Does cyberwarfare need a ‘Geneva Convention’?

Experts are calling for a set of rules of engagement for cyberwarfare, setting out acceptable methods for countries to fight back.

At the RSA Security Conference in London this week, Michael Chertoff, former US Department of Homeland Security Secretary, said that there neded to be consensus on, for example, whether it was acceptable for a victim country to disable the entity that was attacking it.

“We need to develop a set of rules soon to begin the process of stabilising the situation,” he said.

“By setting rules, we can adjust incentives to make countries take responsibility for what is going on within their borders.”

The rules would define what level of reponse was proportional, suggesting that attacks on air traffic control systems or financial trading systems, for example, could justify a greater response than those on less critical targets.

Military ethicist Randall R Dipert of the University of Buffalo agrees.

“Unlike conventional warfare, there is nothing remotely close to the Geneva Conventions for cyberwar. There are no boundaries in place and no protocols that set the standards in international law for how such wars can and cannot be waged,” he says.

“Traditional rules of warfare address inflicting injury or death on human targets or the destruction of physical structures. But there are no rules or restrictions on ‘soft-‘ or ‘cyber-‘ damage, damage that might not destroy human beings or physical structures as objects. But intentional destruction or corruption of data and/or algorithms and denial-of-service attacts could cause tremendous harm to humans, machines, artificial systems or the environment.”

And he warns that the US is particularly vulnerable. “Our massive systems offer the biggest payoffs for those who compromise them,” he says.

General Keith Alexander, director of the National Security Agency and head of Cyber Command, has said that serious thought is being devoted to the development of cyberwarfare policy and strategy.

But, says Dipert, “To date, however, this has been shrouded in secrecy, which is a serious problem, because if they are to have a deterrent effect, it is absolutely necessary to make some policy elements public.”

Of course, for any policy to work, it’s necessary to know where the attack originates – and this isn’t always easy. The recent Stuxnet nuclear plant-disrupting worm has been blamed on Israel and the US by Iran, while others point the finger at Russia.