The idea of a “Cyber Geneva Convention” has gained steam in the last five years. Based on the original Geneva Convention, which dates back to 1864, it would ensure that certain types of attacks, as well as specific targets, would remain off-limits in a cyberwar.
The concept of rules dictating what shouldn’t be allowed in war came about after Swiss national Henry Dunant visited wounded soldiers during the Second Italian War of Unification and found that little was being provided to help the hurt and dying. He called for a permanent relief agency that would provide humanitarian aid in times of war — which became the International Red Cross.
More importantly, Dunant proposed a government treaty to recognize the organization and its neutrality. For his efforts, he became a corecipient of the first Nobel Peace Prize in 1901.
The first Geneva Convention was about sick and wounded soldiers but in time was expanded to cover the treatment of prisoners of war. Following World War II, it was amended to cover war crimes.
The Hague Conventions
The Geneva Conventions’ primary focus has been on wounded soldiers, the treatment of prisoners and how war criminals could be punished.
In fact, the Geneva Conventions are often confused with the Hague Conventions of 1899 and 1907, which were among the first formal statements that addressed the laws of war and crimes. (A third Hague Convention was to take place in 1915 but did not because of the start of World War I.)
The point of both conventions is that in warfare certain things should be off limits. The Hague Conventions laid out rules on the use of chemical and biological weapons, which were sidestepped and then outright ignored during World War I.
Yet, warring countries have followed the rules; neither side in World War II used poison gas despite the fact that both sides had large stockpiles in place.
A similar treaty could ensure that some things would be off-limits in cyberwarfare, such as causing a nuclear plant to melt down.
The Royal United Services Institute renewed calls for such a pact earlier this year, suggesting that the creation of a simple digital marker could ensure that systems and traffic can be identified as protected in cyberconflict under an international convention.
Laying the Groundwork
The Hague Conventions wouldn’t have been possible had it not been for the Geneva Convention. Prior to these conventions, the rules of war were in essence made up by the commanders at the time.
A Cyber Geneva Convention might have solid footing, as security policy-makers already have discussed some topics at events such as the 2011 Munich Security Conference. More recently, President Obama and Chinese President Xi Jinping in October committed to a cybersecurity agreement that would limit the theft of intellectual property.
The question remains whether such nonbinding agreements are worth the digital paper they’re written on.
“The agreement between the U.S. and China is not really enforceable,” said Guy Nizan, CEO of IntSights Cyber Intelligence.
While the governments have agreed not to steal each other’s IP, the agreement doesn’t really outline how the nations would stop or even discourage their citizens and businesses from engaging in such tactics.
“Today you can’t always know who is behind the attack, and it’s relatively easy to cover your tracks,” Nizan told TechNewsWorld. “It’s not enforceable because you don’t have an organization like the International Atomic Energy Agency in place.”
The key rationale for any agreement, however, is still based on the idea that certain targets should be off-limits in warfare.
“Such an agreement is going to be a necessity in the way things are headed,” said Bruce McConnell, global vice president at the EastWest Institute.
“Civilian nuclear power plants are a great example of what should be off limits in any sort of cyberattack,” he told TechNewsWorld.
“The reason such a treaty is necessary is one of escalation, especially in cyberspace where it can be very hard to tell who fired the first shot,” McConnell added.
“The second issue is one of miscalculation, where what could be a smaller-scale hack ends up costing lives and destroying critical infrastructure,” he said.
As a result of President Obama’s meeting with President Xi and their subsequent agreement, it’s unlikely the U.S. and China will direct cyberattacks against one another. Certainly they’ll exercise enough restraint to avoid the sort of large-scale attacks that would be deemed acts of war if conventional weapons were used.
A close analogy is how agents of the Serbian secret society Black Hand assassinated Austria-Hungary’s archduke and set off World War I in 1914. Those agents didn’t have the official support of the Serbian government, but instead worked at its behest. Austria’s government responded by declaring war on Serbia.
“That is an excellent analogy and sums up the dangers we face today,” noted McConnell.
“We saw recently in cyberattacks against Estonia that weren’t directly by Moscow but were orchestrated by bad vigilantes,” he added. “Today there are many groups that could or would target rival powers’ systems that don’t officially work on the books.”
Another threat comes from civilian players who aren’t affiliated with any government. The hacker collective known as Anonymous recently declared war on ISIS, and neither side is likely to respect any treaties.
“If countries sign up, the question moves to how do they control their populations,” noted Stephen Coty, director of threat research at Alert Logic.
“Hacking is still continuing between China and the U.S., so signing a paper may not have made much of a difference,” he told TechNewsWorld. “If anything, governments may look to third parties to maintain deniability.”
That brings the threat back full circle, where groups could be linked to a government indirectly — such as Serbia’s Black Hand.
“Once these groups go after the private sector — which may not be covered by such treaties anyway — corporations may look to hack back,” suggested McConnell. “In this case, we could end up with cyberprivateers, with letters of marque to go after the hackers. And that brings us back to the escalation concern.”
Cyberwar Vs. Cyberespionage
The final concern with a Cyber Geneva/Hague Convention is that it would be tied to cyberwar, but that doesn’t address espionage. Neither the Geneva nor Hague Conventions covers espionage or spying — so even if such a treaty were drafted, it might leave open the ability for nations to use cyberspace to gather information.
“Espionage already is played by some unwritten rules that most of us don’t fully appreciate,” said McConnell.
“What makes this different is that in traditional espionage you’re getting information that is in the real world, or running assets,” he said.
“In the cyber world, it can be more than just the stealing of data; it can be leaving something behind that can cause damage as well,” McConnell added.
Examples of this include the Stuxnet and Flame virus attacks directed against Iran’s nuclear program in 2009-2010. Those attacks blurred the line between business-as-usual espionage and an attack — and clearly were aimed at kinetic damage rather than information gathering.
Iran is believed to be behind several smaller responses to the attacks, illustrating how such attacks could escalate all too quickly.
A convention may not have much power or authority, unless it operates as an independent body, much like the IAEA, suggested IntSights’ Nizan.
Instead of a convention, “the U.S. should focus efforts on creating an enforceable mechanism that could hold responsible the nation for all hacking groups within it,” he added.
That could lead to an international agency for sharing data about IPs and threat actors and close the loop when necessary, but the key is to define punishment for violations. It also could target rogue groups and nonstate players.
“Just like the atomic energy issue, you can make it very hard to conduct cyberattacks if you have such an enforceable Cyber Convention,” said Nizan. “In the end, groups like ISIS rely on compromised servers and connections in order to conduct a cyberattack. The Western world can make sure it’s not easy to gain those resources using this type of convention.”