International Policy Digest

Seb Daly/RISE via Sportsfile
Tech /06 Aug 2017

Geneva Convention in Cyberwarfare? Don’t Count on It.

Earlier this year, the president and chief legal officer of Microsoft, Brad Smith, called for the development of a Geneva Convention-type agreement aimed at cyberattacks and cyberwarfare. He believes nations should restrict the use of destructive malware and ransomware, especially in the area of civilian infrastructure.

Are enterprise networks and clouds safe? Are all data centers safe from cyberattacks? Not according to any of the major security studies being floated by major security and network companies. As I observed in an earlier article: “Today, cyberattacks aren’t measured in days or even hours. A whole cyberwar can last only a couple of seconds – or less.”

In cyberwar, there are no frontlines, only virtual lines across electronic borders. Battlefields are now in server farms in data centers and across Intelligent Infrastructure (the power grid and the communications networks). Some attacks could happen and no one would even know about them for a year. Some attacks are virtually untraceable.

The “essence” of war waged on Intelligent Infrastructure takes on a whole new set of accelerated strategies and tactics.

Cyber weapons are not part of the Geneva Convention and the way they are used now, I highly doubt there will ever be a consensus to sign away their latest capabilities, especially in the area of asymmetrical warfare. To think everyone is going to come to a consensus to limit them or restrict them to only certain areas is ludicrous. They will never get rogue states or terrorist groups to sign anything.

When other forms of diplomacy end, and nations go to war, there are certain rules of engagement when it comes to what you can and cannot do. This does not apply to cyberwarfare or cyberattacks. The only limitation you have is how creative you can be. Everything is fair game.

In past Geneva Conventions, the treatment of sick and wounded combatants were codified into an international treaty back in 1864. Since then, several types of warfare, including chemical warfare, have been banned after both World War I and World War II as the Geneva Convention was modified and added to in subsequent conventions. After World War II, 196 nations signed the updated version of the Geneva Convention.

This widely-accepted, international treaty which has been in effect for well over a century has its limitations. Nothing is discussed about the impact of cyberwarfare on both combatants and civilians. Even if 196 nations sign as they did for the last Geneva Convention in 1949, what about all the terrorist groups that are not bound by any one governmental entity or sovereign state boundaries? Why would they sign? To them, everything is fair game.

Cyber weapons are the great equalizer for small countries and terrorist groups to have real leverage on large countries who have vast military resources and capital. You don’t need to match up head-to-head against a squadron of F-35s, A10s, or 1,000 tanks, if you have a competent cadres of software experts who know how to engineer destructive malware and ransomware. In fact, the F-35s and 1,000 tanks are virtually useless against a cyberattack.

The panacea of limiting cyberwarfare is wishful thinking. The pragmatic reality of cyberwarfare is that it is not necessarily only nation-states doing the fighting and initiating attacks. Groups that have no sovereign boundaries are not going to sign any restrictive agreement. And, you cannot force them to. The only limits cyber-warriors have is the creativity that they possess.

The whole idea of trying to compartmentalize and limit the battlefield into one neat, “virtual battleground” goes against all the framework of asymmetrical attacks and the ideologies of terrorist groups employing guerilla tactics, who do not have traditional ties and limits of a physical border-type government, let alone government and humanitarian values.

The answer to creating a stronger defense against cyberattacks is to have a higher-quality level of operating system software which does not have all the Swiss-cheese holes of vulnerabilities in it. Other software companies developing applications and security software today need to improve what they already have as well.

The latest studies show, cyberattacks are on the rise. This is not a problem that is going away or lessening as time goes by. Do not count on any electronic asset being put into a totally non-impermeable state.