Hacking, viruses, denial-of-service...all fair game in the modern world of conflict. Maybe it's time we drew up some new rules of engagement

In November 2015, the world held its breath for a few hours after Turkey shot down a Russian jet it claimed was violating its airspace during operations in Syria. In the end the incident played out fairly predictably. The Russian and Turkish governments issued some bellicose statements, a planned meeting of foreign ministers was cancelled, sanctions were slapped on, and some existing agreements were torn up. Annoying for the people involved, yes, but there was never really any threat of either side firing another shot.

The reason the incident didn’t take on greater importance is because the rules of international relations are fairly well rehearsed and understood at this point. Earlier agreements from the 1648 Treaty of Westphalia onwards meant that both sides knew how far they could push the other before something undesirable happened. The anarchic international system has been somewhat tamed by rules and norms.

Enter cyberwarfare

Back in September, another diplomatic fracas between two nations took place without those sorts of precedents. US companies came under attack, allegedly from the Chinese government in a bid to steal intellectual property and gain a competitive advantage. This led to a war of words which became so heated that it was a major talking point during a visit to the White House by the Chinese President – and ended with both countries pledging to do more to limit attacks.

In 2007, Estonia suffered a cyber Blitzkrieg. Persistent attacks over several weeks disabled emergency services, and prevented businesses and banks from communicating. According to Shaun Roberts, writing in the North Kentucky Law Review, some Estonians were left without internet connections for up to two weeks. While no one ever claimed responsibility, the attack was (inevitably) linked to hackers with ties to the Kremlin.

Back in 2008, it was estimated that 140 states have cyber programmes. That number is no doubt larger now. And here’s the thing: there are no norms or conventions governing cyberwarfare. The game has 140 players, and no one has written the rules.

What counts as a weapon?

For its part, the United States has published a “cyberspace strategy” outlining how it would respond to such an attack – saying that “We reserve the right to use all necessary means – diplomatic, informational, military and economic – as appropriate and consistent with applicable international law in order to defend our nation, our allies, our partners and our interests.”

We’ve arguably already seen this doctrine in action. Last Christmas Sony Pictures was subject to a devastating hack which leaked internal emails and unreleased films. Blame was placed with North Korea – which was upset with the comedy film The Interview – the premise of which was the assassination of Kim Jong Un. In response, North Korea was essentially entirely cut off from the internet in a mysterious counter-hack – the speculation being it was the US government’s not-so-subtle response.

But the cyber strategy is essentially a platitude. The problem with cyberwarfare (other than the sad fact that “cyberwarfare” has become the accepted name for the phenomenon) is that there are no rules. And rules are important if we don’t want every cyberthreat to risk spiralling out of control.

There is, as of yet, no common agreement on many questions – and scholars grappling with existing laws both international and national are essentially struggling with statutes and conventions that are ill-equipped to deal with such a new paradigm.

For example, Article 51 of the UN Charter affirms the right of member states to individual or collective self-defence in the event of an “armed attack” – but this leaves “armed attack” loosely defined. If one nation were to remotely disable another’s defence systems, leaving it vulnerable, would this constitute an “armed attack”? Would launching a missile in response be justified?

Essentially, understanding cyberwarfare through the lens of existing laws and treaties is a hotly contested game of analogies. Are computers and networks “weapons” if they are used to launch a distributed denial-of-service attack, just as an aeroplane becomes a weapon when hijacked by terrorists? Is the state an attack is launched from, or the state through which data passed, complicit in any attack by non-state actors? Or should the networks on which the internet exists be treated as a global commons, analogous to international waters?

Soldiers and Civilians

Unlike in a traditional so-called “kinetic” war (one fought with tanks and bombs), the ‘combatants’ on either side tend to be private individuals and private organisations – not direct agents of the state. In a fascinating paper by Susan Brenner and Leo Clarke, the authors outline how existing laws (not to mention the Geneva Convention) break down in cyberspace, and how a future military challenge will be for the state to take command and control of IT workers and telecommunications systems when engaging in cyber-defence.

Given that otherwise civilian systems are integral to waging cyberwar, would it be just to attack civilians? As the fourth Geneva Convention, which deals with civilians, was written decades earlier, it doesn’t really weigh in on, say, whether leaking private email correspondence to undermine morale would be jus in bello.

Non-State Actors

The broader problem is also hiding in plain sight and is one we have encountered before: Non-State Actors. Just like the post-9/11 discussions around terrorism, with cyber there is a breakdown between what is the domain of “military” and what is the domain of “law enforcement”.

Think about all of the cyberattacks which have hit the news in recent years. Sure, some have been attributed to states, but many turn out to be small groups or individuals. When 157,000 customer records were stolen from TalkTalk in October, the people arrested after were teenagers (the case is on-going). Some of Anonymous’s top operatives appear to be barely out of school.

Treating cyberattacks as a crime issue makes sense in countries that cooperate – but what if the hacks were from a hostile state? No matter how nicely President Obama asks, it is unlikely that North Korea will hand over the Sony hackers. This means the choice is either do nothing, and risk the same happening again, or a “military” style response against the host government. Presumably the supposed American response to the North Korean hack described above was not to punish the specific individuals responsible, but was an attempt to coerce the North Korean government to stop or prevent any similar future attacks.

What to do?

So we’ve admitted that nobody really knows what they are talking about, and we have analysed the problem: That this vacuum leaves space for potentially tense international awkwardness and escalation. So what can we do? Do we need a new Geneva Convention or Peace of Westphalia for Cyberwar?

Curiously, the countries pushing for such a convention are not the ones you might expect. In 2011, Russia and China teamed up with international power-players Tajikistan and Uzbekistan to draft a UN Assembly resolution calling for such an agreement. According to Louise Arimatsu, who wrote a paper for Chatham House on the subject, the reason these states are so keen on such an agreement is because it would give them a stronger hand domestically when it comes to controlling the internet.

Binding international rules would also be in the interests of these countries because they could short-circuit any assumed American advantage when it comes to technical disparity with the United States and European powers. Even if the US retained any “cyber weapons”, if they were outlawed by international convention using them would undermine the legitimacy of any actions, just as spraying mustard gas (banned since 1925) would do today.

The US meanwhile has been broadly (if not loudly) opposed for exactly the opposite reasons. It would be tantamount to giving up a competitive advantage. There are also concerns over how such rules would impact American espionage. Unlike in the real world, where there is an implicit, if not explicit, separation between espionage and acts of war, cyberwar once again blurs the distinctions. If breaking into an enemy’s computers is how 21st century spy work is done, it would suit the US not to have to worry about international law every time it does it.

According to Arimatsu’s paper too, legal wonks on both sides are conflicted as to whether any new agreements would be better derived from a formal document, or whether it would be better to let the rules evolve organically over time by convention.

So in attempting to forge any new international agreement, the incentives are not aligned, suggesting that any agreement is unlikely to happen any time soon.

In any case, even if they could get this far, the practical steps involved in any agreement seem insurmountable too. Nuclear weapons were tamed in the 1980s by arms control treaties and the epigram “trust, but verify”. How this would work with cyber is anyone’s guess.

Unknown unknowns

So this is where we are with cyberwarfare. To paraphrase a former US Defense Secretary: There are “known knowns” – the things about cyber that we know. There are “known unknowns”: As described above, there are many things we know that we do not yet know about how we will govern cyberwarfare in the future. And finally, there are no doubt many “unknown unknowns” too – things we do not yet realise that we do not know. I just hope that until the world has figured out how to tame it, we take into account one other lesson from Donald Rumsfeld before engaging in cyberwar: It's easier to get into something than to get out of it.