Cyberattacks don’t just impact the internet, they threaten lives offline too. When ransomware cripples hospital computers, patients can go without access to care. Hacked human rights organizations put activists’ security at risk. And if institutions like the government itself gets compromised, millions of people’s identities can be exposed.
A new, Geneva-based organization called the Cyberpeace Institute is drafting volunteers who can swoop in to help vulnerable institutions recover and protect themselves in the future. Announced just last month, the Microsoft-backed non-governmental organization (NGO) will focus on cyberattacks that impact civilians, and aims to assist victims, investigate attacks, and promote norms and international laws for responsible cyber behavior.
“If you look at cyberattacks, there’s often people, but also institutions or organizations, impacted almost by collateral damage,” explains Marietje Schaake, the Cyberpeace Institute’s president and a former Dutch European Parliament member who has focused extensively on technology issues. “Those are the kinds of harms that I think we don’t hear enough about when we think about cyberattacks.”
Beneficiaries of the Institute’s help—selected on a case-by-case basis—could be schools, medical facilities, or human rights organizations, says Schaake. The organization is currently recruiting a network of volunteers, which will include experts from the technology industry, civil society, and academia. Once that network is established, the NGO will begin responding to requests for immediate and long-term recovery assistance, as well as helping vulnerable institutions improve their defenses.
Microsoft customer security and trust corporate vice president Tom Burt argued in a blog post that just as victims of war and natural disasters receive help and advocacy from humanitarian NGOs, “victims of attacks originating on the internet deserve similar assistance.” In an email, cybersecurity law professor Ido Kilovaty tells Fortune that “many cyber-attacks occur during peacetime—in the absence of war—and there is currently no international organization that offers what the Institute offers.”
The NGO aims to promote accountability by facilitating investigations into cyberattacks and their impact. Though the organization—which wants to remain neutral and independent—doesn’t plan to attribute the attacks it analyzes to any one state or group, Schaake notes that those reports will be publicly available, and that “it could well be that our findings help create a better understanding of what happened [in a given attack].” The Institute also says it will also promote norms for responsible cyber behavior through publicizing its findings and directly engaging stakeholders.
Primarily funded by Microsoft, MasterCard, and the Hewlett Foundation (the non-profit created by the H.P. co-founder), the Cyberpeace Institute’s establishment comes as private companies have looked to take on a greater role in promoting rules of the road for international cyberspace.
Back at the 2017 RSA conference, Microsoft’s president Brad Smith—citing the historic formation of the Geneva Convention and the International Committee of the Red Cross — asked technology companies and states to create similar institutions for cyberspace. In 2018, that call was followed by the Cybersecurity Tech Accord, through which now more than 100 companies (including Microsoft) have pledged to not assist governments with cyberattacks on “innocent citizens” (among other commitments). That same year, French President Emmanuel Macron established the Paris Call for Trust and Security in Cyberspace, bringing together nearly 70 countries, and hundreds of companies and civil society organizations, to declare shared goals for securing cyberspace.
“What we’re seeing by the fact that there are private companies interested in funding this NGO is that there is a sense that there should be more responsible behavior, and that private companies are willing to push for that agenda,” says Schaake, emphasizing that the Institute will go beyond focusing on what principles ought to be, and, as an independent organization, will be operational, addressing the “and then what.” She adds that the Institute’s founding companies represent a minority of the Institute’s executive board, and none provides more than one third of the organization’s funding.
Nele Achten, an affiliate at Harvard’s Berkman Klein Center for Internet and Society who studies cybersecurity norms, observes that in the Institute “there are two functions that [come from] the beginning of the International Committee of the Red Cross,” pointing to its focus on assisting victims and the advancement of norms. Meanwhile, academics Elaine Korzak and Herb Lin have also floated the idea of a cyber NGO loosely-inspired by the Red Cross.
Schaake says the Institute can’t exactly be compared to a century-old humanitarian organization with billions in funding; the organization will function during peacetime, and will hardly match the Red Cross’s size, scope, and impact. “It’s a different context,” she cautions.
Still, she emphasizes that the Institute’s work is just beginning, and they’re still recruiting staff. “We’ve basically put the boat in the water. But now it has to start sailing.”
More must-read stories from Fortune:
—Why WeWork’s failed IPO might not mean disaster for SoftBank after all
—Dyson pulls the plug on its plan to build an electric car
—Why Etsy sets a higher standard for diversity and inclusion in tech
—From porn to scams, deepfakes are unnerving business leaders and lawmakers
—A.I. remains a disruptive force in finance—even for fintechs
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.
