Cyberwarfare Convention

The political will remains too weak

Adopted at a time when wars were 'traditional', do the Geneva Conventions need to be adapted to the new reality of cyberwarfare? We asked Philippe Jacques, research assistant and doctoral student in International Humanitarian Law (IHL) at the Catholic University of Louvain.  

By way of reminder, the Geneva Conventions are international treaties in the field of international humanitarian law. They lay down the rules of conduct to be adopted in times of armed conflict, including the protection of civilians, humanitarian aid workers, the wounded and prisoners of war. These conventions have been ratified worldwide, which means that every state in the world has undertaken to comply with them. 

"First of all, a distinction has to be drawn between cyberattacks in times of armed conflict and malicious cyber operations in times of peace."

Guide of conduct on cyberwarfare

What should a Geneva Convention on cyberwarfare include? 

Philippe Jacques, research assistant and doctoral student in International Humanitarian Law (IHL) at the Catholic University of Louvain: "First of all, a distinction has to be drawn between cyberattacks in times of armed conflict or which would trigger an armed conflict and malicious cyber operations in times of peace. The concept of "cyberwarfare" in common language is therefore very broad. Such a convention should draw inspiration from the Tallinn Manual, which was initiated following a cyberattack on Estonia by Russia in 2007.

At the time, NATO created a specialised cyberwarfare centre and issued a guide of conduct on the application of international law to cyberwarfare. Version 1.0 of the guide was concerned with cyberattacks in armed conflict and version 2.0 also includes cyber operations in peacetime. This guide of some 650 pages contains 158 rules, including the attribution of state responsibility, jurisdiction, the prohibition of intervention in the internal affairs of states, etc. 

It is certainly not a convention insofar as this guide was drawn up by experts, often very Western experts, since it is mainly a NATO initiative. On the other hand, to have a real convention, all states would have to agree.

Moreover, the guide does not necessarily cover the strategic interests of all states. This is obviously a constructive step that fills a legal vacuum, but the drafting of a new convention has a very political aspect. And politics means possible blockages, as was the case for several provisions of the 1949 Geneva Conventions, particularly at the level of large countries such as the United States and Russia."

Who should take the initiative for such a convention? 

"The United Nations in general, and more specifically the Office for Disarmament Affairs (UNODA), has already contributed to the drawing up of several arms control conventions, notably against the use of nuclear weapons. This office organizes discussions between government experts who are familiar with the strategies of states. There is agreement on the main principles at this stage, namely to apply international humanitarian law to cyber warfare, but the terms of application remain to be defined.

For its part, the UN Security Council addressed the issue in 2021 and its report confirms the importance attached by all states to the issue of cyberwarfare, even if some countries, including Russia, have doubts as to whether international law applies to cyberwarfare. In other words, everyone seems to agree on the main principles, but we are still far from a convention. In short, at this stage, states are only prepared to adhere to very informal and conditional optional rules of conduct. 

For its part, the International Committee of the Red Cross (ICRC), which has enormous experience of armed conflict and is the originator of the Geneva Conventions, is said to be a serious possibility, but does not seem to have started any consultative process for a new draft convention. On the other hand, it should certainly be consulted, as should, for example, a company like Microsoft which has a de facto monopoly on the market."

"Most states meet most of their obligations most of the time.”

International law

How can such a convention be enforced/complied with? 

"This is a matter of legal theory: Why do states respect international law? The big problem in international law is that states are both creators of norms and subjects of those same norms. They must therefore define the law they apply to themselves. It is consequently all a matter of consent and acceptance of respect for that law. To paraphrase the expert Louis Henkin, "most states meet most of their obligations most of the time.” International law thus remains a frame of reference against which states can judge their peers.

Another difficulty is that these are 'cyber' attacks and therefore it is difficult to identify first the type of attack and then the perpetrator. And usually the perpetrator of the attack in question denies the facts. And that's without mentioning possible reprisals in case of denunciation."

What about possible sanctions? 

"Ideally, in the general interest  we could adapt the sanctions of the "classic" regime of state responsibility, as well as criminal sanctions against individuals in the case of cybercrime. But it is still necessary for states to accept a regime of sanctions that it or its nationals could fall victim to. As we have seen with the International Criminal Court, states are sometimes reluctant and protect their interests."

Could a convention prevent cyberwar? 

"Once again, a distinction must be made between cyberattacks in times of armed conflict and cyber operations in times of peace

In armed conflict, the Geneva Conventions and IHL (or 'jus in bello') were never intended to avoid war, but to limit the consequences for those affected by the conflict. The question of the prohibition of the use of force is a matter of 'jus ad bellum' now enshrined in the UN Charter. The two issues are entirely independent of each other, in order to safeguard the protections provided by IHL.

In times of armed conflict, a 'cyber convention' would therefore not prohibit cyberwarfare but could limit the damage to the civilian population.

In times of peace, however, such a convention could provide a frame of reference for states to determine the responsibility of each party, which would have a certain dissuasive power. 

I would add that it is never too late to agree on such a convention, even if it seems complicated. In the best of all possible worlds, this type of cyber convention could limit damage and malicious operations on the legal level. But it would be complicated at the level of international relations and the current geopolitical context, even though an international convention has existed since 2015 on industrial espionage between China and the United States. It would probably have been ideal to create a cyber convention before the full destructive capability was available, as was the case with the 1967 space treaty which prohibits any military use of space."

Marc Husquinet has more than 35 years of experience in IT-journalism. First for nearly 30 years with Data News, the leading IT magazine on the Belgian market. After that, as a perfectly bilingual independent journalist. Today, he makes his expertise available to IT-companies, either as a journalist/copywriter or as a specialised translator.

Read more on cyberwar