Microsoft released their idea of a “Digital Geneva Convention” to help normalize behavior on the cyber battlefield. The document, linked here, is generally well written and makes a sound case for the need for a document of its type.
The problems start in the second paragraph, where a “Digital Geneva Convention” is compared to other non-proliferation treaties, such as those that exist for chemical weapons. However, a traditional non-proliferation treaty and a “Digital Geneva Convention” would have little in common when it comes to identifying a violator of the treaty. When chemical weapons are developed and/or used, it is relatively easy to attribute a particular action to a nation or group. This is far more challenging in the cyber domain.
As any cyber threat intelligence (CTI) analyst will tell you, attributing any cyber intrusion is difficult and attribution is always tentative. In other words, new evidence might change the attribution to another group. Groups may even attempt to perform false flag operations where they craft a cyber attack to appear as if another group is responsible. While this is relatively easy to do in the cyber domain, it would be largely unthinkable in the physical domain (consider the feasibility of false flag chemical weapons development and proliferation).
Lack of definitions
The document lacks some fundamental definitions, including (for instance) what is defined as an attack. In traditional US Department of Defense (DoD) parlance, cyber espionage impacts the confidentiality of data, while a cyber attack impacts the integrity or availability of the data. However, most business leaders view any impact on the confidentiality of their systems as an attack. It is unclear which definition of the word “attack” Microsoft is using here.
Refrain from attacking systems whose destruction would adversely impact the safety and security of private citizens (i.e., critical infrastructures, such as hospitals, electric companies).
A few selected notes
Microsoft’s proposal to limit acquisition of vulnerabilities in “mass market” software also seems oddly self-serving. It’s not surprising that, as the largest software company in the world, they would hold that view.
Agree to a clear policy for acquiring, retaining, securing, using, and reporting of vulnerabilities – that reflects a strong mandate to report them to vendors – in mass market products and services.
There are some interesting points in the proposal, such as limiting attacks on organizations that engage in incident response. Microsoft’s proposal compares attacking a CERT to attacking civilian hospitals. While the latter is unthinkable, the former is a great source of counterintelligence for offensive cyber groups, so this limit seems wholly unrealistic.
Intervening in private sector response and recovery would be akin to attacking medical personnel at military hospitals.
There are too many points to list individually here, so you are encouraged to read the original proposal (page 2 has most of the good points).
It’s all about attribution
At Rendition Infosec, we’ve investigated a huge number of cyber intrusions. We know how challenging attribution can be. Microsoft knows this as well but fails to address or even acknowledge this fact in their proposal. We believe this undermines the credibility of the proposal, since the attribution challenges will doubtless become known long before any treaty is ratified.
Also, when performing cyber threat intelligence (CTI) reporting, ensure that you define terms (such as “attack”) to avoid ambiguity. Good definitions and upfront discussion of the problem space maximize your credibility on a given topic.
While Rendition Infosec welcomes a cyber domain with better international norms, we also recognize it can’t happen without concrete cyber attribution frameworks – and those are unlikely to be developed any time soon (if ever). Even if cyber attack attribution evolves to a point of being repeatable and reliable, an independent international organization would be needed to prevent inherent biases on the part of impacted nations.