Digital Diplomacy and the Protection of Cyberspace
Thoughts about digital transformation and AI for enterprise leaders and their legal & compliance advisors
These posts represent my personal views on enterprise governance, regulatory compliance, and legal or ethical issues that arise in digital transformation projects powered by the cloud and artificial intelligence. Unless otherwise indicated, they do not represent the official views of Microsoft.
As the world’s health authorities work together to combat the spread of the coronavirus, it occurs to me that there is an important lesson here for the struggle against another variety of harmful vectors—namely those that live in cyberspace.
We often think about cybersecurity as chiefly a technical issue: what technologies can we devise to shield our software and hardware from ingenious but malign attackers? But technology is never a magic bullet. Every CIO and Chief Security Officer knows that the behavior of ordinary end users and IT staff is just as important. They know that far too many damaging data breaches start with simple, avoidable mistakes.
But today, with the analogy of the coronavirus effort in mind, I want to talk about a third critical dimension of cybersecurity—that of global cooperation among the frontline defenders against cyberattacks. In practice, and thinking in terms of organizations rather than individuals, these defenders fall into two main groups: governments and technology providers. Unless the members of these groups can learn to work together effectively, the battle against the most dangerous kinds of cyberattacks—those perpetrated by rogue states and organized criminal gangs—cannot be won. But governments and tech firms, as we all know, have diverse and even competing interests. Bringing them together, therefore, requires what my colleagues at Microsoft like to call digital diplomacy.
On the governmental front, there are a number of digital diplomacy initiatives underway today that merit attention, but two in particular stand out:
- A proposal advanced by Microsoft and others for a Digital Geneva Convention would create a legally binding framework governing the behavior of nation states in cyberspace. Governments that sign this convention would pledge, among other things, to refrain from launching cyberattacks against vital civilian infrastructures such as hospitals and power grids, the world’s financial system, or the Internet itself. Developing such a framework and obtaining ratification by a critical mass of nations will take time. But incremental progress is possible, especially if we start with voluntary agreements before passing to formal and legally binding treaties. The UN has already established a Group of Governmental Experts to discuss ways of “advancing responsible State behavior in cyberspace in the context of international security.” The Group is scheduled to submit its first report to the UN General Assembly in 2021.
- The Paris Call for Trust and Security in Cyberspace, announced in 2018, has been signed by over 70 nations, 600 corporations, and 350 NGOs (non-governmental organizations) or IGOs (intergovernmental organizations such as the UN itself). The Paris Call is an effort “to bring the international community together to ensure peace and security in the digital space.” It advances nine principles that call for the protection not only of civilian infrastructures and digital supply chains but also of social institutions such as electoral processes and intellectual property. Unlike the Digital Geneva Convention’s proposal for binding international laws, the Paris Call is essentially symbolic, but its detailed principles establish a compelling minimum standard for acceptable behavior by all actors in cyberspace. While the United States has not yet endorsed the Paris Call, more than 130 state and local governments in the US have.
Digital Geneva and the Paris Call aim primarily at regulating the behavior of nation states. A parallel initiative aims at tech firms:
- The idea of the Cybersecurity Tech Accord is that the firms who join it pledge to work together to protect all their users and customers from cyberattacks—whether individuals, organizations, or governments—regardless of the attacker’s identity or motives. As of late last year, the Tech Accord has more than 100 members, including Cisco, Dell, Facebook, Hitachi, HP and HPE, Intuit, Microsoft, Oracle, Salesforce, and SAP. In addition to fostering cooperation among its members, the Tech Accord is working with the UN, the OECD, and other international organizations to develop international cybersecurity norms.
While the nitty-gritty of cybersecurity policy and diplomacy may not be as sexy as the latest AI-powered cyber defense tool, it will arguably be more important in the long run, and perhaps in the short run as well. Enterprise leaders responsible for the cybersecurity of their organizations should understand that it is difficult to do business in an unstable environment, or in one where the militarization of cyberspace is allowed to proceed unchecked. Every CEO and Board member should recognize that digital diplomacy, in the sense of the initiatives described above, concerns them as much as it does policymakers or the tech industry. As Microsoft CEO Satya Nadella often says, “A better world is better for business.” Apart from the hackers themselves, ensuring the rule of law in cyberspace is in the interest of everyone.
Microsoft has published a book about how to manage the thorny cybersecurity, privacy, and regulatory compliance issues that can arise in cloud-based Digital Transformation—including a section on cybersecurity. The book explains key topics in clear language and is full of actionable advice for enterprise leaders. A Kindle version is available as well.
Comment from a Lead Experience Design Operations Manager @ Mayo Clinic (5 years ago): Really great insight.