Microsoft's Smith Shines Spotlight on Cyberwar's Effect on Civilians

Brad Smith sometimes uses his perch as Microsoft president and chief legal officer to draw disparate strands of tech, security, privacy, law and international relations together to make a larger point about emerging realities in the world.

He was at it again Tuesday at the RSA Conference in San Francisco, advancing a novel argument about the way cyberwar shuffles the responsibilities of nations, citizens, companies and soldiers.

Here's an excerpt from the speech (emphasis mine):

Let's face it, cyberspace is the new battlefield. The world of potential war has migrated from land to sea to air and now cyberspace. But cyberspace is a different kind of space. Not only can we not find it in the physical world, but cyberspace is us.

For all of us in this room, it is us. Cyberspace is owned and operated by the private sector. It is private property. Whether it's submarine cables or datacenters or servers or laptops or smartphones, it is a different kind of battlefield than the world has seen before. And that puts us in a different position, it puts you in a different position, because when it comes to these attacks in cyberspace, we not only are the plane of battle, we are the world's first responders.

Instead of nation state attacks being met by responses from other nation states, they are being met by us. And as we think about that change in the world, we should reflect upon one other, as well. It's a sobering thing to think about, but consider this: For over two-thirds of a century, the world's governments have been committed to protecting civilians in times of war. But when it comes to cyberattacks, nation state hacking has evolved into attacks on civilians in times of peace.

This is not the world that the Internet's inventors envisioned a quarter of a century ago, but it is the world that we inhabit today. And above all else, I think nation state attacks call on us as employees, as an industry, as private citizens to ask ourselves one fundamental question. What are we going to do?

The point about governments not protecting civilians in cyberwar is a bit overdone. Ask anyone who has both survived being shot and endured being pwnd to say which of the two experiences they'd prefer to go through again, and I think the answer would be pretty obvious. Or, maybe I should say, it is a bit overdone right now. The Stuxnet attacks made physical damage from a virtual attack a documented reality. Still, I suspect that should cyberattacks ever start actually killing or maiming civilians, nations will take a radically more aggressive stance on defending their citizens.

Smith's point about who is currently responsible for defense, though, is a solid one. It's possible to look at IT infrastructure through a lens that reveals that every person connected to the Internet has effectively been conscripted to stand guard at the nation's border. IT departments and security professionals are the first responders to international incidents, just as Smith describes.

Smith's attempt at a solution is what he calls a Digital Geneva Convention with six points. This slide from a related blog post on Tuesday lists the points:

While Smith's description of the new issues we face are largely spot on, five of those six points probably don't have much of a chance. Governments should and probably will beef up efforts on No. 2 (assist private sector efforts to detect, contain, respond to and recover from events). For the rest of the points, the fruits of digital warfare are too alluring to nation states. The costs appear very low compared to the catastrophic effects of kinetic warfare, and cyberweapons are more appealing to state actors due to their deniability.

This Digital Geneva Convention seems unlikely to prevail, but Smith has hit on an enormously important issue about the responsibilities of nation states to their citizens and to their private sectors as they engage in cyber operations against their enemies and allies. Shining a spotlight on the effect of digital warfare on every country's own population elevates an important element in policy deliberations.

Posted by Scott Bekker on February 14, 2017