Can we see the potential danger of cyber warfare enough to contain it before a cyber-Dresden occurs?
According to the White House, the NotPetya attack in 2017 caused “billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine. . . . This was also a reckless and indiscriminate cyber attack that will be met with international consequences.” So far there have been no public reprisals and there remains no international law on cyber warfare. A kinetic attack that damaging would have required an immediate proportional response.
The United States established Cyber Command and the Navy stood up Tenth Fleet a decade ago to direct cyber operations and defense. Retired Admiral James Stavridis argues for a separate service branch, a Cyber rather than a Space Force, but it would be a combatant with no directly applicable international law of warfare. NATO applies pre-cyber-era international law to cyber operations conducted by and directed against states.
The world was horrified by the human catastrophe of World War II, particularly the massive civilian devastation from strategic bombing—the ultimate forcing function to draft international law protecting civilians in armed conflicts as well as soldiers and sailors. Postwar conventions were written outlawing chemical warfare, biological warfare, and antipersonnel mines, and protocols were developed to address guerrilla and civil warfare—but not yet cyber warfare. Article 5 of the North Atlantic Treaty could possibly be applied against a cyber attack, but this has never happened. Nations, rebels, and guerrillas are expected to know and respect the difference between a legitimate military target and a hospital, but cyber warfare has no bounds. Using the three-factor standard put forth by Marsh, the cyber insurance and risk management firm, Russia could shut down the New York Stock Exchange and NASDAQ for a month without legally committing an act of war.
Brad Smith, Microsoft’s president and chief legal officer, took a bold step in 2017 when he proposed a “Digital Geneva Convention” and outlined what such a protocol might look like. The challenges to such an agreement are monumental. The depth and breadth of the issue, and the lack of incentive for governments to disarm what some consider a critical offensive capability, have kept the UN and other groups from reaching consensus. Arguably, they are diverging.
Show the Diplomats How It’s Done
An independent international group may be able to hammer out the basics of a convention on cyber warfare, if the right people come together with the right mind-set and reasonable expectations. Leaders from large and small businesses plus local officials with the help of international lawyers could establish a framework, with the expectation that when it became acceptable (and politically necessary) diplomats from nations would pick up the torch to finish the task. This is how the postwar agreements came about.
The modern Geneva Conventions materialized not as the product of government diplomats but thanks to an independent international group, spearheaded by a single man: Jean Pictet. The International Committee of the Red Cross (ICRC) was horrified by the human catastrophe of the war and decided to act. It announced its intentions, held a preliminary conference (followed by a government expert conference), adopted revised language at a second ICRC conference, and convened a final diplomatic event.
A Cyber Convention
Setting the conditions to negotiate a final diplomatic agreement acceptable to even 20 of 200 nations will require exceptional management and leadership. This will be a design-thinking exercise for a global problem: we must define the problem, create empathy, ideate solutions, prototype answers, and test them.
Protecting civilians from future cyber warfare is a lofty purpose. Consider the challenge: imagine how difficult it would have been in 1910 for nations to predict the nature of submarine or air warfare by the end of World War I in 1918. In 2010, few would have foreseen or comprehended the 2018 Internet of Things—given the first iPhone was sold in 2007, and the World Wide Web had only been proposed in 1989.
Because cyber attacks have not yet drawn blood, an international business association may be the right group to address the Protection of Civilians in Cyber War. The 2017 Paris Call for Trust and Security in Cyberspace was endorsed by 370 actors—only 55 of which are nations, with the balance being corporations and nongovernmental organizations. Where governments have failed, an independent international organization supported by independent citizens and businesses can succeed. The most recent had promise but ended with a feckless final message.
The ICRC model can work again. Global leaders must announce clear intent, inspire others to collaborate, create a first draft of a convention, revise and edit the articles, then bring social pressure to bear on governments to adopt a negotiated act. A preliminary conference would identify the issues to address, before articles for each are proposed and crafted at the convention. The history of Annapolis, and its proximity to (but distinction from) Washington, D.C., make it an ideal location for an independent global conference on cyber warfare. With several months’ notice, a week in mid-August 2019 could be feasible.
Defining belligerents may be radical. A great deal of literature contemplates the ethics and impact of governmental cyberwarfare attacks on foreign civilian systems but fails to consider the inverse: Can Google commit an act of war? Could Amazon Web Services be considered a cyber-combatant? Where are the lines between government contract vs. criminal act vs. casus belli for a business? It is unlawful to bomb a mosque; should it be unlawful for patriotic citizen hackers to cyber-attack the Vatican as a levée en masse? Developing ethical solutions to questions like these will be extraordinarily difficult because of the complexity of modern society.
But extending the Geneva Conventions to guerrilla and civil wars (non-international warfare) was not easy. David McCullough has written that William Randolph Hearst started the Spanish-American War. Could Facebook start a civil war? Can Twitter be declared a subversive guerrilla force?
What are the cyber threats to individuals, businesses, or governments not already governed by treaty? Where would jurisdiction to resolve disputes rest? Who signs—France, Vodafone, or Apple? Can we distinguish between cyber crime, espionage, intelligence, and attack? Are we limited to ex post facto efficacy, or can a cyber convention establish rules that prevent collateral cyber damage? Would valid military cyber targets be required to mark themselves with a fixed distinctive sign recognizable by cyber payloads, to distinguish from civilian targets?
The U.N. has failed; nations have failed; and corporations have failed while the trends in cyber warfare have been consistently if not exponentially negative. A cyber ‘Pearl Harbor’ remains a threat and perhaps it is time to declare cyber a domain; it is certainly time to recognize that soldiers, sailors, and civilians can all be gravely harmed by nonkinetic forces.
Failing to act leaves American sailors at risk: nothing stops China from declaring Tenth Fleet “Yankee Cyber Pirates” and indicting them for cyber war crimes. Perhaps we should find our ‘pivot to China’ through Tenth Fleet instead of Seventh.