
The Need for a Digital Geneva Convention - doener
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/
======
tptacek
The Geneva Conventions have whatever teeth they have precisely because they
don't prohibit war. But these recommendations would more or less prohibit
signals-based spycraft. It's reasonable to want governments not to spy on each
other. It's not reasonable to expect it, especially since --- probably unlike
most violations of the Geneva Convention --- there's a Prisoner's Dilemma
problem with adhering to these conventions.

~~~
anigbrowl
_It's reasonable to want governments not to spy on each other._

Is it? I think governments spying on each other is sort of a good thing,
myself. Insofar as governments have conflicting interests then it makes sense
that they would attempt to understand each others' strategies and seek to
outmaneuver them.

I know some people argue that the world would be a better place if everyone
minded their own business, but that's kinda like kids saying we could solve
crime if everyone would stop being bad. It's a form of wishing the world away,
reflecting an unwillingness or inability to engage with it. Uncertainty and
informational asymmetry are realities of life, hoping to eliminate this
entirely seems irrational to me.

~~~
tptacek
I'm just saying there's an argument to be had. I have mostly your perspective
on this as well.

------
d--b
This is wrong on so many levels. The worst is that it undermines the actual
Geneva Convention by borrowing its name to advocate something totally
different. The Geneva Convention doesn't ask for "no fighting", but rather
gives boundaries to keep fighting within "human-ish" levels.

I think everyone agrees that hacking is not inhumane...

~~~
Teever
And when that hacking results in a power plant in a region being taken offline
and after several days of emergency power several babies in incubators die is
that still humane?

~~~
steverb
And when a power plant in a region is taken offline via conventional means?
That isn't covered by the Current Laws of Land Warfare, why should a digital
version be any different?

~~~
zeveb
I think that it _is_ covered by the laws of war: as long as the military
benefit of attacking the power plant is sufficient to outweigh the collateral
damage, it's legal. If you're wrong, and you lose, then you hang after the war
is over.

~~~
steverb
You are correct. I should have said that it's not prohibited.

------
rrggrr
Inverse = better. Enact products liability legislation that holds software and
hardware makers financially liable to damages due to defects in their products
and watch the attack surface available to state and non-state actors shrink
demonstrably.

Not only will more secure solutions be engineered, but greater resources will
be expended by companies like Microsoft, Apple, Cisco, etc. on UI's,
educational efforts, and features that enhance security.

There is no stopping a state actor through treaty. It's unrealistic and will
cause compliant countries to unilaterally disarm at the expense of non-
compliant actors (e.g. Assad's chemical weapons use in Syria).

~~~
MikusR
This would kill all open-source software.

~~~
mlmlmasd
It only makes sense to apply such rules to closed-source and proprietary
software.

------
DanielBMarkham
It should be noted that the Geneva Conventions were signed immediately after a
war, the signatories were all nation-states (no independent non-state groups),
they were an ongoing process, and not every nation-state signed them. They
have also been violated quite frequently. In fact, if it weren't for the
constant _peacetime_ indoctrination of military officers in signatory nations,
they would be violated a lot more in time of war.

It also should be noted that for a long time there has been a solution for
non-state actors inciting violence upon another state: military trial.
Pirates, no matter what Disney may have you believe, were not the most
friendly folks. The Royal Navy and others hung quite a few in an effort to
establish open seas.

We already _are at war_, it's just nobody wants to come out and say it. So
now is a terrible time to bring this up. Belligerents are going to stall and
hem and haw while they seek tactical advantage. That's not conducive to a
frank discussion. I can't see any of the major nations or third parties
participating in any kind of honest way, sadly.

If we want to start hanging hackers (the bad kind), and I'm not so sure we
aren't just a few decades away from doing that, we need to start having an
honest discussion about just what constitutes an "open internet". And I
imagine there are several nations right now, including the U.S., that do not
have one. That's a great discussion to get started, but this idea is way, way
premature and is based on a ton of assumptions which are not true. Loosely the
analogy might work, but I doubt the authors have thought through exactly what
they're leading us into.

------
kakwa_
Am I the only one who sees this call as deeply misplaced?

The Geneva conventions were written and accepted by governments. Those
governments were acting on the behalf of their people and had (some kind of)
legitimacy. Furthermore, they were acting with a goal of universal humanity
and common interest.

This call is Microsoft asking for global legislation for protecting itself and
other tech companies, which have no legitimacy whatsoever to represent the
common interest.

~~~
rchaud
That is how I read it as well. Something written with absurdly transparent
levels of self-interest.

------
nof
Yo Microsoft, have you looked at the work done by e.g. EFF?

~~~
dzolvd
EFF is what I immediately thought of as well.

------
mempko
When our own government (USA) has violated the Geneva conventions many times
we must keep in mind what the real purpose of the conventions seems to be: to
be a tool to be used against 'the other guys'. The strong against the weak.

~~~
hackuser
> a tool to be used against 'the other guys'. The strong against the weak.

Recently some African countries have withdrawn from the International Criminal
Court on that basis; only the weak are prosecuted. It's inconceivable that a
U.S. leader would be prosecuted, for example.

However, the GC are used by everyone against everyone, including the strong
against the strong, so the strong don't escape scrutiny. I believe U.S. law
requires the government to obey them. For example, the Bush administration
crafted careful (and sometimes convoluted) legal arguments that their actions
complied with the GC - they respected the GC enough to feel they couldn't just
ignore the rules.

On the other hand: The Geneva Conventions are not followed or implemented
perfectly, but neither is any law or rule. International governance is
anarchy; there is no real authority; in that realm, nothing will get nearly
100% compliance.

Do the GC have a positive impact? Now militaries and governments are legally
bound and their people trained to follow these rules, and accusing someone of
'violation of the Geneva Conventions' carries weight. Imagine the world
without them.

~~~
AnAfrican
Not that I disagree with your overall point but :

>Recently some African countries have withdrawn from the International
Criminal Court on that basis; only the weak are prosecuted

Actually only two (Gambia and Burundi) have withdrawn arguing this. And in both
cases, everyone knows the withdrawal is related to their own human rights
abuses.

South Africa has announced its intention to withdraw (don't know if it's
effective) because they believe it hinders its mediation efforts in conflict
zones. (i.e. we cannot help Uganda settle with the LRA because we're bound to
arrest LRA leaders as soon as they set foot in South Africa)

~~~
hackuser
Agreed, thanks for clarifying. I was not addressing the issue carefully.
However, I thought that criticism was more widespread than the countries that
withdrew.

------
Kunix
I am surprised by the number of naysayers here.

Question: Do you have something better to suggest? (something that could
realistically get implemented)

Conventions like the one suggested here are the baseline on agreeing on common
rules. It allows accountability, boundaries, and once accepted open the way to
discuss possible sanctions.

I would much rather see positive steps like this one than no progress at all.

~~~
mcbits
I can't predict if it would actually be better, and I fear you'll say it can't
be realistically implemented, but I would suggest the nuclear option: a
Manhattan Project level of R&D into decentralization.

Problem is, those with the ability to make it happen are essentially the same
people running the massive spy infrastructure while singing platitudes about
privacy and security.

------
vog
Such a Digital Geneva Convention will be utterly useless, and perhaps even
counter-productive, until we have solved the attribution problem.[1]

Until that is solved, we risk misuse of a Digital Geneva Convention to impose
sanctions against innocent players.

Like with the real Geneva Convention, prevention is harder and not that sexy,
but leads to much better long-term results: Invest in improving software
security, run bug bounties, enforce accountability at least for non-free
software. And, of course, resolve the conflict of interests within the state,
e.g. by making clear that police and intelligence are going too far when they
buy zerodays[2] and spread malware[3].

[1] Right now, attributing attacks to their origin is idle speculation. Every
larger attack is initially attributed to the currently popular scapegoats,
with "evidence" that is essentially based on coffee grounds reading.

[2] Buying zerodays creates an incentive for people to keep the
vulnerabilities they found secret, instead of publishing and fixing them.
Moreover, these create an incentive to insert such "bugs" (backdoors) in the
first place.

[3] ... or force others to build backdoors into their software, which is in
effect almost the same as spreading malware.

------
greenyouse
One particular issue that makes this difficult to enforce is the nature of
nation-state cyber weapons. Unlike physical weapons, which can be regulated by
tracking their location or use, cyber weapons are undetectable by design. Less
advanced cyber weapons from weaker programs like North Korea's or Iran's teams
can be found, but the capabilities of major players like the USA, China, or
European countries likely extend far beyond what a company would be able to
detect.

The technology that advanced nation-states are using to do attacks is highly
classified and most likely farther reaching than most people realize. The
documentary Zero Days gives a pretty good overview of how nation-state cyber
attacks have transferred into physical attacks (e.g. taking large power grids
offline, derailing trains, subverting anything that has a PLC, etc.). This
technology has been around for almost a decade. Without knowledge of what kind
of weapons they have, we won't be able to detect them. If these capabilities
fell into the hands of non-nation state actors (terrorists) the damage they
could do could be analogous to a nuclear weapon.

Even if we do discover an attack, it's even harder to attribute a piece of
software to a country. Do you think an advanced nation would leave marks
saying "foobar virus copyright X team 2017"? There's plausible deniability as
well because one country could frame the other to make it look credible and
we'd have no way to know what the truth was.

This program may work well for normal hacking attacks by people or lesser
nation-states but it will not affect the missions for more advanced countries.
Maybe it's worthwhile for stopping some attacks and setting a precedent but it
won't be a silver bullet. I agree with the sentiment though, innocent
civilians and companies should be left out of the crosshairs. It would be good
if major software companies could work together to mitigate damage from
attacks.

~~~
sturmisch77
Nation states have gravitated to cyber because it carries less risk than
espionage in the field, and because of the difficulty of attribution. Despite
a mountain of evidence, Russia denies the DNC hack. The US pretends Stuxnet
didn't happen. And N. Korea obviously is not owning up to Sony.

This puts tech companies in a bind. They want to innovate on society changing
ideas like autonomous vehicles, but with nation to nation cyber attacks, they
are potentially putting civilian lives at risk by doing so.

Will nation states play nice? No one expected direct attacks on private
companies -- then Sony happened. No one expected attacks on a US election. And
no one expected an attack on the grid without declaration of war -- but then
Ukraine. Without defined international norms, anything is on the table -- even
in peacetime.

------
a_imho
_Commit to nonproliferation of cyberweapons_

A cyberweapon performs an action which would normally require a soldier or
spy, and which would be considered either illegal or an act of war if
performed directly by a human agent of the sponsor during peacetime. Legal
issues include violating the privacy of the target and the sovereignty of its
host nation. Such actions include (but are not limited to):

Surveillance of the system or its operators, including sensitive information,
such as passwords and private keys[0]

[0][https://en.wikipedia.org/wiki/Cyberweapon](https://en.wikipedia.org/wiki/Cyberweapon)

------
anigbrowl
Civil or international warfare are bad for business, but trying to handshake
them away with some sort of business compact is about as realistic as 'peace
in our time.' It's going to happen and the time has come to place bets. Trying
to postpone this reality by having a lightbulb moment and asking for the
rulebook isn't going to work. Sorry.

------
sqeaky
Does anyone else see irony in microsoft advocating good behavior?

Just yesterday I was saying that some industries self-regulate well, I even
used video games as an example. Even with their cleaner behavior the past few
years I don't think I want companies like microsoft anywhere near actual
regulation of anything vaguely connected to human rights. I see too many ways
for them to abuse even an advisory role in such regulation.

Maybe they really have turned over a new leaf and microsoft is nothing but
angels, but it is too soon to tell in my opinion.

~~~
JumpCrisscross
Politics is about building coalitions. A good way to ensure nobody joins your
coalition is to pre-sort parties based on some arbitrary measure of
"goodness".

~~~
marcosdumay
Politics is also about knowing when to trust that previous serial killer that
wants your house keys for no good reason, and when not to trust.

~~~
sqeaky
This was exactly my point.

How do we know microsoft won't do something shady to strongly favor themselves
or hurt others? They have done it in the past with standardization groups.

------
MaggieL
Just what we need: more asymmetric warfare.

------
dbg31415
Can we start smaller? Say with a digital bill of rights?

------
yourself92
"Following highly visible and even challenging negotiations, in September 2015
the U.S. and China agreed to important commitments pledging that neither
country’s government would conduct or support cyber-enabled theft of
intellectual property."

LOL. Does anyone actually believe that?

~~~
Eridrus
Sort of [http://www.darkreading.com/attacks-breaches/china-still-succ...](http://www.darkreading.com/attacks-breaches/china-still-successfully-hacking-us-but-less/d/d-id/1325980)

There are certainly challenges, but the threat/intelligence communities have
made a lot of strides in attribution.

If you can attribute attacks, you can retaliate with sanctions, etc. So if you
are credible in your threat of retaliation and the retaliation is meaningful
and proportional, reducing cyber conflict may be possible.

This is certainly a challenging topic, but to draw a parallel; many people
were sceptical of the Iranian nuclear deal, but even the Israelis admit that
the Iranians look to have stopped developing nuclear weapons capabilities.

~~~
vinay427
> many people were sceptical of the Iranian nuclear deal, but even the
> Israelis admit that the Iranians look to have stopped developing nuclear
> weapons capabilities.

It's incredible that people thought Iran would risk devastating sanctions just
to pursue a risky nuclear program that would remain open to foreign
intervention and espionage indefinitely. If Israelis really want peace, they
might consider electing a government that actually promotes that.

------
jjawssd
If Microsoft actually cared they would donate to or support the EFF

------
coldtea
Because the analog one worked wonderfully?

------
zeveb
> 1. No targeting of tech companies, private sector or critical
> infrastructure.

In peacetime, the last item is okay — clearly in wartime it's appropriate to
degrade a foe's infrastructure, consistent with the accepted laws of war and
humane concerns.

I think the private sector ought to be generally off-limits — but surely there
are times when that might not be the case. Do spies never duck through a dry
cleaners'?

I'm negative about privileging tech companies vs. the private sector in
general.

> 2. Assist private sector efforts to detect, contain, respond to & recover
> from events.

Sure, that sounds reasonable.

> 3. Report vulnerabilities to vendors rather than to stockpile, sell or
> exploit them.

I can't possibly imagine that will or should ever happen. Nation-states have a
duty to their citizens to be able to conduct offensive & defensive cyber
operations; a necessary condition of doing so is the ability to stockpile &
exploit vulnerabilities.

There's a gain-loss calculation to be made for reporting any vulnerability: does
the gain to national defense of closing that vulnerability outweigh the loss
to national defense of being able to exploit it against an adversary? I see
absolutely no reason to believe that the answer is automatically 'yes,' or
even _mostly_ 'yes.'

> 4. Exercise restraint in developing cyber weapons and ensure that any
> developed are limited, precise and not reusable.

Restraint of course is laudable. Limited & precise capabilities are obviously
a good thing. Trying to limit reuse, though, seems impossible to ensure in the
general case, and not really desirable anyway. Why restrain makers of software
munitions from using one of the most powerful tools in a software developer's
toolkit: reuse?

> 5. Commit to nonproliferation activities to _[sic]_ cyberweapons.

Meh, I always thought nonproliferation in general is either a case of pulling
up the ladder behind oneself (on the part of states which have already
achieved a capability) or an exercise of wishful thinking (on the part of those
who think that the genie can be crammed back in the bottle). As applied to
cyberweapons, I have difficulty understanding what this is even supposed to
_mean_.

> 6. Limit offensive operations to avoid a mass event.

This is already addressed by the existing laws of war, particularly the
principle of proportionality.

Overall, I imagine this is really meant to be a starting point, not a draft:
there is absolutely no way that a serious person can expect point 3 in
particular to universally hold.

~~~
alexandercrohde
>>> Nation-states have a duty to their citizens to be able to conduct
offensive & defensive cyber operations; a necessary condition of doing so is
the ability to stockpile & exploit vulnerabilities.

You speak of war as though it's some necessary and good force, as opposed to a
0-sum game that has lost all use in modern society.

Am I the only one who thinks that we as a race need to look to an era 200
years out where the very concept of "war" and "nation" is obsolete?

------
examancer
We need to get better at following the current Geneva Convention before we can
hope to enforce a digital version.

~~~
lorenzhs
The two are not mutually exclusive, and the set of people who could work on
either of these is probably mostly disjoint. "Don't fix problem X because
problem Y is more important" isn't a helpful stance if we can work on both.

~~~
JumpCrisscross
Sort of. We can learn from why the Geneva Conventions aren't respected
while WTO rulings are.

~~~
Semaphor
Unless they negatively affect the US?
[https://www.wto.org/english/tratop_e/dispu_e/cases_e/ds285_e...](https://www.wto.org/english/tratop_e/dispu_e/cases_e/ds285_e.htm)

