When RSA’s Zulfikar Ramzan finished his keynote discussing technology’s “ripple effect,” Brad Smith, President of Microsoft, took the stage to talk about cyberspace as the new battlefield. He started by pointing out that – unlike the earlier shifts of war from land to sea to air – cyberspace is not physical. Yet the battle can still have physical impacts. This makes security professionals the first line of defense in the war in cyberspace.
An implication I hadn’t given much thought to is the victims of this war. In modern times, there have been agreements between nations on how to treat civilians in times of war. Civilians are to be protected and not targeted. But in this new battlefield, civilians are becoming the target, even in times of peace. Why is this so scary? As Smith put it – every company has at least one person who will click on anything. That’s why 90 percent of cyberattacks start out as phishing attempts.
We’ve even seen examples of nation states targeting private companies with the goal of hurting our economy – not the company.
We aren’t close to victory. And I fear this is the type of battle that never ends. But as Smith puts it – we can do more, together. Smith reminds us that we’ve had four Geneva Conventions in modern history. In each convention, the world’s nations came together to agree upon a set of guidelines on how war would be conducted, how civilians would be treated and how governments would respond if these agreements were broken.
Smith then called for a fifth Geneva Convention with the goal of creating an agreement for how civilians should be protected online in times of peace as well as war – and what the penalty will be for breaking this agreement. He cited recent agreements in the UN and with China as precedents we can use for these agreements.
The keynote concluded with a call to the current US administration to address Russian hacking of the US and other governments.
I’ve heard calls for cybersecurity regulations and international agreements in the past. However, this call felt different. It was specific, it was pointed and it cited recent precedents to demonstrate that such regulations are possible.
Stay tuned for more from RSA …