Microsoft is calling for a digital Geneva Convention to outline protections for civilians and companies from government-sponsored cyberattacks.
In comments Tuesday at the RSA security industry conference in San Francisco, Microsoft President and Chief Legal Officer Brad Smith said the rising trend of government entities wielding the internet as a weapon is worrying.
Cyberattacks — from profit-seeking theft of credit-card data to state-sponsored attacks aimed at influencing national politics — are a growing concern for technology companies and their customers.
“We suddenly find ourselves living in a world where nothing seems off-limits to nation-state attacks,” he said.
Warfare in cyberspace, Mr. Smith said, often targets noncombatants, aiming at data centers, laptops, and software owned by companies and civilians.
Mr. Smith cited the high-profile hack of Sony, said to be perpetrated by North Korea, as well as attacks last year aimed at “the democratic process itself,” a reference to hacking in the U.S. presidential election.
He called for governments to come together and outline a set of new rules for behavior in cyberspace to protect civilians on the internet, akin to the protections for civilians in times of war outlined by the Geneva Conventions.
A new international regulatory regime, Mr. Smith said, should include an independent organization that can investigate and share evidence that attributes nation-state attacks to specific countries, playing a role similar to that of the International Atomic Energy Agency in nuclear nonproliferation.
That organization, Mr. Smith said, should investigate and share publicly the evidence that ties specific nations to attacks.
Microsoft, based outside Seattle, itself has been reluctant at times to identify the source of state-sponsored attacks on its own services.
When Microsoft disclosed a hacking campaign aimed at its Windows operating system last year, the company named the group of hackers, but stopped short of laying out the widely held view in the security industry that Russian-linked groups were behind the attacks.
Companies, Mr. Smith said, should remain neutral, and commit to not aiding governments or other actors in cyberattacks.
“This is not the world that the internet’s inventors envisioned 25 years ago,” Mr. Smith said. “But it’s the world that we inhabit today.”