The Role of the Private Sector in Cybersecurity

A Digital Geneva Convention? The Role of the Private Sector in Cybersecurity

Cybersecurity has risen to the top of the international agenda.



Raquel Vázquez Llorente


This Strategic Update explores what role the private sector should play in the global policy response, with companies on the 'front line' of the cyber threat often being more proactive than states. 

Read the online edition:

The Role of the Private Sector in Cybersecurity

Download the pdf:

The Role of the Private Sector in Cybersecurity

About the Author

Raquel Vázquez Llorente is a Senior Legal Advisor at eyeWitness, an organisation that works at the intersection of technology, law and public policy. In 2016 and 2017, she was featured in the Forbes '30 under 30' list for her contribution to the field of Law and Policy.

She has also been nominated to the Choiseul 100 leaders of tomorrow. Raquel holds a degree in Law and Business Administration from Universidad Carlos III de Madrid and an MSc in International Strategy and Diplomacy from the LSE.

References & Footnotes

[1] Segal, A., 2016 (Ch. 2). The hacked world order: how nations fight, trade, maneuver, and manipulate in the digital age. [Kindle DX e-book]. New York: PublicAffairs.

[2] Kaplan, F., 2016. Dark territory: the secret history of cyber war. [Kindle DX e-book]. Simon and Schuster.

[3] Symantec. 2017. Internet Security Threat Report. Government. June 2017, Volume 22. [Online] [Accessed: 07 May 2018].

[4] Privacy International. 2016. The global surveillance industry. July 2016. [Online] [Accessed: 07 May 2018].

[5] The most interesting works are: Fidler, M. 2015. “Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis”. ISJLP, Vol. 11, 405; Finklea, K 2017. “Law enforcement using and disclosing technology vulnerabilities”. Congressional Research Service. 26 April 2017; or Herr, T. 2017. Countering the proliferation of malware. Targeting the vulnerability life cycle. Harvard Kennedy School Belfer Center for Science and International Affairs. Paper, June 2017.

[6] Frei, S., 2013. The known unknowns: Empirical analysis of publicly unknown vulnerabilities. NSS Labs Inc., Austin.

[7] Perlroth, N. and Sanger, D.E., 2013. Nations buying as hackers sell flaws in computer code. New York Times, 13 July 2013.

[8] Denning, D. and Strawser, B.J., 2014. “Moral cyber weapons”. In: Floridi, L. Taddeo, M. (eds.) The Ethics of information warfare, pp. 85–103. Springer International Publishing.

[9] Daniel, M. 2014. Heartbleed: Understanding when we disclose cyber vulnerabilities. The White House, President Barack Obama, 28 April 2014. [Online] [Accessed: 07 May 2018].

[10] Healey, J. 2016. The US Government and zero-day vulnerabilities. Columbia SIPA [Online] [Accessed: 07 May 2018].

[11] Breene, K. 2016. Who are the cyberwar superpowers? World Economic Forum, 4 May 2016. [Online] [Accessed: 07 May 2018].

[12] Chase, M.S. and Chan, A., 2016. China’s evolving approach to “integrated strategic deterrence”. Rand Corporation.

[13] Giles, K., 2011. “Information Troops” A Russian Cyber Command?. CCDCOE Publications; also, Hulcoop, A., Scott-Railton, J., Tanchak, P., Brooks, M. and Deibert, R. 2017. Tainted leaks disinformation and phishing with a Russian nexus. The Citizen Lab, 25 May 2017. [Online] [Accessed: 07 May 2018].

[14] NATO. 2016. Warsaw Summit Communiqué. Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Warsaw 8–9 July 2016. Press release, para. 70, 9 July 2016. [Online] [Accessed: 07 May 2018].

[15] DoD, US Department of Defense. 2011. Department of Defense strategy for operating in cyberspace. July 2011. [Online] [Accessed: 07 May 2018].

[16] BCI, Business Continuity Institute. 2017. Horizon Scan. February 2017.

[17] Chambers cited in PwC. 2017. Cyber security: European emerging market leaders. January 2017. [Online] [Accessed: 07 May 2018].

[18] CSIS, Center for Strategic and International Studies. 2014. Net losses: estimating the global cost of cybercrime. June 2014. [Online] [Accessed: 07 May 2018]

[19] Moar, J. 2015. The Future of Cybercrime and Security. Juniper Research, 12 May 2015 [Online] [Accessed: 07 May 2018].

[20] Ross, A. 2016. Want job security? Try online security. Wired, 25 April 2016. [Online] [Accessed: 07 May 2018].

[21] Statista. 2017. Size of the cyber security market worldwide, from 2016 to 2021 (in billion U.S. dollars). [Online] [Accessed: 07 May 2018].

[22] PwC 2017.

[23] Stevens, T., 2017. “Cyberweapons: An emerging global governance architecture”. Palgrave Communications, Vol. 3.

[24] Grigsby, A. 2016. OSCE agrees to new confidence building measures. Pop the champagne?. Council on Foreign Relations, 31 March 2016. [Online] [Accessed: 01 May 2018].

[25] OSCE. 2013. Decision no. 1106. Initial set of OSCE Confidence-Building Measures to reduce the risks of conflict stemming from the use of information and communication technologies. 975th Plenary meeting, 3 December 2013. [Online] [Accessed: 07 May 2018]. And OSCE. 2016. Decision no. 1202. OSCE Confidence-Building Measures to reduce the risks of conflict stemming from the use of information and communication technologies. 1092nd Plenary meeting, 10 March 2016. [Online] [Accessed: 07 May 2018].

[27] Rattray, G. and Healey, J. 2010 (p.79). “Categorizing and understanding offensive cyber capabilities and their use”. In: Dam, K. W. and Owens, W. A. (eds.), Proceedings of a Workshop on Deterring Cyberattacks, pp. 77–97. Washington, DC: The National Academies Press.

[27] Gates, B. 2002. Bill Gates: Trustworthy Computing. Wired, 17 January 2002. [Online] [Accessed: 07 May 2018].

[28] Charney, S. 2012 (p.8). Written Testimony of Scott Charney Corporate Vice President, Trustworthy Computing, Microsoft Corporation. Senate Committee on Homeland Security and Governmental Affairs, Hearing on “Securing America’s Future: The Cyber-Security Act of 2012”. 16 February 2012.

[29] McKay, A. 2016. Lessons from the NIST Cybersecurity Framework. Microsoft Cybersecurity Blog Hub, 5 October 2016. [Online]. Also, Nicholas, P. 2017. NIST Cybersecurity Framework: building on a foundation everyone should learn from. Microsoft Secure Blog, 7 June 2017. [Online] [Both accessed: 07 May 2018].

[30] Smith, B. 2017 (p.9). The need for a Digital Geneva Convention. Transcript of Keynote Address at the RSA Conference 2017. San Francisco, California, 14 February 2017 [Online] [Accessed: 07 May 2018].

[31]Ibid, p.15.

[32] Smith, B. 2017. The need for a Digital Geneva Convention. Microsoft Cybersecurity Blog Hub, 14 February 2017. [Online]; Smith, B. 2017. Growing consensus on the need for an international treaty on nation state attacks. Microsoft Cybersecurity Blog Hub, 13 April 2017. [Online]; Smith, B. 2017. The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack. Microsoft On the Issues, 14 May 2017. [Online]; and Smith, B. 2017. We need to modernize international agreements to create a safer digital world. Microsoft On the Issues, 10 November 2017. [Online] [All accessed: 07 May 2018].

[33] Weber, .R. 2017. State Dept.’s top cyber official rejects call for ‘Digital Geneva Convention’. Inside Cybersecurity, 25 April 2017. [Online] [Accessed: 07 May 2018].

[34] NATO CCDCOE. 2017. Geneva Conventions apply to cyberspace: No need for a ‘Digital Geneva Convention’. 18 July 2017. [Online] [Accessed: 07 May 2018].

[35] Notably, Eugene Kaspersky and Julian Assange. Kaspersky, E. 2017. A Digital Geneva Convention? A great idea. Forbes, 15 February 2017. [Online]; Assange, J. 2017. Press Conference on CIA Vault 7Thursday 9:45 a.m.Tweet questions at Twitter, 9 March 2017. [Online] [Both Accessed: 07 May 2018].

[36] Nicholas, P. 2017. Future-proofing principles against technological change. Microsoft Secure Blog, 29 March 2017. [Online] [Accessed: 07 May 2018].

[37] Levy, D. and Kaplan, R., 2008 (p.433). “CSR and theories of global governance: strategic contestation in global issue arenas”. In: Crane, A., Matten, D., McWilliams, A., Moon, J. and Siegel, D.S. 2008. The Oxford handbook of Corporate Social Responsibility, pp.432–451.