Increasingly, cyber-attacks are not just carried out by individual hackers, but by states. There is a big risk that important infrastructures, and therefore also civilians, will be victims. This is why there have been calls for a Digital Geneva Convention. What exactly would that imply?
State-sponsored hacking is on the up
Hacking computers can take on many forms, with many purposes. Of course you have the script-kiddies who hack computers or networks, because they can and it gives them a kick to have control over other computers. But more often it concerns monetary purposes - think of the Wanacry ransomware, which made many victims last year. In the UK, hospitals even had to close because nursing staff no longer had access to the data which had been encrypted by cyber criminals. Shipping company Maersk lost 300 million dollars because of a similar malware, NotPetya. We have even come to the point where 74% of companies worldwide expect to be hacked every year. By 2020 the economic damage could be 3 billion dollars.
But there is another danger: state-sponsored attacks. Take, for example, the Sony-hack, in 2014 by North Korea, because of… a movie, The Interview, which featured president Kim Young-un. Other examples of state-sponsored hacks: a pro-Russian group of 'patriotic hackers' took down the government websites in Germany, the Ukraine and Poland, out of revenge for German support for Kiev. The Syrian Electronic Army hackers’ collective linked to Syrian president Bashar al-Assad regularly attacks websites of Western media, such as Le Monde.
Countries entrench themselves digitally
Governments are aware of the dangers of cyber-attacks, - by 'ordinary cyber criminals or by states. Germany recently announced that it established a cyber force which will be part of the army, in addition to the land, naval and air force. By 2021 this group must consist of 13,500 soldiers and 1,500 civilians. Their main task: protect crucial networks. In Belgium, the General Information and Security Service - also known as State security - is urgently looking for a hundred experts, computer nerds, to come work for the Service. They have to help protect Belgium against virtual terrorists.
After all, traditional military defence systems are no longer enough to protect a country. An aircraft such as the Eurofighter for example is not easy to shoot down, but it is full of electronic equipment. Hackers are able to hack this equipment and bring the aircraft down. Not a single component of a country's important infrastructures is not controlled by computers. Think of electricity networks, control rooms in nuclear power plants or at airports, financial networks. They are all vulnerable for hackers, regardless of whether it is sponsored by a hostile state. Resulting in enormous damage: economic, material, but also human lives.
Civilians and private companies are victims
More than 30 countries have already admitted to having offensive cyber capabilities. This is difficult to verify because cyber arsenals are secret by nature. This secret nature tempts governments to test their cyber arsenal, and in this way adjust their strategy. The presumable influencing of the American presidential elections and the British Brexit referendum are possible examples of this.
This new arms race contains a number of aspects that make it difficult to defend oneself against a cyber-attack. To start with, cyberspace is not a tangible concept, but something that extends across all countries. Which laws apply? Who has control?
Also, this cyber space is created, maintained, protected, operated by private enterprises, from underwater data cables to data centres, to servers, laptops and smartphones.
Of course the government plays a role in this, but the real targets of a cyber-attack are the private objects owned by civilians and companies. This also means that a cyber-attack by a particular country is not immediately combated by another country, but primarily by citizens or companies. They are the first victims.
A digital version of the Geneva Convention is necessary
In 1949, at the Fourth Geneva Convention, rules were agreed to protect civilians in times of war. However, state-sponsored hacking results in attacks on civilians in peace time. This is why the calls for a new Geneva Convention to protect civilians against cyber-attacks, are getting louder. Different governments, organisations, but also private enterprises support the initiative. A roadmap is starting to be drawn to achieve this Convention.
Already two decades ago the United Nations established a body to determine how to deal with the various aspects of information technology, in particular cyber security. It was confirmed in 2015 that international laws also apply to cyberspace. That sounds trivial, but this legal security did not exist before. And 11 cybersecurity standards were laid down.
20 countries, including the US, China, Russia, France and the UK supported this consensus, and the G7 confirmed it again in April. This was followed by bilateral cybersecurity treaties between China and Russia, the US and China, the US and India, China and the UK, and this year resulted in a cybersecurity co-operation treaty between China and Australia.
Unfortunately, the terms of these agreements remained vague. This is why the World Economic Forum is calling for further steps to come to a Digital Geneva Convention. According to this Microsoft paper, it would need to have the following goals:
- Governments must undertake not to carry out cyber-attacks aimed at the private sector or critical infrastructure, or steal intellectual property by hacking. The government should also support the private sector to detect, limit and respond to attacks and help them recover. Governments should also inform manufacturers when vulnerable patches are discovered in their product, instead of keeping them secret for espionage or other purposes.
- An independent organisation, comprising public and private sector members, needs to be established. This needs to investigate, possibly, the proof that a state-sponsored attack can be attributed to a particular country and make its findings public. Compare this with the International Atomic Energy Agency which plays a key role in nuclear disarmament.
- The first line of response in a cyber-attack are IT companies. They need to be prepared to actively ward off and respond to attacks. Just like the Fourth Geneva Convention relies on the Red Cross to help civilians in times of war, the technology sector must actively help to protect us against state-sponsored cyber-attacks.
- Not only must governments respect the cybersecurity standards themselves, they must also hold other nations accountable if they violate the standards. In other words, imposing punitive measures such as economic sanctions, or public condemnation. If it is not condemned, the other countries may conclude that their behaviour is permitted, and the Convention has no power or strength.
Technology sector like neutral Switzerland
If it were up to Microsoft, IT companies would have to become a neutral digital Switzerland as it were. Companies should undertake to not produce attacking software, or to take part in attacks. Patches for weak spots in software should be made available to users, regardless of the hackers or their motives. And joint practices should be agreed about how a vulnerable spot in a service or product is notified to the public.
Software companies usually work across national boundaries. Their neutrality should be beyond dispute. Every country should, regardless of its policy, be able to count on a national and international IT infrastructure it can rely on.
The Digital Geneva Convention is therefore not just a noble, utopian concept, but an essential initiative that has to protect civilians against a real threat. It is up to the politicians and the technology sector to put this concept into specific agreements.