The Rules of Cyber War

by Jake Meyer

There is a war going on and the U.S. is under attack.  These attacks aren’t on our soil, but they hit us at home and have the possibility of causing severe damage to our infrastructure through computers and internet connections.  These attacks threaten to “destroy databases, communications systems and power grids, rob banking systems, darken cities, knock manufacturing and health-care infrastructure off line” and cause other serious damage.  Cyber attacks have been launched against the U.S. because the U.S. has large systems that offer a large payoff if the systems are compromised — it’s probable that recent attacks on U.S. defense and economic targets were launched by North Korea, China, and Iran.  Over 100 foreign intelligence agencies have attempted to break into U.S. networks.  But the U.S. isn’t the only target as the use of cyber warfare escalates around the world.  Russia has cyber attacked Estonia and Georgia.  And Stuxnet, a worm created to disrupt Iranian nuclear power plants, has been blamed on either the U.S. and Israel, or Russia.  But cyber warfare isn’t just limited to nations attacking other nations — China has launched coordinated attacks against Google and Gmail.  With all of this conflict on the cyber battlefield, is there any chance of a cyber peace treaty?

The secretary-general of the International Telecommunication Union (an agency of the United Nations), Hamadoun Touré, has called for the creation of a cyber treaty with a built-in legal and regulatory framework and a contingency plan in case of a large-scale attack.  U.S. officials are wary of Touré’s proposal since it would result in “restructuring Internet governance in ways that would boost government controls.”  But the U.S.’s reluctance on such a cyber treaty is not baseless.  There is cause for concern because regulation of the internet by nations’ governments can result in censorship, limiting the usefulness of the internet.  Russia’s defense minister has argued that promotion of ideas on the internet, such as democracy, should qualify as “aggression” under a Russian-sponsored U.N. initiative introduced to combat cyber attacks, or as Russia prefers — “information war.”  Although a cyber peace treaty could be unlikely for the near future, there could be an agreement between nations on how a cyber war should be fought.

As nations waged bloody wars with each other through the centuries, they created rules of war.  The modern rules of war are embodied in the Geneva Convention, but there is no similar Geneva Convention for cyber warfare.  It could be time for rules of cyber warfare to be developed.  Professor Neil C. Rowe of the U.S. Naval Postgraduate School has suggested that cyber warfare should have ethics policies.  Rowe gives examples of possible policies such as an agreement to a “no first use” policy, where participating members would agree to only use cyber attacks in response to other cyber attacks, or requiring that the attacks have distinctive signatures that identify who is responsible and their intended target.

So what is the U.S. government doing to defend itself on this new battlefield?  New organizations in the U.S. Department of Defense are being created to deal with these new threats.  The U.S. formed Cyber Command to defend defense networks and to also launch offensive cyber strikes.  Existing government agencies are also cooperating more to defend the variety of systems that are vulnerable to cyber attack.  The National Security Agency, which is tasked with protecting U.S. national security systems and intercepting communications overseas, and the Department of Homeland Security, which has responsibility for protecting vital systems like power grids, financial services and water purification, have agreed to share their intelligence.

Solutions have also been proposed to defend the U.S. in the event of a large-scale attack.  The Senate Committee on Homeland Security and Governmental Affairs has approved a bill to allow the President “emergency authority to shut down private sector or government networks in the event of a cyber attack capable of causing massive damage or loss of life.”  This bill, S. 3480, has been described as a “kill-switch” for the internet.  There is some concern with such a system because the power to disable whole portions of the internet is an extreme power, and it’s not clear what the precise circumstances would be for the exercise of such a power.  Larry Clinton, president of the Internet Security Alliance, which represents the telecommunications industry, criticized the bill as “empower[ing] the president to essentially turn off the Internet in the case of a ‘cyber-emergency,’ which they didn’t define.”

The strengths of the internet are also what make cyber attacks a serious threat to the security of citizens and countries around the world and also make these same threats difficult to regulate.  The internet “enables communication on an unprecedented scale and is woven into billions of lives around the world.  Its openness, its inclusiveness, its relative lack of regulation make it a fertile field for innovation and competition, an engine for much needed economic growth,” says Rod Beckstrom, President and Chief Executive Officer of the Internet Corporation for Assigned Names and Numbers (ICANN).  This engine for economic growth that allows vastly improved communication and near instantaneous access to information benefits from its openness and lack of regulation.  Defending against the threat of cyber attacks will require policy makers to walk a fine line between regulation and openness.