In an environment of ever-increasing technological complexity, Microsoft has been at the forefront of a conversation to redefine how tech companies not only protect their own customers but also our societies across the globe. In August, Microsoft went public with its plans to better safeguard the cybersecurity of elections and help defend our democracies, warning of cyber-threats to both U.S. political parties ahead of the midterm elections. But that is only the most recent step the company has taken to address the pressing cybersecurity issues that we face.
In fact, the company is working collaboratively to answer what may be the most pressing question of all: How should tech companies respond when governments seek to abuse their technology and the internet for hostile actions or political gain?
Over the past few years, nation state “cybersecurity operations,” which include government hacking, have caused escalating damage to societies around the world. The WannaCry and NotPetya attacks, widely attributed to North Korea and Russia respectively, brought down computer systems, knocking out vital systems at hospitals, banks, and airports. Computers were held for ransom, and many people lost all of their data, with no way to get it back. When states have targeted our communications systems, energy infrastructure, and even our election systems, we are all the victims. But what can we do about it?
Microsoft has been working in collaboration with other technology companies on two laudable initiatives that are meant to limit these attacks:
- the Cybersecurity Tech Accord (Tech Accord) and
- the Digital Geneva Convention (DGC).
These initiatives show promise, but as we explain in our new response paper, “A Digital Rights Approach to the Tech Accord and Digital Geneva Convention,” they also need work to fulfill that promise.
At Access Now, we advocate for cybersecurity policy that is built on internationally recognized human rights standards, and our policy guidance for government hacking is likewise grounded in these standards. In our paper, we argue that the Tech Accord and DGC can also be strengthened by adhering to and reinforcing the existing human rights framework, along with other improvements. Otherwise, there is a very real danger that they could serve to undermine the rights protections that are already in place — putting in jeopardy their very objectives.
What are the Tech Accord and DGC?
The Tech Accord – The Tech Accord pledges participating companies to adhere to a set of shared principles and to “commit to act responsibly, to protect and empower our users and customers, and thereby to improve the security, stability, and resilience of cyberspace.”
The Digital Geneva Convention – The DGC proposal is an initiative to have governments bind themselves to limit their actions in times of peace. Microsoft, which has been leading this initiative, has also called for an independent attribution body that would be tasked with determining who is responsible for an attack, a notoriously difficult and inherently risky endeavor.
What we’re recommending
Following is a high-level overview of our core recommendations, which we contextualize and explain in detail in our response paper:
- Develop the problem definition: Further develop the Tech Accord to clearly articulate the extent and boundaries of the problems at issue; the methods participating companies will use to address them; and how the accord interacts with existing efforts on business and human rights.
- Build out standards for attribution: Rather than creating a centralized attribution organization, work with a broad range of stakeholders to develop a common understanding of attribution, with agreement on evidentiary standards and norms.
- Move away from the wartime analogy: Analogize to other sources of international law, including those applicable outside the law of war, to avoid perpetuating the atmosphere of conflict.
- Build cybersecurity from human rights up: Promote a holistic view of cybersecurity that explicitly aims to protect human rights and users, includes all stakeholders as the keepers of peace and neutrality online, and articulates the responsibilities of governments outside protections applied to the private sector. Develop binding and enforceable legal mechanisms to address the inherent deficiencies of co- or self-regulatory measures around oversight and remedy for users.
Don’t sidestep existing human rights commitments — deepen them
We support the goals of the Tech Accord and DGC and we are hopeful they will be effective. But we urge companies and governments that have previously supported a free and open internet to use this opportunity to reinvigorate and strengthen their human rights commitments, rather than side-stepping them.
Important work is already being done by the Freedom Online Coalition and the United Nations Group of Governmental Experts, but it should be rejuvenated with new emphasis on the harm that nation state attacks are causing for users, including at-risk and vulnerable populations. The United Nations is uniquely placed in this regard, and we hope that new initiatives such as the High Level Panel on Digital Cooperation — which was launched by the U.N. Secretary General in July this year — will lead to more international commitments, and broader consensus on how to treat digital infrastructure with an eye on human rights and security, as well as protect the individual.
It is more important than ever that these processes are inclusive and respect a range of stakeholders to ensure they address both the individual and systemic threats that people are facing around the world.
You can read our full response paper here.