SAN FRANCISCO—Between cyberattacks against power grids and election influence campaigns, nations are increasingly waging war through the internet with the rest of us stuck in the middle. At RSA, experts pondered what, if anything, can be done to make everyone play nice.

The main concern for panelists was how to enforce norms and agreements between countries about what they can and cannot do online. One method is to form a coalition of countries to unanimously and publicly condemn the actions of another country. This is especially true with the use of sanctions.

"Our sanctions policy is that much stronger when other countries join us in those sanctions," said Rob Strayer, the Deputy Assistant Secretary for Cyber and International Communications and Information Policy at the US State Department.

The US can also respond to a cyberattack with one of its own, although Strayer said the US should not initiate this action. He also acknowledged the role of the military to potentially bring a "kinetic" response, meaning bullets and missiles.

Others on the panel were less optimistic about controlling nation-state behavior in the online space. "I have become skeptical about norms of behavior that states will follow even when it's not in their interest to do so," said Paul Rosenzweig, a Senior Fellow at the R Street Institute and former deputy assistant secretary for policy at the US Department of Homeland Security. The problem is that the US has been doing a bad job of convincing countries that its policies are in other countries' best interests, he argued.

James Lewis, SVP at the Center for Strategic International Studies and former UN advisor on cybersecurity issues, was even more stark in his assessment. "One thing to bear in mind is that in the application of existing international law, military necessity overrides all other constraints.

"If an action is necessary, you can shoot a hospital, you can shoot a school bus, you can shoot anything you need as long as you can justify it, and that's how they feel about cyberspace."

More than norms, Lewis said what's needed is an understanding between nations about accountability and consequences. "We are in an undeclared war in cyberspace with two countries, maybe three," said Lewis. "Until we make people pay a penalty for behaving badly, things won't change."

Lewis later spoke to how a lack of consequences became particularly apparent in 2016. "One of the problems we had at the end of the last administration was our opponents had concluded they had overestimated the risks of taking action against the United States." There is now an effort within the US to change that perception, he said.

Although the discussion about how to enforce norms between countries was frequently pessimistic, it has worked before. That was the view of Tom Corcoran, Head of Cybersecurity for Farmers Insurance and a former senior staffer on the House and Senate Intelligence Oversight Committees.

"There was a point when China was really running rampant through the internet, smashing and grabbing—not even trying to be clever about what they were doing," said Corcoran. The US and allies pushed back on this, and China eventually changed its behavior, but Corcoran also conceded the real story may be more complicated. "We don't know what drove the Chinese to come to the table and to stop doing it."

This has been compounded by a resurgence in Chinese online operations. "I would suggest that we're no longer delivering that cohesive message to the Chinese that that's not acceptable," said Corcoran.

No More Lone Wolves

While the main subject of the panel was nation-states, the issue of lone or rogue hackers did emerge. What didn't emerge was consensus on the threat.

"All the agreement in the world amongst nation-states will not get us all the way there when non-state actors have increasing capabilities," said Rosenzweig. Ideological groups should be of particular concern, he continued, because they won't necessarily behave rationally. "Anybody with 10 really bright guys and servers and access to the network can play in this space."

Lewis vehemently disagreed. "Non-state actor are not a threat and they're not on a path to become a threat," he said. What has been worrisome is that countries like China and Russia have been willing to tolerate non-state groups operating online from within those respective countries. "There are criminal groups in Russia that are better than most states, but they're much aligned with Russian policy.

"If Russia decided to enforce the law, things might be different," said Lewis.

Role of Industry

The RSA conference is a trade show first and foremost. So it wasn't surprising that panelists examined what, if any, role the industry has to play in creating and enforcing norms between nations.

One major role Cocoran sees for industry is allowing the US government to publicly name bad actors. US intelligence, he said, was sometimes aware of who was behind a particular online operation, but couldn't speak about it. When industry made the same attribution public, it was easier for the US government to follow.

"The most remarkable thing that's happened in the last five or 10 years," said Rosenzweig, "is that Microsoft has a foreign policy." He described how Microsoft and other companies have teams of people essentially playing diplomatic roles in order to realize their business interests. "The norm setting being done here is not being done by nation-states exclusively," he said.

Lewis agreed that industry has to be involved for there to be legitimate outcomes, but was hesitant to say industry will play a large role. "States still have a monopoly on power," he said. "Some states may choose not to use it; unfortunately our adversaries don't work that way."

While often hidden from public view, what nations do to each other through cyberattacks is becoming increasingly visible. In 2012, it was revealed that Stuxnet malware had been used to physically damage centrifuges in an Iranian radioactive enrichment facility. In 2016, Russia was accused of inciting a massive power outage in Ukraine.

The most obvious instance of a cyberattack for US readers is, without question, Russian interference in the 2016 election. Unlike efforts to bring down a power grid, this plot reportedly centered on sowing division and doubt among Americans through a massive online misinformation campaign. The full scope of this effort is still being investigated.

This article originally appeared on PCMag.com.