WannaCry: Can Microsoft’s ‘Digital Geneva Convention’ ever be achieved?
The WannaCry ransomware attack has now spread its crippling influence across thousands of organisations, public and private, in 200 countries. As the fallout settles the cost is being counted, and fingers are being pointed.
The Windows vulnerability at the heart of the WannaCry crisis has put Microsoft itself in the frame, along with organisations’ inadequate security procedures, governments’ inadequate funding, and even inadequate IT professionals. Lots of fingers, lots of pointing.
They’d all be pointed at the culprits themselves, of course, if they knew who they were.
Which is a problem that immediately confronts Microsoft’s reassertion this week that it wants to see the creation of a Digital Geneva Convention.
The world should collaborate to build a supranational entity that sets universal rules and enforces them in the event of transgression, argues Microsoft president and chief legal officer Brad Smith. The convention would exist principally as a defence against nation-state digital malfeasance, but in partnership with private industry would help raise security standards everywhere.
But how would it be policed and enforced, particularly in a case like WannaCry, where code constructed by a government – the ironically named National Security Agency in this case – was stolen and turned against the world by invisible actors in the name of making a quick buck?
Mark Skilton, cyber security researcher and author (Building Digital Ecosystems, The Fourth Industrial Revolution), says individuals and companies have already lost the ability to protect themselves in what is now an “open, full scale war” with cybercriminals, and agrees with Microsoft that they need more protection.
“This attack has shown there needs to be a cyber police force at a global level to help manage these escalating threats with the right level of specialist skills, and not just vendors sorting it out for themselves,” he says.
“Microsoft is right to call for a ‘Digital Geneva Convention of rights’; the risk and impact of cyber weapons can do the same or more harm than physical weapons. It can indirectly kill patients, change traffic controls, alter car onboard steering systems, change election outcomes, and more.”
But, while desirable, he admits it wouldn’t be easy: “Governing the digital world is much harder as the identity of people and things is obfuscated, partly due to the paradox of the need for privacy, but also from the nature of digital data that is re-coded, redactable and transmutable.”
Lee Meyrick, director of information management at leading data-investigation firm Nuix, concurs. It’s all too easy for the bad guys to spoof the origin of their malware and avoid detection, he says.
“A Digital Geneva Convention is unfortunately a far-fetched idea. Internet governance ultimately comes down to questions of attribution, and the fact remains that definitive attribution is a tremendously difficult thing.
“It would be hard for such a convention to police threats if they don’t know where they are coming from. The NHS attack is a case in point; while it appears the attack was deliberate, it is more likely collateral damage from an attack that has been able to propagate very well.
“So while an internationally agreed legal framework may serve to underpin a coordinated approach to cybercrime, it will ultimately only be enforceable by the same people tasked with the job already: us, individuals and organisations throughout the digital ecosystem.”
Tony Rowan, chief security consultant at cybersecurity company SentinelOne, says the concept of a Digital Geneva Convention is laudable – and useful in part – but ultimately “naïve”.
“With a world network, we are going to have to deal with eCrime using technical rather than legal controls,” he says.
“That's not to say that international legal agreements will not have their place. Rather that real control will have to use effective technical means to have useful effect. If international legal controls were enough, all kinds of crimes would have already been eliminated.”