Cyber Warfare – Do We Need a New Geneva Convention?
Cyber warfare as the 21st Century version of a nuclear holocaust has gripped both public and lawmakers imaginations. Elisabeth Fischer reports on whether increasing concerns over cyber safety could require an international code of battle similar to the Geneva Convention.
Digitised battlefields, cyber attacks and online terrorism are all catchwords of modern warfare. Major events like Stuxnet and the scandal over Wikileaks have pushed cyber technology to the forefront of a major shift in the national defence concerns of many Western countries, with the result that many governments are reassessing their strategies.
The German Government, for instance, has only recently announced the decision to pursue a new cyber-strategy: with April 2011, a newly set up National Cyber Defence Centre will protect the country from cyber attacks – be it hackers getting access to restricted data or worms and viruses aimed at destroying critical infrastructure groups.
US President Obama has identified cyber security as "one of the most serious economic and national security challenges" that a nation can face and has ordered a review of federal efforts to defend the country's information and communications infrastructure and only recently the Pentagon completed a new cyber strategy. The UK has released a strategic defence and security review in October 2010 and also Nato has emphasised cyber defence as a crucial aspect of its member and partnering states. The first official Nato cyber defence policy is scheduled to be completed in June 2011.
What seems like science fiction is in fact the zeitgeist of a new era of warfare. Germany's decision to implement a defence centre for cyber warfare, as well the steps being made by the US, UK and Nato, reflect the public debate in many Western countries about rules and regulation for the digital battlefield.
The need for cyber rules of engagement
The rules of conventional warfare are clear and are enshrined by the Geneva Convention and Article 51 of the UN Charter. Certain types of weapons have been banned and certain protections exist for civilian and medical entities. For cyber space, however, these rules and regulations are not relevant.
"These rules don't work in the boundless and borderless cyber space," says research director for security technology at the US Cyber Consequences Unit (US-CCU), John Bumgarner. The need for regulation, however, would certainly be given. "Yes, there will be cyber conflicts between countries and there are cyber threats out there. Regulation is needed."
Former military intelligence officer and now senior consulting fellow at the US-CCU, William Gravell adds: "The debate today is whether or not the definitions and usages and rules of warfare can in fact be extended to cyber activity. There is no consensus within the community on this subject just yet."
At the beginning of February this year, the New York-based EastWest Institute presented proposals for a cyberspace Geneva Convention, to delegates at the Munich Security Conference, including UK Prime Minister David Cameron, German Chancellor Angela Merkel and US Secretary of State Hillary Clinton.
The Russian-American thinktank of defence experts, which includes representatives from Microsoft and military supplier Northrop Grumman alongside academics and military advisors, announced in their report that critical civil infrastructure such as hospitals and air traffic control systems should be protected by internationally agreed sanctions, similar to the Geneva Convention.
Opinions on the nature of such a cyber threat, however, differ. Gravell, who also works as a consultant for the American national security industry, says that no such thing as cyber war exists. "Will there be cyber-oriented conflict? The answer is: unquestionably absolutely every second of every day. But as we discuss things like war - WW1, WW2 or the Vietnam War - cyber war does not lend itself to that."
"There will be wars in the future and every war will have a cyber component. Just as the introduction of the airplane meant that after 1903, when the airplane was invented, every war had an aviation component. The same is going to happen with cyber."
Definition of cyberspace
Ahead of a possible implementation of a regulation for cyber warfare, a strict definition of the borders of cyberspace has to find its way into the debate. Research director at the US-CCU, John Bumgarner says: "In 2009, I asked the UN in a statement to conduct an open debate about a possible cyber threat and about the borders of cyberspace. This hasn't happened yet."
"Countries such as Estonia and Georgia, who have experienced cyber threat, have had an open discussion and have made necessary steps to implement some kind of regulations. That's what the UN has got to do."
Cyber security research assistant at the Cyberspace Science and Information Intelligence Research (CSIIR) group, Oak Ridge National Laboratory, Brent Lagesse, agrees with Bumgarner: "In my opinion, the first issue related to cyber warfare that should be established is what actually constitutes warfare. Is launching a denial of service attack against a military system warfare? Is data exfiltration warfare? Before we can actually decide on rules regarding cyber warfare, we have to have an agreement on what constitutes cyber warfare."
According to Lagesse, the difference between civilian and military portions of cyberspace is not always clear. As a result, producing a definitive document regulating war-like actions is not an easy task. "There is no obvious and easy solution."
In Germany's case, the government has decided on a simple definition of cyberspace and includes all informational structures available through the internet, regardless of territorial boundaries. Severe attacks in this space could affect social livelihood and that's why "the availability of cyberspace and the integrity, authenticity and confidentiality of data has become an existential debate of the 21st Century."
The researchers at the EastWest Institute have asked some important questions in their report, which have to be answered before the implementation of a successful set of rules for cyber warfare: Can protected critical humanitarian infrastructure entities be 'detangled' from non-protected entities in cyberspace? Just as a Red Cross designates a protected entity in the physical world, is it feasible to use special markers to designate protected zones in cyberspace?
Should we reinterpret convention principles in light of the fact that cyber warriors are often non-state actors? Are certain cyber weapons analogous to weapons banned by the Geneva Protocol? Given the difficulties in coming up with an agreed definition for cyber war, should there be a third, 'other-than-war' mode for cyberspace?
International standards without effect
In spite of all problems with a clear definition of cyberspace and cyber warfare, military experts know that the debate has to take place soon. Critics, however, also ask if an international standard for cyber warfare would have any effect, saying that UN war crimes conventions and anti-genocide conventions have been ignored in the past and the same would happen to the rules for digital warfare.
One of these critics is the CSO at the US-based cyber security company Tenable Network Security, Marcus J. Ranum. He believes that although it would be nice to have a cyber Geneva Convention, in practice it would not really matter.
"I'm desperately trying to think of a single conflict in which the GC counted for anything more than 'that set of rules that everyone quotes but everyone violates'. The truth of warfare is that rules are only followed if the contests are approximately even and one side or the other is unsure if they will wind up in a kangaroo court arranged by the winner."
In Ranum's opinion the 'weak' would do well to advocate for rules governing cyber war but the actual superpowers would ignore them anyway when it suits them. "The strong will want rules for governing cyber war, in order to justify more direct retaliation and hopefully to avert less powerful nations from considering it."
And then there is the question whether the fear against a cyber attack is a mere hype or a real threat. William Gravell believes that part of the anxiety over cyber is its novelty. "Over time experience and education will moderate the issue, bring people to a collective understanding and then anxiety and tensions will be reduced," he says. "Time is on our side."
Marcus J. Ranum, however, even goes a step further and suggests that big military companies would aggravate a hype surrounding a possible cyber threat because this technology is a product that still can be sold, compared to heavy military equipment. "I think it's a pretty fair accusation," he says.
With such differentiating opinions and no clear definition about cyber warfare and cyberspace in general, much of the political debate surrounding a possible threat seems meaningless and many ask the question whether the implementation of a Geneva style set of rules at this stage is a meaningless idea.