'We need a new Geneva Convention to protect all citizens from snoops'

Private biz needs to push back against government pressure, says Microsoft prez

RSA USA In 1949, the world’s nations came together to sign the Geneva Conventions, according respect in times of war to civilians, soldiers incapable of fighting, and prisoners of war. Now we need to go back and do the same for civilians caught up in online conflict, according to Microsoft.

In a keynote at this year's RSA USA Conference, Redmond’s president Brad Smith called on the technology industry to cooperate and form a “Digital Switzerland” for the world. That doesn’t mean fondue for all or caching Nazi gold, but rather that the tech industry needs to insist on being an impartial operator that shields its users from unwarranted state spying and attack.

Protecting people online is good for business, after all, we note. It's not a great advert for your software and online services when the Feds can just siphon off your customers' emails seemingly at will. Trust equals money, and Microsoft wants your trust and money.

“We will not aid attacking customers anywhere, regardless of whether governments ask us to do so,” Smith told the RSA audience in San Francisco today. “We need to make the case that the world needs to retain its trust in technology; we need to maintain the world’s trust.”

Smith suggested new Geneva conventions that require governments to not attack technology companies; to disclose all security vulnerabilities to developers so they can be fixed, rather than hoarding them for use in attacks; to defend the tech sector when dealing with hackers running amok; to sign up to the non-proliferation of weaponized exploits; and to commit to “exercising restraint” when using them.

The technology backbone of the world is privately owned and run, and the world’s governments need to commit to using it responsibly, he said. If they can’t, the technology community needs to stand up and ensure that no one runs wild online. Apropos of nothing, have you checked your Windows 10 privacy settings recently?

[Image: Smith's rules for online life – but don't hold your breath for them]

The technology industry is an international one, Smith said, and Microsoft employs people from 157 nations. More than any other sector, the technology field is all about bringing in people from around the world to get the best solutions, rather than falling into petty nationalism.

Smith said that the recent US election should act as a warning sign of how bad things can get. The claimed Russian hacking of the Democrats' computers, and subsequent email leaks, had an unprecedented effect on American democracy, Smith opined.

That's not that unusual though, said Adi Shamir, Borman professor of computer science at the Weizmann Institute in Israel and co-inventor of the RSA algorithm. He said political meddling is an old-school practice, and the Russians are used to being screwed around with in this way.

In 1956, US and UK intelligence agencies recorded a speech given in private by the Soviet premier Nikita Khrushchev which decried the excesses of Stalin’s regime. They leaked the speech to “the WikiLeaks of its day,” The New York Times, he said, and the news led directly to the Hungarian uprising that year.

“While I’m shocked, shocked, by these attacks,” he joked, “they are not alone in history.” ®
