,” he added, “we need a convention that will call on the world’s governments to pledge that they will not engage in cyberattacks on the private sector, that they will not target civilian infrastructure, whether it’s of the electrical or the economic or the political variety. We need governments to pledge that, instead, they will work with the private sector to respond to vulnerabilities, that they will not stockpile vulnerabilities, and they will take additional measures.”
Hans Klein, Associate Professor at Georgia Institute of Technology’s School of Public Policy, though says Microsoft is taking some risk in being as pro-active as they are.
“In some ways it’s a daring move by Microsoft,” Klein says, “it opens up the question of global regulation of companies like Microsoft. If we start talking about global public policy, and Geneva Conventions and industry agreements, suddenly it might not just be the governments that are being asked to behave better, and possibly with sanctions backing that up. The companies might be asked or required to behave better too. And that might not be a bad thing.”
For instance, Klein says, what if Windows XP, whose support was cut off back in 2014, is so broadly adopted around the world that governments begin requiring Microsoft to continue supporting XP regardless of its profitability or un-profitability for the company? What if, in other words, Windows XP has become something closer to a public utility?
“When it happened, I thought it was pretty noteworthy that a company could declare that it would no longer support a product like Windows XP,” said Klein, “apparently there was some limited debate [in 2014] but a little less than I expected. But since WannaCry, [the XP debate] might come back. When the hospitals are getting hit hard, maybe there’s a social and public responsibility for Microsoft.”