Dan Lohrmann
Let’s start with a question: What do all of these activities have in common?
Stopping ransomware from devastating consequences.
Protecting critical infrastructure from cyber attacks.
Policing illegal cyberspace activities.
Bringing global cyber criminals to justice.
Holding nation-states accountable for online criminal activities.
International rules for war in the 2020s and beyond.
While there are many potential answers to this question, a growing number of international experts believe that these issues call for a new "Digital Geneva Convention" to address a growing global mess in cyberspace that is having very real impacts in the daily lives of individuals, companies and governments around the world.
DEFINITIONS, PLEASE
But before we dig deeper into this topic, here are a few important definitions.
According to the International Committee of the Red Cross:
“The Geneva Conventions and their Additional Protocols are international treaties that contain the most important rules limiting the barbarity of war. They protect people who do not take part in the fighting (civilians, medics, aid workers) and those who can no longer fight (wounded, sick and shipwrecked troops, prisoners of war). …
"Article 3, common to the four Geneva Conventions, marked a breakthrough, as it covered, for the first time, situations of non-international armed conflicts. These types of conflicts vary greatly. They include traditional civil wars, internal armed conflicts that spill over into other states or internal conflicts in which third states or a multinational force intervenes alongside the government. Common Article 3 establishes fundamental rules from which no derogation is permitted. It is like a mini-Convention within the Conventions as it contains the essential rules of the Geneva Conventions in a condensed format and makes them applicable to conflicts not of an international character:
"It requires humane treatment for all persons in enemy hands, without any adverse distinction. It specifically prohibits murder, mutilation, torture, cruel, humiliating and degrading treatment, the taking of hostages and unfair trial. It requires that the wounded, sick and shipwrecked be collected and cared for.”
ADDING CYBERSPACE
But perhaps you’re wondering what the Geneva Convention and/or physical conflicts in the real world have to do with cyberspace and cybersecurity. Here is some recent history on the subject of creating a Cyber Geneva Convention or Digital Geneva Convention:
World Economic Forum (2017): Why we urgently need a Digital Geneva Convention:
“The United Nations almost two decades ago set up a working body to ensure agreement is reached on how to handle the then relatively new field of information technology (IT), and in particular the increasingly difficult question of cybersecurity. It took a while, but in 2015, the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN GGE) confirmed that international law applies to cyberspace. …
"To make significant progress, we have to unmask the fact that unfortunately there is little specificity in the agreements reached so far. This situation allows states to continue to act in violation of established norms, without the international community having any recourse to respond. For example, international law prohibits the use of force by states except in self-defense in response to an armed attack, and the UN GGE norms call for states to refrain from international malicious activity. …
"Our proposed response was a Digital Geneva Convention, that would commit governments to adopt and implement norms that have been developed to protect civilians on the Internet, without introducing restrictions on online content. Just as the world’s governments came together in 1949 to adopt the Fourth Geneva Convention to protect civilians in times of war, a Digital Geneva Convention would protect citizens online in times of peace.”
“The great challenge for military and cybersecurity professionals is that incoming attacks are not predictable, and current strategies for prevention tend to share the flawed assumption that the rules of conventional war extend to cyberspace as well. Cyber warfare does have rules, but they’re not the ones we’re used to — and a sense of fair play isn’t one of them. Moreover, these rules are not intuitive to generals versed in fighting conventional wars.
"That’s a problem because cyber war won’t be waged with the informed participation of much of the U.S. technology sector, as the recent revolts at Google over AI contracts with the U.S. Defense Department and at Microsoft over Office software contracts with U.S. Immigration and Customs Enforcement demonstrate. That leaves only governments and properly incentivized multinational corporations to set the rules. Neither has yet provided a workable and operational definition of what constitutes a globally recognized act of war — a vital first step in seeking to prevent such transgressions."
“The DoD strategy lays out five mission objectives that should be the framework for creating cyber doctrine:
Ensuring the joint military forces can achieve its mission in a contested cyberspace domain
Enhancing Joint Force military advantage through the integration of cyber capabilities into planning and operations
Deterring, preempting or defeating malicious cyber activity targeting US critical infrastructure that is likely to cause a significant cyber incident
Securing DoD information and systems, including non-DoD-owned networks against cyber espionage and malicious cyber activity
Expanding DoD cyber cooperation with allies, partners, and private-sector entities
"Before we can establish rules of engagement for cyber warfare, we must first establish conventions for the use of cyber weapons. Our adversaries are mounting offensive cyber operations daily and due to a lack of guidelines regarding operations in cyberspace, there is little protocol defining what the appropriate response is. Similar to the outcomes of the Geneva Convention, the world needs new international rules to protect the general public from nation-state threats in cyberspace.”
National Defense Magazine (2020): Geneva Conventions for Cyber Warriors Long Overdue
“Cyber warfare is a fact of the modern world. However, there is no clear international law that distinguishes between warfare, terrorism, crime or vandalism. As a result, U.S. military cyber warriors are operating without the protections and restrictions their kinetic brethren enjoy under the Geneva Conventions.
"The road to those agreements was long, but necessary, and it needs to be trod again — before civilians suffer the consequences of unrestricted cyber warfare."
Lawfare Blog (August 2021): Responsible Cyber Offense
“Governments that harbor cyber criminals, or themselves engage in criminal behavior, may not see a shared interest in limiting damage. But this assumes that there is little risk that sloppy or unrestrained cyber operations could cause the target to escalate — intentionally or not — or could turn increasing numbers of countries against the states whose hackers wreak havoc. The concepts discussed in this post will not ameliorate blatantly dangerous behavior in the near term. But they would clarify what the U.S. considers to be an irresponsible activity, moving the nation away from a murky model of outrage at every Russian phishing email. By articulating and promoting the discussion of responsible operations, the U.S. could gain international political leverage.
"Admittedly, it will take a certain hardheadedness and even cynicism among U.S., Russian and Chinese leaders to discuss best practices in malware development and placement, but this is the nature of diplomacy in the 21st century. Major powers bear responsibility for reducing systemic risk in cyberspace, and to do this they must make offensive operations more predictable. Each country wants to expel spies from its computer networks, and each will struggle to design better defenses against cyber operations. But technical panaceas are unlikely. Better to create codes of honor among spies, and their bosses."
WILL HACKERS, AND NATION STATES, FOLLOW THE RULES?
Whenever I post any article or blog on LinkedIn about this specific topic, a common question that gets debated involves whether this is just political talk with no action and enforcement. For example, when I posted this last article from the Lawfareblog, here were some of the responses:
Mike Moran, Digital Marketing Consultant with Content and Digital Expertise: “It will be fun to watch the first time that some part of a world power gets hacked and then that drives hacking attempts at other world powers, with all parties hacking back. Yes, I worked on a situation where a client called us in just in case ... they didn't think they had any problems but wanted it documented. Turns out they had been hacked and were being used as base for additional attacks ... fun stuff.”
Jack Kufahl, Chief Information Security Officer at Michigan Medicine: University of Michigan: “I am dubious of how effective incremental cyber offensive tactics would be in the end. The 'low bar' for how offending nation-states and actors are impacting critical infrastructure means to me that those efforts need to be focused on the rigor and common sense protections as they not only help protect against adversarial attacks, but good processes and system integrity also protects from user and configuration errors. Certainly, as a component of war, there is an increasing relevance on cyber as a natural evolution of disrupting the enemy's ability to command and coordinate, however it is not a well-defined mode of attack with clear thresholds for internationally accepted countermeasures and retaliation. Internationally matters since we are largely an integrated global economy, so the disruption or destruction of services in one country do impact others and have unintended consequences. I wish it was as simple as 'hack Vlad back' but there is no satisfaction in short-term wins in this field while the infrastructure at home is having problems with local passwords and unpatch Windows 2000. …”
Jim Angleton Chief Executive Officer at United Police Federal Credit Union and Ambassador US/UN KoM, Sovereign State: “We are big proponents to legalization (acknowledging) of cyber deterrence. Meaning, offensive and defensive strategies protecting and defending systems. While many conduct and use protocols of same, it is good to know that it has been addressed, accepted, legalized and recognized that if you hit a company, individual or government, be prepared to punch back, hard! We do and our clients are better off for it.”
FINAL THOUGHTS
This topic has been important to me personally since I wrote the book Virtual Integrity: Faithfully Navigating the Brave New Web back in 2008. At that time, I wrote that federal government needs to appoint an “ambassador to cyberspace” to deal with the international nature of these vital topics.
I have written several articles over the past few months regarding international relations and cybersecurity, and the Ransomware Task Force covers the importance of this topic in several ways.
Here are two of those articles: Biden Sets Cyber Standards for Critical Infrastructure; NATO Adds Cyber Commitments, Potential Ransomware Response.
Bottom line, I just don’t see major progress regarding cyber attacks escalating without substantial international cooperation. Whether we call it a "Digital Geneva Convention," or something else, urgent action is needed now.
No comments:
Post a Comment