Elizabeth Weise

USA TODAY

SAN FRANCISCO – In a major policy speech aimed at rising nationalism, Microsoft president Brad Smith said tech companies must declare themselves neutral when nations go up against nations in cyberspace.

“Let’s face it, cyberspace is the new battlefield,” he told an overflow audience in the opening keynote at the RSA computer security conference.

Tech must be committed to “100% defense and zero percent offense,” Smith said.

Smith called for a “digital Geneva Convention,” like the one created in the aftermath of World War II, which set ground rules for conduct during wartime, defining basic rights for civilians caught up in armed conflicts.

The speech was echoed in a blog post on Microsoft's site that went up Tuesday morning.

The world’s governments need to pledge that “they will not engage in cyberattacks that target civilian infrastructure, whether it’s the electric grid or the political system,” Smith said.

This digital Geneva Convention would establish protocols, norms and international processes for how tech companies would deal with cyber aggression and attacks by nations aimed at civilian targets, which appears to effectively mean anything but military servers.

While Europe and other nations are also experiencing a rise in nationalist feelings, it is no accident that Smith’s talk comes just three weeks after Donald Trump was inaugurated the 45th president of the United States. Trump’s aggressive stance — warning Iran, for instance, that it's been put "on notice" — has caught the attention of the world and made tech companies uncomfortably aware that their realm — cyberspace — is also a likely battlefield when hostilities break out.

Smith listed a string of increasingly threatening cross-border cyber incidents, beginning with the North Korean attack on Sony Pictures Entertainment in 2014, moving to thefts of intellectual property by China in 2015 and ending with last year’s Russian involvement in the U.S. presidential election.

“We suddenly find ourselves living in a world where nothing seems off limits to nation-state attacks,” Smith said.

Technology companies, not armies, are the first responders when cyber attacks occur, he noted. But they cannot, and must not, respond in kind or aid governments in going on the offensive, Smith said.

He called for the creation of an autonomous organization, something like the International Atomic Energy Agency that polices nuclear non-proliferation.

“Even in a world of growing nationalism, when it comes to cybersecurity the global tech sector needs to operate as a neutral Digital Switzerland,” Smith said.

“We will not aid in attacking customers anywhere. We need to retain the world’s trust.”

What this appears to mean in the near term is that tech companies should refuse to aid governments, even the government of the country they are based in, in attacking other nations. That could mean not building backdoors into programs sold in other countries and not taking part in work to create cyberweapons.

Some of this groundwork has already begun. In 2015 the United Nations made a recommendation for cybersecurity norms around country-sponsored cyber attacks.

Later that year the United States and China vowed to cooperate on cybersecurity and specifically the touchy issue of intellectual property theft. That was followed by the Group of 20 affirming the same principles.

Claudio Neiva, a network security research director with analyst firm Gartner, did note that it’s easier for Microsoft and other large companies to commit to taking no offensive cyber action because they have the money and staff to pursue legal action.

“They’re being offensive by using legal measures, so it’s just a different way of doing things,” he said.

Microsoft, which does business in 190 countries, clearly sees itself as an international company responsible to its global customers.

“We need to make clear that there are certain principles for which we stand, that we will assist and protect customers everywhere. We will not aid in attacking customers anywhere, regardless of the government that may ask us to do so,” Smith said.

Smith’s speech is part of a general turn-around of the Seattle-area company, which a decade ago was hated by many in the tech world when it had a near-monopoly on computer operating systems.

Today, its corporate culture and ethos have changed under CEO Satya Nadella and it has fought for privacy and freedom from government intrusion for its users, if less vocally than companies like Apple and Google. Most notably it has waged a long-term legal battle to keep the U.S. government from accessing European customer data stored in Ireland, a battle Smith was instrumental in waging as Microsoft’s chief legal officer.

Microsoft has also said publicly it would not aid in building a registry of Muslims for the government, one of several companies that have made that promise.

Smith’s speech lays a blueprint for an organization that hasn’t yet been created, but which may be called into being through his words. No meeting of tech companies has been called, but that would be a plausible next step.