The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent


Microsoft's Brad Smith on cyberattacks, cybersecurity, and 'cyberspace'


Microsoft President Brad Smith delivered a rather remarkable speech last month at a major cybersecurity conference in San Francisco, with some big ideas in it that deserve wide attention and discussion. [A (20-minute) video of the talk is here; the transcript is here.]

The first idea, and the one that, as Milton Mueller puts it in his commentary [here], "shot out into media reports," was a call for a "Digital Geneva Convention." Cyberspace, Smith observes, has now become a battleground for nation-state warfare:

[I]f you think about what has happened over the past year, if you think about the changes in cyberattacks, I think we should come together and reflect on one thing, one thing that has clearly made the situation even more challenging—that is the entry of more nation-state attacks. We've seen cyberattacks move from enthusiasts to financial thieves to now governments around the world.

Referring to the Fourth Geneva Convention ("For the Protection of Civilian Persons in Time of War"), he writes:

For over two-thirds of a century, the world's governments have been committed to protecting civilians in times of war. But when it comes to cyberattacks, nation-state hacking has evolved into attacks on civilians in times of peace…. We need to call on the world's governments to come together [as they] came together in 1949 in Geneva, Switzerland….

What we need now is a Digital Geneva Convention. We need a convention that will call on the world's governments to pledge that they will not engage in cyberattacks on the private sector, that they will not target civilian infrastructure, whether it's of the electrical or the economic or the political variety.

I think he's on to something. It's easy to dismiss the Geneva Convention's protections for civilians during wartime, along with many other components of international human rights law, as ineffective and unenforceable do-goodism and feel-goodism, and it has hardly put an end to brutality directed at noncombatants; the actions of the Syrians (and Russians)—both of whom are, incidentally, signatories to the Fourth Convention—are merely the latest in a long and depressing list of places where the Convention's protections have proved to be unavailing.

But at the same time, it is difficult, or impossible, to argue that the Convention has not been a net plus for the human species; even if it only works at the margins, helping to push forward the development of new international norms of conduct and providing a framework for protection in some circumstance and some conflicts, that's a lot of needless suffering prevented.

And to the "nice idea, but it'll never happen" objection, one can point to the Geneva Convention itself as the counterfactual. It won't happen in the blink of an eye, to be sure; but it also won't happen unless people start to believe that it's a good idea and help to imagine it into existence.

Smith's second idea is more radical and, to me, more intriguing: that "the global IT infrastructure"—"cyberspace"—needs to "become a trusted and neutral Digital Switzerland."

We need to pledge that we will protect customers, that we will focus on defense. We need to be concrete in showing and pledging how we will collaborate with each other to respond to attacks. That we will provide patches to all customers everywhere, regardless of the attacks that they face.

We need to be clear that we will assist and protect customers everywhere. That is what we do regardless of the country from which we come. We need to be clear that we will not aid in attacking customers anywhere, regardless of the government that may ask us to do so.

We need to make the case to the world that the world needs to retain its trust in technology. And regardless of a government's politics or policies or individual issues at any moment in time, we need to persuade every government that it needs a national and global IT infrastructure that it can trust

Way back in 1996, John Perry Barlow—ex-Grateful Dead lyricist and founder of the Electronic Frontier Foundation—issued his "Declaration of the Independence of Cyberspace." I thought at the time, and still think, that the prose was overly grandiose and overwrought:

"Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather."

The grandiloquence of the prose detracted, I think, from the seriousness of the message, making the idea of a jurisdictionally separate "cyberspace" easy—too easy—to dismiss. Some of us tried to make a similar point—that "many of the jurisdictional and substantive quandaries raised by border-crossing electronic communications can be resolved by one simple principle: conceiving of cyberspace as a distinct 'place' for legal analysis by recognizing a legally-significant border between cyberspace and the 'real world' "—in a somewhat more measured way.

We didn't get a whole lot of traction—which is why I find Smith's argument about cyberspace as a digital Switzerland so interesting. He's talking about constructing just such a "legally-significant border between cyberspace and the real world," one that will allow private companies (such as Microsoft) to push back against jurisdictional assertions by territorial sovereigns, to "assist and protect customers everywhere … regardless of the country from which they come" and to decline to participate in "attacking customers anywhere, regardless of the government that may ask us to do so."

It's pretty radical stuff coming from the head of a major global corporation that has one foot very firmly planted in the real world and one in the virtual. There's lots to be said about the idea, and lots to argue about, and I'm glad that Smith has put it so solidly on the table.

Finally, in his concluding comments, he reminds us that America's IT sector has helped to "bring the world together" not just in the products it produces but also "under our own roofs," noting, for instance, that at Microsoft headquarters in Washington state there are employees from 157—157!—countries (and noting further that Microsoft is hardly unique among IT companies in regard to its internationalized workforce). With all the talk these days about immigration and immigrants, we need to think hard about why the sector of American industry that has outpaced all others on the global stage is the one that has been the most welcoming to immigrants and the one that has benefited most obviously from their energy and their expertise. I guess some people might think that's just a coincidence, but it isn't.