Microsoft president Brad Smith has said that the Trump administration’s apathy for multilateralism explains why it is yet to sign up to a new global agreement on cyber security.
In a wide-ranging interview with NS Tech and Spotlight, Smith discusses his work attempting to unite world leaders and tech executives around a set of norms for the ways nation states and the private sector operate online.
Smith’s proposals for a “Digital Geneva Convention” were incorporated by the French President Emmanuel Macron into the “Paris Call for Trust and Security in Cyberspace” at the annual UN Internet Governance Forum last November.
Sign up to Emerging Threats, our weekly cyber security newsletter
The agreement “reaffirms that international laws”, such as the United Nations Charter, are “applicable to the use of information and communication technologies (ICT) by States”. It also calls on signatories to work together to achieve nine aims, including preventing cyber attacks on critical infrastructure and individuals, activity that damages the integrity of the public core of the internet and interference in elections.
There are no repercussions for signatories who fail to abide by the terms of the agreement. But despite this, a number of countries have so far withheld their support, including China, Russia, the US, India and Brazil. Smith described the latter three as the most notable absences from the list.
The veteran lawyer, who serves as Microsoft’s chief legal officer as well as president, told NS Tech: “We’ve had direct conversations with all three governments. Our argument is that the Paris Call strengthens and broadens support for norms that have already been endorsed by the United States government with one exception. It creates a new principle, if you will, around the protection of elections. We think that the United States should find it easy to stand up to the protection of elections.”
Asked why the US has so far withheld its support, Smith said: “Well it came at a time when the State Department felt it needed more time to consider it so that led to a slow response last year. It has come at a time when we have an administration that is less enthusiastic about multilateralism. I think that remains the challenge today.
“We remain hopeful that there will come a day in the future when the US government will sign. I don’t look at this as a case where the US government hasn’t signed. I look at it as a case where the US government hasn’t signed yet. We’ll keep chipping away at that.”
Although the US has not yet backed the Paris Call, the State Department released a statement earlier this year calling for governments to advance responsible behaviour in cyber space. The statement was signed by 27 countries including a number of EU states and the members of the Five Eyes intelligence alliance. It was widely seen as a thinly veiled warning to China and Russia, which, in light of joint disclosures by the UK and US, are respectively facing mounting pressure over intellectual property theft and political interference.
Smith joined Microsoft in 1993 and has spent most of his career defending the company in anti-trust battles. But with each of the disputes now settled and regulators and lawmakers turning their attention to Microsoft’s rivals in Silicon Valley, he has emerged as an outspoken commentator on tech regulation and cyber warfare, seeking to shape the agenda in Washington, Brussels and at the UN.
In 2017, after it emerged that Windows exploits stockpiled by US National Security Agency (NSA) had been leaked, Smith compared the incident to the “US military having some of its Tomahawk missiles stolen”. The exploits were repurposed by suspected North Korean hackers in the WannaCry attack, which spread through thousands of organisations around the world including the NHS, forcing doctors to cancel thousands of appointments and operations, and leaving British taxpayers with a £92m bill.
Speaking to NS Tech, Smith weighed in on recent developments at the UN. “One of the things that I’m finding a little bit encouraging at the moment – and it’s more in the realm of a little bit – is that I do feel that [at] the United Nations, where there are two different efforts to deal with these issues […] that things have started to move a little more briskly [over the last few months].”
“At the end of the day,” he added, “if a Digital Geneva Convention emerges from the United Nations and does what needs to be done that would be a victory and we should applaud it. If what we do leads others to work harder and move faster but use a different name, that’s going to be fine.”
One of the UN efforts cited by Smith is the “Open-ended Working Group on International Information Security” [IIS]. In September, Russia’s representative, A.V. Krutskikh, said members’ responsibility was to “do our best to facilitate the restoration of the consensus on IIS in the UN”.
“The situation in this field is rapidly deteriorating,” he added. “If we disregard the propagandistic wrapping, it would be clear that cyber confrontation is on the rise, and if we fail to find joint efforts the effective ways to fight these threats, the global cyberwar will be just down the road.”