We Need An International Cyberwar Treaty. Now.

By James O Malley on at

Ukraine is under attack. In the last 24 hours the national bank, the state-owned power company and the country’s largest airport have all been taken out.

So why aren’t we seeing images on our TV screens of burning rubble and charred bodies? Why are there not dramatic images of missile-laden fighter jets taking off? It’s because this attack took place in what the 90s dubbed cyberspace.

The Petya ransomware has wreaked havoc across the entire Ukraine - and has even taken out government computers. There may not have been any deaths or destruction but functionally, the attack achieved the same thing, and has (temporarily at least) hobbled some of the country’s most strategic assets. The malicious software is now spreading around the world too.

Is this an act of war? It sure as hell looks like one - but the problem is, nobody knows if it is.

An Increasing Problem

Ukraine is far from unique. In recent weeks, we’ve seen a number of high profile attacks. In May, the WannaCry attack infected millions of computers - most notably Britain’s NHS. Just last Saturday, Parliament was hit by a (less severe) brute-force attack designed to compromise the email accounts of elected representatives.

The cyber-battlefield is increasingly the theatre of choice for malicious actors: As is now well known, in advance of last year’s Presidential election Russian hackers (allegedly directed by Putin himself) gained access to email accounts belonging to both political parties, and according to recent reports in the Washington Post, they even tried access voting machines directly. The newly-elected President Macron of France fell victim to a similar hack during his campaign too.

Cyberattacks have been a problem for as long as the internet has existed. But given the volume and scale of recent attacks - and given that there is now no distinction between our digital and analogue lives, it feels as though we’ve more recently crossed a dangerous precipice.

It is surely now inevitable that sooner rather than later, a state is going to respond to a cyberattack not with a like-for-like cyber response, diplomatic pressure or economic sanctions - but with military force.

The reason this is particularly dangerous, and the reason we should urgently worry about this is simple: We don’t know the rules of the game we’re playing.

We don’t know the rules of the game we’re playing.

The stability of the international system is built on predictability. The reason countries don’t go to war with each other as much any more is because we - humans - have done a pretty good job of establishing the ground rules for how to behave.

Today, because of centuries of norms and international agreements, it is fairly clear to both sides in a conflict just how far they can push the other before it escalates tensions. Country A’s politicians and generals will have a pretty good idea how close they get place their ship to Country B, before they start shooting back.

We’ve even established more formal conventions - sets of rules - to outline how wars ‘should’ be fought. The Genveva Conventions, for example, set out rules on how all sides in a conflict should treat Prisoners of War and civilians. Later protocols outlawed the use of chemical and biological weapons. And these rules held - because they were universally agreed, and made wars more ‘predictable’ - so less susceptible to accidental escalation.

So strong was this convention about how wars should be fought that even Hitler chose not to use chemical weapons on the battlefield (though obviously he didn’t have such reservations about using them in death camps).

These norms also enable actors on all sides of a conflict to set benchmarks for when a military response would be justified - and for what would constitute a war crime. The norms and rules around the use of nuclear weapons evolved quickly in the 20th century once their devastating power was demonstrated. Today, any country that launched a nuclear weapon would instantly become a pariah, and the target of a united international community. From potential chaos and destruction, by establishing rules and norms, we’ve managed to bring some stability and predictability to the nuclear age.

There Are No Rules

And this is why cyber attacks are so dangerous: There are currently no rules like those described above.

Instead, there’s a hell of a lot of uncertainty - which means that in a cyber conflict, predicting how different actors will respond is more difficult. Which is very bad if we want a stable and peaceful world.

As I wrote in 2015 for the website Little Atoms, there are seemingly countless ambiguities that could be sources of escalation or increased tension: Would military force be a justified and proportional response to a cyber attack? Does attacking critical infrastructure, such as a power plant, count as an act of war? How do we define the difference between soldiers and civilians when the war is likely going to be fought using computers that have a dual civilian use?

As Donald Trump noted during the 2016 election debates, cyber attacks are not just carried out by state actors - it could just be a 400-pound guy in his bedroom. But even if this is the case, how should states respond to the proverbial 400-pound man’s government? Would his government be “harbouring” them, and could this not in itself justify a response? When the Taliban harboured the Al Qaeda leadership, that was deemed sufficient to justify the invasion of Afghanistan. I’m not saying I know the answer to this, what I’m saying is that nobody does and that is a problem.

It is surely inevitable that people will die as a result of the Ukraine attack: Even if taking out a power plant doesn’t switch off any life-support machines, it will mean, say, delays to important surgery, to give an obvious and trite example. Supply chains that provide food and medicine could be disrupted by the hack - which could lead to deaths. How is this functionally not the same as dropping a bomb?

Wasn’t the WannaCry NHS attack in May really an attack on civilians?

Again, the problem is: We don’t know. But it is now more important than ever that governments and other actors start to try to figure out some answers.

We Need A Treaty

This is why it is time for a new treaty - a new Geneva Convention, of sorts - to regulate cyberwar.

It’s within the interests of all countries to agree these rules now, before conflict escalates. And yes, it is even within the interests of Vladimir Putin. Though he is thought to be behind a number of major attacks, and his entire political strategy is said to be about sowing chaos in the west, he is also vulnerable to an unregulated cyber-battlefield.

In response to the election hack, President Obama before he left office reportedly ordered for unspecified American cyber-weapons to be deployed inside Russian systems. Because there are no rules, we’ve got no idea what this might entail - or when it might be activated.

Cyber attacks are only going to become more common - and greater in scope. Every time an attack takes place, the odds of escalation increases. We’re already arguably in a cyberwar - but do we really want to wait for it to get hotter before we try to do something about it?

The cyber battlefield is currently the wild west - and we, urgently, need a new international agreement to set the rules of the game. We need to make cyberwarfare more predictable. Before it is too late.
James O'Malley is the Interim Editor of Gizmodo UK and tweets as @Psythor.

Read More: Is NATO Ready for Cyberwar?