At the United Nations General Assembly meeting in New York last week, there was plenty of discussion of nuclear arms control. But there wasn’t enough talk of another kind of worrying threat: cyber weapons.
In 2013 a group of government experts at the UN decided that international law applied to cyberspace, too, and in 2015 the same group agreed to several voluntary norms to govern states’ behavior online in peacetime. These included stipulations that countries shouldn’t target each other’s critical infrastructure, and that they should be held responsible for any cyberattacks originating from their territory.
The UN initiative, however, hasn’t carried much weight. Revelations of Russian hacking of US power companies and the US electoral system, as well as Chinese efforts aimed at stealing intellectual property, are just some of the signs these norms haven’t had the desired effect.
Now the US and some other countries, like the UK, are preparing a more aggressive response to digital provocations.
The US recently unveiled a new national cyber strategy that makes it easier for its military to conduct offensive operations without lengthy approval processes, and the UK is planning to set up a 2,000-person team of tech experts to boost its ability to launch cyberattacks.
The new US strategy also envisages an international “cyber deterrence initiative” under which America and like-minded countries will coordinate their responses to particularly malicious cyberattacks. Those responses can range from economic sanctions to retaliation in cyberspace.
Supporters of this approach think it’s more likely to bring recalcitrant countries to the negotiating table. “When there’s a shared sense of vulnerability, that’s what drives arms control,” says James Lewis of the Center for Strategic and International Studies, a think tank.
But there’s also a risk it could trigger an escalation of cyber hostilities, at least in the short term. And that could lead to more aggressive attacks on key public services like electrical grids. So it’s essential that the US and other countries push harder than ever now for an international cyber arms control deal that reduces the risk of conflict.
Brad Smith, Microsoft’s president and chief legal officer, has been lobbying for a “Digital Geneva Convention.” This would bring together tech companies and governments to create a wide-ranging deal that protects civilians using the internet in peacetime in the same way that successive Geneva Conventions have protected civilians during wars.
Smith’s advocacy has already helped create a coalition of like-minded tech companies that have pledged to do what they can to protect their customers from cyberattacks by criminals and nation-states. Microsoft has also just launched a new PR campaign to get people to urge political leaders to do more to secure cyberspace.
Still, getting a broad agreement on cyber norms will be a massive challenge. In the short term, it makes sense to aim for a relatively narrow formal deal that gets countries to recommit to stop targeting vital public services.
Attacks on things like power plants, hospitals, and transport systems could have devastating consequences, including loss of human life, and the dangers are growing as more devices are being hooked up to the internet (see “For safety’s sake, we must slow innovation in internet-connected things”).
Striking even a narrow diplomatic agreement will not be easy. And there will also be challenges with enforcing it, because attackers often try to cover their tracks. Nevertheless, the stakes are so frighteningly high that the effort is worth making.
At a recent press briefing on the US’s new cyber strategy, Jason Healey, a cybersecurity expert, warned of the dangers if a cyber firefight does engulf key infrastructure. “We are all standing knee deep in tinder,” he said, “and soaked in gasoline.”