Microsoft: Security Industry Must Be 'Neutral Digital Switzerland'
Brad Smith says the security industry must become a check against nation-state cyber attacks.
The security industry must declare itself a neutral party in cyber attacks between nation states, Microsoft President Brad Smith said here at the RSA Conference.
"Even in an age of rising nationalism, we need to become a trusted and neutral digital Switzerland," Smith told the audience, making an oblique reference to the rise of nationalist political movements in the U.S. and Europe.
"As a global tech sector, we need to come together and sign our own pledge in conjunction with the world's states," said Smith. "We will protect customers, focus on defense, collaborate with each other and we will provide patches to all customers everywhere regardless of the attacks they face, and we will do our part to address the world's needs.
"We will not aid in attacking customers anywhere," he added.
Smith also urged attendees to call on governments to adopt a treaty or pledge that would enshrine the rights and safety of civilians during a cyber attack. Civilian infrastructure, including civilian governmental systems, should be off limits, he said, pointing to the 1949 Geneva Convention, which outlines how nations must treat civilians in times of war.
A new convention on cyber attacks from nation states must focus on preventing attacks against civilians in times of peace. He pointed to the U.S. and China, which under the Obama administration -- to cool rising tensions between the two countries -- agreed to not partake in certain behaviors as part of cyber operations. President Trump should do the same with Russia, Smith said.
This point is clearly a nod to the allegations that Russian intelligence elements hacked computers owned by the Democratic National Committee and used the information, along with misinformation, to undermine the 2016 U.S. presidential election. Smith also said governments should agree not to stockpile vulnerabilities that could be used in attacks.
Lastly, Smith called for the creation of a new group to monitor cyber-attack activity. "What the world needs is a new independent organization, like IAEA," he said, referring to the International Atomic Energy Agency. The organization Smith outlined would provide an impartial assessment of cyber attacks and identify nation-state attackers, which would give its judgement greater authority on the world stage.
Smith's concern is rooted in the rapid expansion of cyber attacks, both in scope and severity. "We've seen cyber attacks move from enthusiast to financial thieves to nations around the world," said Smith. Taking strong positions on issues of national interest is nothing new for Smith, who last year used his keynote presentation to call on the security industry to stand with Apple in its case against the FBI.
As warfare moves into cyberspace, Smith observed that this creates new problems not seen in other theaters of conflict, like oceans or airspace. For one thing, cyberspace exists everywhere, between computers, servers and phones carried by just about every living human being. Cyberspace is also, Smith pointed out, privately owned.
"When it comes to these attacks, we are the plane of battle and the world's first responders instead of nation state attacks being met by other nation states, they are being met by us," Smith told RSA attendees, most of which are members of the security industry.
Smith described the Sony Pictures Entertainment hack, allegedly carried out by North Korea in response to the film The Interview, as a major turning point in cyber attacks from nation states. It was, he said, not about attacking a government but rather, "attacking a private company over freedom of expression over, as it turned out, not a very popular movie."
Smith also highlighted the importance of the immigrant community in the technology industry, a reference to President Trump's controversial travel ban targeted at seven majority Muslim countries.
In recent years, the RSA Conference has become if not political, then at least more policy focused. Previous speakers have included, Defense Secretary Ashton Carter, embattled FBI director James Comey and former Attorney General Loretta Lynch, who used her time at the conference to defend the DOJ's position that Apple should grant investigators access to an iPhone owned by one of the San Bernardino shooters.