5 June 2017

A Geneva Convention for cyber security

Dr. Abdullah Shibli

Cyber security and the threat posed by hackers have been in the news headlines recently. Two of the most recent incidents are well known: the Bangladesh Bank cyber heist of February 2016 and the WannaCry ransomware attacks of May 2017. The lesson from these and other attacks is that nobody is immune from cyber intrusions, and we can only expect these threats, if not actual break-ins, to increase as technology becomes more sophisticated and makes inroads into our everyday lives. Since we are all vulnerable to these attacks, Microsoft has floated the idea of a Digital Geneva Convention to codify the do's and don'ts of cyber warfare. Just as the Geneva Conventions protect civilians during armed conflict, the call for a Digital Geneva Convention is an attempt to codify measures that would spare civilian hospitals, academic institutions and other clearly identified sanctuaries.

For those who have not kept track of the recent global outbreak of the WannaCry ransomware, I will briefly summarise the issue. Ransomware is malicious software, or “malware”, that blocks access to a computer's data until the attackers' demands are met. On May 12, 2017, a group of attackers unleashed WannaCry, a self-spreading ransomware worm, which infected about 200,000 computers in 150 countries within days. Once WannaCry found its way onto a PC, it encrypted the user's files and displayed a demand for USD 300 in Bitcoin, a cryptocurrency, in return for a key to decrypt them.

During the attack, thousands of computers across the British National Health Service (NHS) were disabled, preventing healthcare providers from accessing patients' electronic health records (EHR). Surgical procedures were cancelled and emergency room visits were severely delayed. The criminals exploited a vulnerability (a flaw) in the Windows operating system that had originally been discovered by the US National Security Agency (NSA) and that was leaked to the public in April 2017. Microsoft had issued a patch for the flaw in March 2017, but many organisations had not yet applied it, and the worm spread from one unpatched machine to the next.

The WannaCry attack, and the NSA's role in the origin of the exploit it used, came at a time when international and government-sponsored cyber attacks and break-ins have reached a new height. By keeping the Windows vulnerability secret rather than reporting it to the vendor, the US government, in effect, aided and abetted the attack. A few years earlier, the US and Israel are widely reported to have attacked Iran's nuclear enrichment facilities with the Stuxnet malware, and in late 2014 North Korea retaliated against Sony Pictures in an attempt to prevent the release of a film that lampooned Kim Jong-un. More recently, the Russian government is reported to have interfered in the 2016 US and 2017 French presidential elections. If this trend continues, the time will soon come when rogue governments and superpowers alike decide to use cyber weapons against non-military targets, with serious consequences for the civilian population. Last month, it was reported that the FBI had identified North Korea and Pakistan as being involved in the Bangladesh Bank heist, which, according to one legal expert, “is just one example of a state-sponsored attack that was done on the banking sector”.

Given this state of lawlessness in cyberspace, and acts of criminality carried out with the connivance or sponsorship of nation-states, it is high time for the international community to act. The most recent call for a Digital Geneva Convention came from Microsoft's President Brad Smith in February of this year, though the idea has been circulating for several years. Smith, who is also Microsoft's chief legal officer, spoke at the RSA security conference in San Francisco and offered several proposals for cooperation between nations and an international protocol protecting civilians: “The time has arrived to call on the world's governments to implement international rules to protect the civilian use of the internet.” Akin to the Fourth Geneva Convention, which protects civilians in times of war, a Digital Geneva Convention would commit governments to protecting civilians from state-sponsored and criminal attacks in times of peace as well as war. Recent attacks have also underscored the need for international collaboration to thwart future attacks that might pose a health risk or worse. Such damage could be magnified in the emerging “internet of things”, where everyday devices are networked and a single intrusion could cascade through connected systems.

The world's cyber security community has therefore urged political leaders to come together for a Digital Geneva Convention soon. Unfortunately, at the G7 Foreign Ministers' meeting in Lucca, Italy, in April 2017, the “Declaration on Responsible States Behavior in Cyberspace” paid lip service to the issue by simply reiterating earlier G7 and G20 commitments to the norms, rules and protocols needed to promote security and stability on the internet. Microsoft had previously circulated the idea of a “Tech Accord” among technology companies to protect people, and of a neutral, independent organisation to investigate attacks and identify their perpetrators. Smith was more specific and listed six requirements for an international agreement:

1. No targeting of tech companies, private sector, or critical infrastructure.

2. Assist private-sector efforts to detect, contain, respond to and recover from events.

3. Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.

4. Exercise restraint in developing cyber weapons and ensure that any developed ones are limited, precise, and not reusable.

5. Commit to non-proliferation activities for cyber weapons.

6. Limit offensive operations to avoid a mass event.

While this list is ambitious and reflects only Microsoft's view of the future, it can serve as a starting point for a serious conversation on how to keep cyber criminals, whether in the private sector or in government, from creating a Chernobyl-type disaster in a modern economy.
