Is it time for a Geneva Convention on cyberwar?


Hacking, viruses, denial-of-service… all fair game in the modern world of conflict. Maybe it’s time we drew up some new rules of engagement.

In November 2015, the world held its breath for a few hours after Turkey shot down a Russian jet it claimed was violating its airspace during operations in Syria. In the end the incident played out fairly predictably. The Russian and Turkish governments issued some bellicose statements, a planned meeting of foreign ministers was cancelled, sanctions were slapped on, and some existing agreements were torn up. Annoying for the people involved, yes, but there was never really any threat of either side firing another shot.

The reason the incident didn’t take on greater importance is that the rules of international relations are fairly well rehearsed and understood at this point. Earlier agreements from the 1648 Treaty of Westphalia onwards meant that both sides knew how far they could push the other before something undesirable happened. The anarchic international system has been somewhat tamed by rules and norms.

Enter cyberwarfare

Back in September, another diplomatic fracas between two nations took place without those sorts of precedents. US companies came under attack, allegedly from the Chinese government, in a bid to steal intellectual property and gain a competitive advantage. This led to a war of words which became so heated that it was a major talking point during a visit to the White House by the Chinese President – and ended with both countries pledging to do more to limit attacks.

In 2007, Estonia suffered a cyber Blitzkrieg. Persistent attacks over several weeks disabled emergency services, and prevented businesses and banks from communicating. According to Shaun Roberts, writing in the North Kentucky Law Review, some Estonians were left without internet connections for up to two weeks. While no one ever claimed responsibility, the attack was (inevitably) linked to hackers with ties to the Kremlin.

Back in 2008, it was estimated that 140 states had cyber programmes. That number is no doubt larger now. And here’s the thing: there are no norms or conventions governing cyberwarfare. The game has 140 players, and no one has written the rules.

What counts as a weapon?

For its part, the United States has published a “cyberspace strategy” outlining how it would respond to such an attack – saying that “We reserve the right to use all necessary means – diplomatic, informational, military and economic – as appropriate and consistent with applicable international law in order to defend our nation, our allies, our partners and our interests.”

We’ve arguably already seen this doctrine in action. Last Christmas Sony Pictures was subject to a devastating hack which leaked internal emails and unreleased films. Blame was placed with North Korea – which was upset with the comedy film The Interview – the premise of which was the assassination of Kim Jong Un. In response, North Korea was essentially entirely cut off from the internet in a mysterious counter-hack – the speculation being it was the US government’s not-so-subtle response.

But the cyber strategy is essentially a platitude. The problem with cyberwarfare (other than the sad fact that “cyberwarfare” has become the accepted name for the phenomenon) is that there are no rules. And rules are important if we don’t want every cyberthreat to risk spiralling out of control.


Credit: Little Atoms