Chapter 7

DIGITAL DIPLOMACY: The Geopolitics of Technology

When Casper Klynge arrived on Microsoft’s Redmond campus in February 2018, he could have been mistaken for a tech entrepreneur. Or given his sharp dress, California vibe, and less-than-close shave, perhaps an actor or musician. When I shook his hand, I paused to recall whom I was meeting.

Casper is not your typical ambassador. And he doesn’t have a typical assignment. He is the first person to serve as Denmark’s tech ambassador, responsible for connecting the Danish government to tech companies around the world. His “embassy” has more than twenty employees working on three continents, with staff in the United States, China, and Denmark.

When I had met with a group of European ambassadors in Copenhagen the preceding spring, Casper’s new job was on people’s minds. The Danish foreign minister, Anders Samuelsen, had proclaimed the position “a world first” and a necessity, stating that tech companies affect Denmark as much as countries do. “These companies have become a type of new nation and we need to confront that.”1

While Denmark was the first country to name a formal ambassador to liaise with the tech sector, the country’s decision followed a similar step by the British government. In 2014, Prime Minister David Cameron created a position in his office for a special diplomatic role, initially to address law enforcement technology issues and then to serve as “special envoy to US technology companies.” The first to take the new post was Sir Nigel Sheinwald, a former British ambassador to the United States.

Other governments from Australia to France have followed suit with similar moves. It’s a shift that shows how the world has changed.

Large corporations have played a major role in economies and societies since the birth of the business empires of the Gilded Age. And no industry transformed American society and ultimately American law like the railroads in the second half of the 1800s. As Poor’s Manual of the Railroads of the United States so aptly put it at the turn of the century, “No enterprise is so seductive as a railroad for the influence it exerts, the power it gives, and the hope of gain it offers.”2

Railroads were America’s first big business, crossing state lines with thousands of miles of track, and they sparked a surge of regulation and laws governing commerce, patents, property, and labor. James Ely’s Railroads and American Law may seem an unlikely book to see on a software executive’s shelf, but it’s one I refer to periodically to help me think about how technology changes the world around it.3

While the railroad may be considered by some as the internet of its day, there’s something quite different about today’s digital technology. The products and companies are far more global, and the pervasive nature of information and communications technology increasingly thrusts the tech sector into the center of foreign policy issues.

In 2016, a mantra, “There’s no national security without cybersecurity,”4 took hold within Microsoft and started to seep into the public discussion. We were hardly alone with this recognition. As German conglomerate Siemens AG predicted succinctly, “Cybersecurity is going to be the most important security issue of the future.”5 Clearly, any issue that would be fundamental to national security would propel the tech sector even more squarely into the world of international diplomacy.

In part, this made it more important to explain publicly and clearly what we were doing to address these issues. As we evolved our cybersecurity efforts, we recognized the need to take—and talk about—three distinct strategies. The first and most obvious was to strengthen technical defenses. This work naturally starts with the tech sector, but it becomes a shared responsibility when customers deploy these new services. At Microsoft we were spending more than $1 billion a year developing new security features, an investment that involved more than thirty-five hundred dedicated security professionals and engineers. This work is ongoing as we continually roll out new security features at an accelerating pace, and it’s a huge priority across the tech sector.

The second approach, involving what we call operational security, was in some ways more of a priority at Microsoft than at some other tech companies. It includes the work of our threat intelligence teams to detect new threats, the focus of our Cyber Defense Operations Center to share this information with customers, and the work of the Digital Crimes Unit to disrupt and take action against cyberattacks.

The latter work brought us increasingly into an area more traditionally addressed by governments alone. And it raised some complicated questions. How should companies respond to specific attacks? Of course, we needed to help our customers recover from hacks, but how could we deter attacks in the first place? Was attacking back an option?

When this question was put to a group of tech leaders at a White House meeting in 2016, the reaction was mixed. One attending executive was enthusiastic about empowering companies to attack back, but I worried that vigilante tech justice could lead to mistakes and even chaos. It’s why I took comfort in the fact that we typically required our Digital Crimes Unit to solve issues in court, often in cases that also involved law enforcement. It grounded us in a legal system where public authorities played their proper role and we remained subject to them and the rule of law more generally. I felt there was good reason to stick with this approach.

With rising nationalism, including in the United States, global companies also needed an intellectual foundation to act in a global way. We challenged our peers to act as a “neutral digital Switzerland” committed to defending all our customers around the world, pledging to play 100 percent defense and zero percent offense. Every government, including those with more nationalistic points of view, should be able to trust technology. They too benefit when the tech sector pledges to protect all of our customers regardless of nationality and refrain from helping any government attack innocent civilians.

When we combined these two strategies, they still seemed an insufficient response to broadening attacks. We needed to prop the cybersecurity stool with a third important leg: stronger international rules and coordinated diplomatic action to restrain cyberthreats and help galvanize the international community to pressure governments to stop indiscriminate cyberattacks. Until there was a greater degree of global accountability, we worried that it was too easy for governments to deny any wrongdoing.

In January 2017, coincidentally the week before Denmark announced the creation of what would become Casper Klynge’s job, we at Microsoft found ourselves discussing ways to help galvanize the tech sector and unite the international community around cybersecurity. I recalled that the International Committee of the Red Cross, or ICRC, had brought the world’s governments together in 1949 to establish the Fourth Geneva Convention to better protect civilians in times of war. “Isn’t it ironic that now we’re seeing these attacks against civilians, and it’s supposed to be a time of peace?”

Our public affairs leader, Dominic Carr, was quick to reply. “Maybe it’s time for a Digital Geneva Convention,” he said.

Bingo. Just as governments had pledged in 1949 to protect civilians in times of war, perhaps a Digital Geneva Convention could capture people’s imagination about the need for governments to protect civilians on the internet in times of peace. It was an idea that could build on work already in motion by governments, diplomats, and tech experts focused on establishing so-called cybersecurity norms between nations. Perhaps a compelling example and brand would help us speak more effectively to the nontechnical audiences that we needed to win over if any of this were to become a reality.

We called for the continued strengthening of international rules to avoid cyberattacks that target private citizens or institutions or critical infrastructure in times of peace, as well as an expanded ban on the use of hacking to steal intellectual property. Similarly, we urged stronger rules to require governments to assist private sector efforts to detect, respond to, and recover from these types of attacks. Finally, we urged the creation of an independent organization that can investigate and share publicly evidence that attributes nation-state attacks to specific countries.6

After we shared our ideas at the annual RSA security conference in San Francisco in 2017, a number of journalists picked up the theme and enthusiastically zeroed in on the call for a Digital Geneva Convention.7 While the press is always a good litmus test for the acceptance of new ideas, the bigger test was whether the conversation would change in national capitals. And a good way to gauge whether people were listening, ironically, is whether some disagree. After all, in a world with so many issues and such fragmented media, it was easy for many ideas to become like trees falling in the wilderness. Busy people in important positions couldn’t possibly care enough to take the time to address most of what others said during a day.

We passed this test. In Washington, DC, those most bothered by the idea of a Digital Geneva Convention were often officials who had played a leading role in developing the nation’s offensive cyber capabilities. They argued that rules restricting the use of cyber capabilities would hold back governments like the United States. We pointed out that the US government already stood against the use of cyberattacks against civilians in times of peace, which was the area we were trying to restrict. And more broadly, the history of weapons technology showed that even if the United States was in a leadership position today, other nations would catch up soon.

They pointed out that if we created stronger rules and the United States followed them, the country’s adversaries would not. But we believed international rules could nonetheless help put greater pressure on all countries, including by creating the moral and intellectual foundation needed for more coordinated international responses to cyberattacks. After all, it was even harder to restrain conduct if it violated no rules in the first place.

As always, we learned a lot from these exchanges. Some people pointed out that important international norms were already in place and that we risked creating a perception that existing rules didn’t matter. They were right. We were clear from the outset that we saw a Digital Geneva Convention as a long-term goal and part of a vision that would probably take up to a decade to implement. We didn’t want to undermine existing norms along the way. We talked through these aspects in more detail with government and academic experts from around the world, acknowledging what rules already applied in cyberspace and the need to both strengthen their application and identify gaps that need to be filled.8

We also encountered pushback from people who objected to the notion that international companies would protect civilians on a global basis rather than help their home government attack other nations. As one Trump adviser challenged me on a trip to Washington, DC, “As an American company, why won’t you agree to help the US government spy on people in other countries?”

I pointed out that Trump Hotels had just opened a new property in the Middle East as well as down the street on Pennsylvania Avenue. “Are these hotels going to spy on people from other countries who stay there? It doesn’t seem like it would be good for the family business.” He nodded.

At least we had succeeded in sparking a new conversation. When Satya and I attended a tech summit at the White House in June 2017, I participated in a breakout session on cybersecurity issues. One of the White House officials relayed a message to me beforehand: “Please don’t raise the topic of a Digital Geneva Convention. We want this discussion to focus on security best practices for the US government rather than other issues.”

As we walked into the ornate conference room where the meeting would take place, I reassured him that I got the message. But as the discussion ensued, the CEO of another company, whom I hadn’t even spoken with, suddenly leaned across the table and said, “Look, what we really need is a Digital Geneva Convention.”

I exchanged glances with the White House staffer and shrugged.

As we talked with more people about the notion of a Digital Geneva Convention, we realized that many of the points raised were pertinent to any form of arms control. There was a long history of public discussion about rules to govern weapons, and we needed to learn from them.

During the latter decades of the Cold War, arms control was the geopolitical focus as the world’s superpowers of the time—the United States and the Soviet Union—negotiated treaties to manage nuclear weapons.9 Issues around arms control were well understood in policy circles at the time, and they were often discussed much more broadly as well. As the possibility of a man-made nuclear apocalypse dwelled in the recesses of people’s minds, it burst into pop culture in a big way in the early 1980s.

These nuclear risks weighed heavily on President Reagan on June 4, 1983, as he helicoptered to Camp David in rural Maryland with a stack of classified arms control documents. As a storm rolled into the Appalachians that evening, Reagan, with his wife, Nancy, settled into the lodge for a movie—one of the 363 films the former movie star would watch during his two-term presidency.10 A writer for the new film, WarGames,11 had arranged a screening; it had premiered the day before.

The thriller features a teenage hacker who goes from changing his grades in the high school’s computer to stumbling into a supercomputer at the North American Aerospace Defense Command, or NORAD, and nearly starting World War III. The Cold War tale spooked the commander in chief. Two days later during a high-level meeting at the White House, he asked whether anyone had seen the movie. Receiving blank looks, he described the plot in detail, before asking the chairman of his Joint Chiefs of Staff if the plot line was plausible.12 That conversation set off a chain of decisions that led to the first federal forays into cybersecurity. Life imitated art, leading in part to the passage of the Computer Fraud and Abuse Act to make the hacking portrayed in the movie illegal.13

WarGames stoked the era’s unease about nuclear weapons and technology. At a time when personal computers were nascent devices mostly sequestered to hobbyists’ back bedrooms, the movie had wide appeal. Filmed more than thirty-five years ago, it now seems almost prophetic. Its themes connect with the public’s concerns about computer vulnerabilities, the threat of war, and the prospect of machines escaping human control. They also speak to the power of diplomacy over war, captured by NORAD’s supercomputer, which applied its learning from playing tic-tac-toe to the destruction that would be unleashed from nuclear war, uttering the film’s climactic line: “A strange game. The only winning move is not to play.”

Since the end of the Cold War, the topic of arms control has in many ways receded from public view. As a result, a generation of arms control experts has departed the scene and there is no longer a broad public understanding of the issues. In 2018, we were once again looking back to the future. As former US ambassador to Russia Michael McFaul put it, there was no longer a Cold War, but instead a Hot Peace.14 It’s time to dust off some of the lessons from the past.

In some respects, the response to World War II and to decades of nuclear arms negotiations provide some inspiration for the work needed to address cybersecurity. After all, following the dropping of two atomic bombs on Japan in 1945, the world has avoided nuclear conflict for almost seventy-five years. There are lessons from the challenging and at times circuitous paths taken by governments between the end of World War II and the end of the Cold War.

One such lesson came from International Humanitarian Law and the work of the world’s governments when they came together in 1949 to create the Fourth Geneva Convention. The outcome didn’t ban or limit specific weapons as much as it restrained how governments engage in military conflict. Under its rules, governments cannot deliberately target civilians, take action that would create disproportionate civilian casualties, or use weapons that cause superfluous injury beyond their military value.15 Interestingly, the driving force for the 1949 Convention was not a specific government but rather the International Committee of the Red Cross, which continues to play a vital role in the Convention’s implementation to this day.16

In an important way, the Geneva Convention speaks to learning that’s applicable to arms control itself. It’s often more realistic to limit the amount or characteristics of specific weapons or control how they’re used than it is to try to ban them entirely. As one author suggested, “If a weapon is seen as horrific and marginally useful, then a ban is likely to succeed. If a weapon brings decisive advantages on the battlefield, then a ban is unlikely to work, no matter how terrible it may seem.”17

Arms control ranks among the world’s more difficult endeavors. But as one study concluded just as the Cold War was ending, agreements to control weapons so they are not used—as distinct from eliminating them entirely—“may, in the end, be better, if only because its prospects for success are greater.”18 It’s perhaps this concept, as much as anything else, that has animated the efforts of international legal experts to define international norms that limit the way cyberweapons can be used.19

Another repeated lesson from the history of arms control is also applicable: Governments will sometimes seek to evade international agreements if they can, so there need to be effective ways to monitor compliance and hold violators accountable. This speaks directly to one of the biggest challenges for controlling cyberweapons. Governments not only perceive them as useful but also uniquely easy to use in a manner that evades detection. As David Sanger of the New York Times has put it, this unfortunately makes them “the perfect weapon.”20

This points to the importance of increasing the ability to attribute cyberattacks to the nations that launch them and developing a collective capability to respond when such attacks take place. The United States and other governments are increasingly working to develop such responses, which can vary from responsive attacks to more conventional diplomatic tools, including sanctions. But regardless of the form, they are likely to contribute best to cyber-stability if they are grounded in agreements on what international rules are being violated and in multilateral consensus on who was responsible for the attack. And in an era when these new weapons are unleashed on data centers, cables, and devices owned and operated by companies, information from the private sector is likely to play a broader role in attributing attacks in the first place.21

All of this points to the continuing importance of international diplomacy. As we think about this new generation of diplomatic challenges, there are some new tools in the diplomatic toolbox. The Danish foreign minister identified one of our new opportunities when he said that tech companies have become a “nation” of sorts. While we thought the comparison had its limits, it underscored a key opportunity. If our companies are like nations, then we can forge our own international agreements.

We had tried to move the tech sector in this direction when we called for a “neutral digital Switzerland.” We needed to put this into action by bringing companies together to sign an accord committing to act to defend all of our legitimate customers everywhere. While we sensed broad support for our general cybersecurity concepts, we knew this would not be an easy task. The tech sector is full of energetic people working for ambitious enterprises. Bringing companies together to do something in a coordinated way is easier said than done.

Establishing what would be called the Cybersecurity Tech Accord22 was the perfect task for our digital diplomacy team, led by Kate O’Sullivan. She leads a team of Microsoft “diplomats” who work with policy makers and industry partners around the world to advance trust and security on the internet. Given the private ownership of cyberspace, we had long recognized that protecting it required not only multilateral but multi-stakeholder engagement. Like the new tech ambassadors representing governments, we needed envoys steeped in diplomatic values to focus on creating digital peace—and protecting our interests and customers in what had become a new plane of war.

We sketched out the tech accord’s principles, and the digital diplomacy team fanned out to explore the industry’s interest. The accord would first commit all its signatories to two overarching concepts: to protect users and customers everywhere and to oppose attacks on innocent citizens and enterprises from anywhere. These would provide the principled foundation that we thought the tech sector needed to promote and protect cybersecurity on a global basis. The agreement would complement these two principles with two pragmatic pledges. The first was to take new steps to strengthen the technology ecosystem by working with users, customers, and software developers to strengthen security protection in practical ways. And the second was to work more closely with each other to promote cybersecurity, including by sharing more information and coming to each other’s aid when needed to respond to cyberattacks.

Getting people to agree that these principles made sense was one thing. Getting them to commit to them publicly was another. A small group came together quickly, including Facebook, which was becoming more forward leaning as it addressed its own rising privacy concerns. Several other large and experienced IT firms, including Cisco, Oracle, Symantec, and HP, also were quick to support the cause.

Google, Amazon, and Apple proved more difficult. As we talked with them, some said they considered it too controversial to stand next to Facebook at a time when it was on the firing line in national capitals around the world. Having experienced our own time on the firing line in the 1990s, I probably had more sympathy for Facebook than most. I also appreciated that to some degree, everyone has their difficult days, and if our first principle is to run away from people in times of trouble, we may doom ourselves to inaction even on issues for which collective efforts are needed the most.

Others at these companies said they had heard some of the pushback from individuals in the US government. They didn’t want to support something that was the subject of criticism. And some said that they simply couldn’t get people within their company to make a decision, so they couldn’t get the approval to sign on. Despite repeated emails and phone calls, we couldn’t get these companies across the finish line.

The good news was that the rest of the industry began to jump on board. We decided internally that we would launch the tech accord if we could secure public signatures from at least twenty companies. As the date for the RSA conference in 2018 in San Francisco approached, it was apparent we would meet that goal.

In the final weeks running up to announcing the Cybersecurity Tech Accord, we shared our plans with the White House and key officials in other parts of the United States and other governments. We didn’t want them to be surprised. We got positive feedback from the White House itself, but we heard through the grapevine that some in the intelligence community had concerns about the language pledging not to help governments launch cyberattacks against “private citizens and enterprises.” They were concerned that the reference to “private citizens” would cover terrorists and mean they could not turn to the tech sector if there was such an emergency. It was helpful feedback. We changed the text to refer to “innocent citizens” instead, which seemed to address this issue.

When we unveiled the Cybersecurity Tech Accord in April 2018, thirty-four companies signed on.23 It was more than enough to generate momentum. By May 2019, the group had more than one hundred companies from more than twenty countries, and it was putting the accord into action by endorsing practical steps to strengthen cybersecurity protection.

Importantly, the need for stronger private sector collaboration found additional support around the world. To its credit, Siemens led one of the earliest efforts, creating what it called a Charter of Trust to focus on protecting the ubiquitous small devices that make up the internet of things. A number of leading European companies, including Airbus, Deutsche Telekom, Allianz, and Total, were quick to join.24

In some ways, an even more interesting reaction awaited us in Asia. While in Tokyo in July 2018, we met with senior executives at Hitachi, which wanted to be the first large Japanese signatory. When we arrived at their headquarters to seal their approval, they were quick to say, “We were attacked by WannaCry. We thought about staying silent, but we realized that we’ll never solve this problem if we don’t stand up together and do something like this.”

This was in fact the whole point. I was struck by the fact that a long-standing Japanese technology company in a sector that had a reputation for being more conservative than American companies was willing to stand up at a time when companies like Google, Apple, and Amazon were still sitting down. We discussed in Tokyo the need for the tech sector to be proactive and build new forms of multilateral alliances.

Our preference was to see more government leadership that would sustain the multilateral approach to security that had been fundamental since the end of World War II. But it wasn’t the mood of the moment in the White House or in other national capitals that were turning inward.

It seemed ironic and even uncomfortable as a company to advance the mantle of multilateralism, which typically was the role of governments. But we found far more support than criticism as we pushed forward. And as we made progress, an increasing number of companies expressed a desire to join in.

But if the diplomacy was to be effective, we’d need to take it beyond the tech sector and business community. Governments, companies, and nonprofit groups would need to find a way to act together. We looked for the right opportunity and concluded that our best chance was an international conference that would take place in Paris in November 2018. French president Emmanuel Macron had decided to host what he called the Paris Peace Forum on the centennial of the armistice that had ended World War I. He posted a video on YouTube that we watched several times.25 It talked about the weakening of democracies and the collapse of multilateralism in the two decades that followed the armistice, leading to World War II. Macron invited ideas for projects that would strengthen democracy and multilateralism in the twenty-first century. It seemed like the perfect invitation for what we wanted to do.

Officials in Paris took an interest. David Martinon, France’s ambassador for cyber diplomacy and the digital economy, held a position similar to that of Casper Klynge in Denmark. He was responsible for internet governance, cybersecurity, freedom of expression, and human rights. Under the leadership of Philippe Étienne, diplomatic Advisor to President Macron, Martinon and other French officials were already focused on architecting the future. We talked with them about the opportunity to craft a new declaration and initiative to address cybersecurity.

It took strong French leadership and months of careful conversations around the world. The day after the armistice centennial, President Macron unveiled the “Paris Call for Trust and Security in Cyberspace,”26 reinforcing the importance of existing international norms to protect citizens and civilian infrastructure from systemic or indiscriminate cyberattacks. It also calls on governments, tech companies, and nongovernmental organizations to work together to protect democratic and electoral processes from nation-state cyberthreats—an area that we believed called for more explicit support under international law.

Even more important was the breadth of support for the Paris Call. The afternoon of Macron’s speech, the French government announced that there were 370 signatories for it. The list included 51 governments from around the world, including all 28 members of the European Union and 27 of the 29 NATO members. It also included key governments from other parts of the world, including Japan, South Korea, Mexico, Colombia, and New Zealand. By early 2019, that number would rise to more than 500 and include 65 governments and most of the tech sector, including Google and Facebook—although not Amazon or Apple.27

Ironically and in our view unfortunately, the Paris Call garnered all this support without the backing of the United States government, which didn’t sign the declaration in Paris. Although we originally were hopeful that Washington would sign on, it became apparent a month before the Paris meetings that the U.S. government wasn’t ready to take a position one way or another. The political winds among some on the White House staff were not blowing in favor of multilateral initiatives, regardless of the issue. It put us in an unusual position, as we had our government affairs teams around the world asking other countries to support the effort.

The Paris Call nonetheless represents an important innovation. It takes the multilateral approach that had been so vital to international peace in the twentieth century and turns it into the type of multi-stakeholder approach needed to address global technology issues in the world today. It unites most of the world’s democracies and connects them with most of the tech sector and leading nongovernmental groups worldwide. And over time, additional parties can sign on.

The model embodied in the Paris Call soon garnered additional global attention. As we met with Prime Minister Jacinda Ardern and her cabinet in New Zealand shortly after the Christchurch tragedy in March 2019, we brainstormed how the world could prevent a recurrence of terrorists using the internet as a stage for the attack on her people. Our conversation quickly turned to the Paris Call and whether we could bring governments, the tech sector, and civil society together in a similar way. We thought about it overnight, and by the next morning at a meeting with additional government officials, the room was talking about what a “Christchurch Call” might address.

Under Ardern’s leadership, the New Zealand government seized the initiative. As I had commented to Ardern in our initial meeting, she brought to the issue a sense of moral authority. She was quick to reply that the world’s outrage would eventually dissipate, and she wanted to use the moment not to score public relations points but to achieve something of more lasting importance. She dispatched New Zealand cybersecurity official Paul Ash to Europe to explore partnering with a government there, and building on the Paris Call, he found Macron’s team willing to move briskly.

The tech industry had a big part to play. Our challenge was identifying pragmatic steps we could take to help prevent our services from being used as they were in Christchurch to amplify extremist violence. Inside Microsoft, I asked general counsel Dev Stahlkopf and her chief-of-staff, Frank Morrow, to spearhead work to develop ideas. Although we hadn’t experienced the broad video uploading that had impacted Facebook, Twitter, and Google’s YouTube service, we soon concluded that we had nine distinct services that potentially were susceptible to this type of abuse. These ranged from LinkedIn and Xbox Live to the sharing of videos through OneDrive, Bing search results, and the use of our Azure cloud platform.

Other tech companies were prepared not only to step forward but to step up. Google, Facebook, and Twitter all recognized that the use of their content sharing services by the Christchurch terrorist made it essential for them to do more. Amazon, to its credit, recognized that it could be part of the solution even if its services hadn’t been part of the problem.

It was apparent that a variety of steps would be needed—and different balances would need to be struck—on different technology services. We needed to be sensitive both to engineering requirements and broader human rights and free expression concerns. A series of group conference calls quickly garnered support among the companies for nine concrete recommendations to address extremist violence and terrorist content online, including five steps individual services could take to tighten their terms of service, better manage live videos, respond to user reports of abuse, improve technology controls, and publish transparency reports. The group also formulated four industry-wide steps, including the launch of a crisis response protocol, open source–based technology development, better user education, and support for research and broader work by nongovernmental organizations to promote pluralism and respect online.

Ardern pressed for a decision and announcement at an upcoming meeting in Paris, only a month away. Representatives from the New Zealand and French governments met in northern California with civil society groups and with tech companies to talk through the specific issues raised by the proposed draft for the Christchurch Call. The New Zealand government’s team worked pretty much around the clock, juggling feedback from government leaders and other stakeholders. On a late-night phone call that Satya and I had with Ardern, I mentioned how struck I was by the government’s speed. She replied, “When you’re small, you have to be nimble!”

On May 15, two months to the day after the horrific attacks in New Zealand, Ardern joined Macron in Paris with eight other government leaders to launch the “Christchurch Call to Action.” Its text addresses terrorist and violent extremist content online through commitments by governments and tech companies to act both separately and together.28 As I joined other tech leaders and the heads of state in Paris to cement Microsoft’s signature, our group of five companies also unveiled the nine steps we would take to put the Christchurch Call into action.

Launched just a little more than six months apart, the Paris and Christchurch calls highlight the progress the world can make by advancing what Casper Klynge likes to call “techplomacy.” Instead of relying on governments alone, a new approach to multi-stakeholder diplomacy brings governments, civil society, and tech companies together.

In some ways, the idea is not entirely new. As one recent study concluded, a variety of nongovernmental organizations have long played influential roles on arms control issues, including involvement by advocacy groups, think tanks, social movements, and education groups.29 Initially spearheaded in the 1860s by the founders of the Red Cross in Geneva, one of the most successful recent initiatives was the International Campaign to Ban Landmines in the 1990s. The latter campaign started with six nongovernmental organizations in 1992 and grew to involve roughly 1,000 such NGOs from sixty countries.30 The group “successfully reframed landmines into a humanitarian and moral issue rather than a purely military matter” and, with support from the Canadian government, took its campaign to an ad hoc forum that adopted “a landmine-ban treaty in December 1997, barely five years after the campaign for a ban was initiated.”31

Viewed from this perspective, the most novel aspect of the Paris and Christchurch calls is perhaps the involvement of companies, as distinct from other types of non-state actors, on a new generation of humanitarian and arms limitation issues. There is no doubt that some will be more skeptical of companies than of NGOs. But given the degree to which cyberspace is owned and operated by these companies, it seems hard to argue that they have no role to play.

The Paris and Christchurch calls also pointed to another innovation that we felt was important to ushering in an era of digital diplomacy. Arms control and humanitarian protection have always required broad public support. In the twentieth century, new ideas sometimes moved successfully from think tanks to detailed conversations with nongovernmental organizations and government policy circles, ultimately breaking through to the public by way of important speeches by international statesmen. But at a time dominated by the fragmentation of the traditional press and the rise of social media, there’s both a need for and opportunity to connect with the public in new ways.

This is part of what we took away from the public discussion about a Digital Geneva Convention. While some traditional diplomats might roll their eyes, the idea captured public imagination in a way that had escaped the expert discussion of the critical but less than glamorous sounding international cybersecurity Tallinn Manual 2.0.32 It’s part of what I saw in the innovative approach and frequent tweets by Casper Klynge.33 And it’s what inspired us to couple our work on the Paris Call with support for citizen diplomacy, including an online pledge that garnered more than 100,000 signatures from around the world to support “Digital Peace Now.”34

Perhaps as much as anything, we need to advance digital diplomacy with a sense of determination based not just on new circumstances and hopeful lessons from the past, but history’s sobering failures as well. We were reminded of this when we visited the United Nations European headquarters in Geneva for a speech in November 2017. The Palais des Nations, which now houses the UN, served as the headquarters for the League of Nations in the 1930s. The building still has several small art deco conference rooms that reflect the post–World War I era.

The building served as the global stage for what would become some of the twentieth century’s most tragic times. Japan invaded Manchuria in 1931, and shortly afterward, Hitler’s Nazi regime became an increasing threat in Europe. Governments from thirty-one nations came together in the building to seek to constrain arms buildups in a series of meetings that spanned more than five years. But the United States balked at providing the leadership needed for what it perceived were mostly European issues, and Hitler pulled Germany out of the negotiations and then the League of Nations itself, sounding the death knell for the effort toward global peace.

Before the diplomatic conference convened in 1932, Albert Einstein, the greatest scientist of his age, proffered a warning that fell on deaf ears. Technology advances, he cautioned, “could have made human life carefree and happy if the development of the organizing power of man had been able to keep step with his technical advances.”35 Instead, “the hardly bought achievements of the machine age in the hands of our generation are as dangerous as a razor in the hands of a three-year-old child.” The conference in Geneva ended in failure, and before the end of the decade, that failure had translated into unimaginable global devastation.

Einstein’s words speak to the crux of today’s challenge. As technology continues to advance, can the world control the future it is creating? Too often, wars have resulted from humanity’s failure to keep pace with innovation, doing too little too late to manage new technology. As emerging tech such as cyberweapons and artificial intelligence become more powerful, our generation will be put to this test yet again.

If we’re to succeed where people failed almost a century ago, we’ll need a practical approach to deterrence combined with new forms of digital diplomacy. As we joined Casper Klynge and his colleagues from more than twenty governments at a meeting in San Francisco in April 2019, it was heartening to see a new generation of cyberdiplomats working more closely together.

There’s no denying that Denmark is a small country, with a population of 5.7 million that makes it smaller than Washington state. New Zealand’s population is even smaller. But the Danish foreign minister had been right. In the twenty-first century, the best way to address global issues is to put in place a team that can work not only with other governments but also with all the stakeholders that are defining technology’s future. It would be a mistake to underestimate a small country with a good idea and determined leadership. A new type of digital diplomacy has arrived.