The Geneva Convention was signed in 1949, a reaction of sorts to World War II. The Second Great War was completely devastating to Europe, to combatants and civilians alike, and the Convention called for warring parties to treat prisoners of war humanely, and to protect civilians in or around war zones. It’s actually a series of four treaties, and eventually, nations on all continents signed the accord, and the three amendment protocols that were established in 1977 and 2005.
A new agreement, signed on November 12th of this year, is officially called the Paris Call for Trust and Security in Cyberspace, but it’s being casually referred to as the “Digital Geneva Convention.”
Countries signing the agreement include
The agreement was also signed by major tech companies Microsoft, IBM, HP, Google, and Facebook.
What did these countries and companies agree to? They’ve agreed to increase prevention of and resilience to malicious online activity, but without mentioning specifics for execution. There’s also a vague call to protect the accessibility and integrity of the internet, prevent the proliferation of malicious online programs and methodologies, and to improve the security of digital products and services and the “cyber hygiene” of citizens.
Those are good ideas but there’s no mention about the means to those ends. I feel more optimistic that they can achieve other parts of the agreement. The more pragmatic sections cover cooperation preventing interference in electoral processes, collaboration in combatting intellectual property violations via the internet, stopping online mercenary activities and offensive action by non-state actors, and joining forces to strengthen relevant international standards. I like the other parts of the agreement too, but I think they can be interpreted too subjectively to be actionable. Which objective metrics would be used to measure the accessibility and integrity of the internet? Remember that fifty different countries would have to agree upon what those metrics are and how to measure them.
Notably absent countries are the UK, India, Iran, North Korea, Russia, China, and the United States.
China and India are the two most populous countries in the world! It’s widely believed that China didn’t sign to keep their options open for restricting and monitoring Chinese citizens’ internet use à la The Great Firewall of China. But I have hypotheses as to why India didn’t sign. If it’s any comfort to India, Pakistan didn’t sign the agreement either.
Iran, North Korea, and Russia are well known to engage in cyberwarfare, including deploying destructive malware in other countries, a plausible rationale for those countries not signing.
Which leaves the UK and the US. I’m only guessing here, but perhaps Theresa May’s government in the UK and Donald Trump’s in the US fear that parts of the agreement might be used against them, such as to protect the accessibility and integrity of the internet and prevent the proliferation of malicious online programs and methodologies. Protecting the accessibility of the internet likely entails significant spending to improve internet infrastructure! Both governments tend to be reluctant to expend resources on public projects not directly related to their militaries. Preventing proliferation of malicious online programs might run counter to the activities of their armed forces as well. UK commonwealth partner Australia may have avoided signing simply because the US and the UK didn’t sign.
Interestingly, although the US didn’t sign the accord, most of the largest American tech companies did.
So New Zealand and Canada are the only two of the “Five Eyes” countries which signed the Paris Call for Trust and Security in Cyberspace. The “Five Eyes” are the US, the UK, Canada, Australia, and New Zealand, five countries which openly share intelligence with each other.
In my opinion, the Paris Call for Trust and Security in Cyberspace is a nice idea. It would be great if the signatory countries worked to make the internet safer and freer for their citizens. But with many of the world’s most powerful countries absent, and some vague wording that may be difficult to enforce, I don’t suspect that the treaty will much impact on the global cyber threatscape.
Even if the treaty doesn’t accomplish much, there’s lots you can do to improve the security of your own endpoints! The first step is to try a free malware discovery scan from Comodo Cybersecurity.