It’s Time for a Geneva Convention on Cyber Warfare

Trump’s plan to form an impenetrable cybersecurity unit with Russia might have been wide of the mark, but a broader plan for international cooperation on cyber warfare is necessary.

Donald Trump’s latest plan to get into bed with Russia could actually make sense.

On the face of it, a bilateral US-Russian cybersecurity pact is seen as a complete misfire; and it would seem even Trump knows this, now that he has backed away from the idea. There is, however, a real underlying sense in the ethos of his encouraging major nations to engage in much-needed cooperation.

We knew from the outset that Trump’s plan would never come to fruition, because American intelligence services are still unwavering in their belief that the Russians, under Putin’s instructions, attempted to hack and influence the US Presidential Election last year.

This is still a real sore point for the US establishment, and many in Washington are furious that Trump is not investigating Russia’s activity more closely. Unlike under the Obama administration, there have been no repercussions for Russia’s alleged actions and now they’re going into discussions with Trump, making noises about working together.

Trump may demonstrate a somewhat layman understanding of cybersecurity issues, or ‘the cyber’ as he calls it – hence his talk of “forming an impenetrable cybersecurity unit”. Anyone who understands cybersecurity knows he can’t guarantee anything is impenetrable, particularly given the FBI and NSA’s history of being hacked.

The cyber-threat landscape is evolving. Recent months have seen waves of attacks which resulted in physical, real-world outcomes. WannaCry struck huge chunks of the NHS, causing chaos in UK hospitals and more recently the NotPetya malware wreaked havoc in Ukraine, bringing down shipping ports, airlines and supermarkets alongside hundreds of other businesses and organisations.

Attacks on critical national infrastructure are happening now and with increasing regularity. Earlier this year, Ciaran Martin, head of the National Cyber Security Centre (NCSC), said that the number of cyber-attacks that threaten “national security” is on the rise. Chancellor Philip Hammond recently said that the NCSC had been blocking up to 200 potential attacks each day.

It seems that cyber-attacks and their perpetrators are largely unthreatened by any coherent international law. If these were physical attacks they would be covered by international legislation and appropriate action would be taken in response. It’s becoming clearer by the day that there needs to be tighter controls on cyber activities that manifest in real world impact.

Globally, we have a number of different resolutions, agreements and unions, all of which attempt to address the issue of cybersecurity legislation and response. But we aren’t seeing any coordinated attempt at international cooperation and that’s why Trump’s idea shouldn’t be dismissed out of hand.

Trump’s comments raise the question: why is there no international agreement on cyber-attacks?

In conventional warfare we have established comprehensive international law: the Geneva Convention, the Hague Convention, and the Geneva Protocol. What we now need is a Geneva Convention on the use of cyber weapons. The threat is too great to ignore and the potential outcomes too terrible to leave to chance.

Forums like the G20 and the UN should be working towards bringing key parties to the table – the likes of China, Russia and the USA – and implementing strict governance over the use of cyber weapons by nation states. The Tallinn Manual 2.0 produced by NATO is the most comprehensive analysis of how existing international law applies to cyberspace. But this of course is limited to the member countries, which excludes some of the most active nations operating in cyber space

NATO has stated that if a cyber-attack creates a physical outcome – for example on air traffic control or a nuclear power station – it could lead to a physical military response. We must work together to put limits and boundaries on nation’s activities in cyberspace. We’re currently operating within a Wild West of the Web and the future is daunting.

Of course, the main stumbling block in tackling international cyber-attacks is comprehensive attribution. None of the recent major cyber-attacks have yet been comprehensively linked to a nation state. The question of attribution complicates matters but it’s not a reason to not tackle the problems. I believe that deeper international cooperation will yield greater results in attributing and curbing cyber-attacks. It will be difficult but we have a responsibility to get on and do it.

Trump’s call for a US-Russian pact on cybersecurity should actually be taken as a call-to-action for international cooperation on cyber warfare legislation and unified defence.