.
JOHANNESBURG — As Western governments look for ways to punish Russia for its brazen attacks abroad, one idea that has been getting a lot of media attention is the possibility of state-sponsored cyberattacks on Russia. Cyber operations may well be one of the most effective tools left in a depleted foreign policy toolbox but we cannot afford for rights and freedoms to become collateral damage in the new cyber arms race. We urgently need new norms and conventions that will protect civilian interests: a Geneva Convention for the digital world.
The Geneva Conventions are a set of rules that seeks, in times of armed conflict, to protect civilians who are not participating in the hostilities. There is no denying that the internet has become the new frontier for waging war, especially for countries like Russia and North Korea who are frustrated by limits on projecting their conventional power and by non-state actors wanting to exploit the asymmetries of power in the digital era.
Russia’s preparedness to use cyber means was best demonstrated in the 2016 U.S. elections and the Brexit referendum. But while it could be argued that these attacks did not resemble war or incur casualties, Russia’s attack on the Ukrainian electricity grid in 2015 with phishing emails and viruses left hundreds of thousands without power.
Naturally, those on the receiving end are keen to defend themselves but now they are already building offensive capacity. Indeed, cyber operations may well be one of the tools from the ‘full breadth of our National Security apparatus’ that Prime Minister Theresa May mentioned in her statement to the British parliament in March, as the response to the attempted murder of former Russian spy, Sergei Skripal. We know the UK has been investing in a National Offensive Cyber Programme that would “deploy offensive cyber capabilities as an integrated part of operations” and been part of plans to give NATO a more offensive role.
Yet, not only are these activities covert but the rules governing them are unclear or do not exist. This has to end. Just as the Geneva Conventions were instrumental in curbing the worst excesses of war in the 19th and 20th centuries, we need new rules of engagement in the 21st century that protect rights, freedoms, and civilians.
The promising news is that this issue is being taken seriously by some tech leaders, notably Brad Smith, President of Microsoft, who has recently called for a new Convention that bans states from conducting cyberattacks and the creation of a neutral international body that would investigate and attribute attacks that occur. This is welcome, especially given that any intervention in this area will need the cooperation of key private sector internet and technology companies, but it is critical that this process is led by genuine multilateral process. While public-private cooperation will be critical, we cannot afford this to be led by powerful companies with clear vested interests. And given this is also about creating a new set of norms for a digital era, it should also be grounded in genuine citizen participation.
It is also encouraging to see some diplomatic efforts to control cyberattacks, including regular meetings by a small group of UN member states and some bilateral agreements around cybercrime. However, these attempts have dealt with vague principles from legally binding commitments. We need a global response based on international law.
There is no underestimating how difficult these issues here are. Much of what goes on and how it is policed will inevitably be covert. Tracing who was responsible for cyber-attacks—let alone linking them to state authorities—will be extremely difficult. The nerve agent allegedly used in the Salisbury attack was apparently traced to the Russian state lab but in the internet era threats will be dispersed and far harder to trace.
But this shouldn’t stop us from trying. A new digital Geneva Convention may not stop new forms of attacks but it will be critical in several ways. For a start, it will define what is considered as unacceptable, fleshing out what (if any) moral consensus there is. It will also give us a legal basis to respond to those who do breach these norms, not just with mischievous states but also to create obligations on big internet companies and in policing cyber-criminals. It will also help guide the actions of those who may mean well but whose actions may create a dangerous race to the bottom.
And progress here will be a critical first step to addressing a greater set of challenges around digital freedoms. In 2018, we’re only just beginning to understand how the digital revolution will alter the make-up of our societies and lives. We need to be asking ourselves what a free society actually looks like in a digital world and what forms our democratic rights take online. It’s no longer just our right to assemble peacefully offline that needs to be protected, it is also our right to assemble and mobilize online. Much of the encryption that currently protects our privacy online looks set to be invalidated by the development of quantum computing.
Many might think that this is naïve wishful thinking when the internet feels like the Wild West—cyber criminals, state-sponsored hackers, unregulated private interests—but we have no option but to try to bring principle-based order to this chaos. Yes, Iran and North Korea have thumbed their nose on nuclear conventions and yes, Russia seems to have breached the chemical warfare principles, but in each of these cases it has helped to have a set of legal norms to fall back on.
Russia may be showing that it is not interested in international laws and norms but that shouldn’t be an excuse for those of us who claim to be civilized to throw out our own values and principles. Many argued that the current Geneva Conventions would have been impossible to achieve, let alone police and yet they are held up as one of the greatest achievements of modern humanity. As cyberwarfare becomes a new reality, we need a new set of rules.
About the author: Dr. Dhananjayan Sriskandarajah is Secretary General of CIVICUS, the global civil society alliance.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.
a global affairs media network
Why We Need A Digital Geneva Convention
United Nations offices in Geneva with county flags
April 23, 2018
JOHANNESBURG — As Western governments look for ways to punish Russia for its brazen attacks abroad, one idea that has been getting a lot of media attention is the possibility of state-sponsored cyberattacks on Russia. Cyber operations may well be one of the most effective tools left in a depleted foreign policy toolbox but we cannot afford for rights and freedoms to become collateral damage in the new cyber arms race. We urgently need new norms and conventions that will protect civilian interests: a Geneva Convention for the digital world.
The Geneva Conventions are a set of rules that seeks, in times of armed conflict, to protect civilians who are not participating in the hostilities. There is no denying that the internet has become the new frontier for waging war, especially for countries like Russia and North Korea who are frustrated by limits on projecting their conventional power and by non-state actors wanting to exploit the asymmetries of power in the digital era.
Russia’s preparedness to use cyber means was best demonstrated in the 2016 U.S. elections and the Brexit referendum. But while it could be argued that these attacks did not resemble war or incur casualties, Russia’s attack on the Ukrainian electricity grid in 2015 with phishing emails and viruses left hundreds of thousands without power.
Naturally, those on the receiving end are keen to defend themselves but now they are already building offensive capacity. Indeed, cyber operations may well be one of the tools from the ‘full breadth of our National Security apparatus’ that Prime Minister Theresa May mentioned in her statement to the British parliament in March, as the response to the attempted murder of former Russian spy, Sergei Skripal. We know the UK has been investing in a National Offensive Cyber Programme that would “deploy offensive cyber capabilities as an integrated part of operations” and been part of plans to give NATO a more offensive role.
Yet, not only are these activities covert but the rules governing them are unclear or do not exist. This has to end. Just as the Geneva Conventions were instrumental in curbing the worst excesses of war in the 19th and 20th centuries, we need new rules of engagement in the 21st century that protect rights, freedoms, and civilians.
The promising news is that this issue is being taken seriously by some tech leaders, notably Brad Smith, President of Microsoft, who has recently called for a new Convention that bans states from conducting cyberattacks and the creation of a neutral international body that would investigate and attribute attacks that occur. This is welcome, especially given that any intervention in this area will need the cooperation of key private sector internet and technology companies, but it is critical that this process is led by genuine multilateral process. While public-private cooperation will be critical, we cannot afford this to be led by powerful companies with clear vested interests. And given this is also about creating a new set of norms for a digital era, it should also be grounded in genuine citizen participation.
It is also encouraging to see some diplomatic efforts to control cyberattacks, including regular meetings by a small group of UN member states and some bilateral agreements around cybercrime. However, these attempts have dealt with vague principles from legally binding commitments. We need a global response based on international law.
There is no underestimating how difficult these issues here are. Much of what goes on and how it is policed will inevitably be covert. Tracing who was responsible for cyber-attacks—let alone linking them to state authorities—will be extremely difficult. The nerve agent allegedly used in the Salisbury attack was apparently traced to the Russian state lab but in the internet era threats will be dispersed and far harder to trace.
But this shouldn’t stop us from trying. A new digital Geneva Convention may not stop new forms of attacks but it will be critical in several ways. For a start, it will define what is considered as unacceptable, fleshing out what (if any) moral consensus there is. It will also give us a legal basis to respond to those who do breach these norms, not just with mischievous states but also to create obligations on big internet companies and in policing cyber-criminals. It will also help guide the actions of those who may mean well but whose actions may create a dangerous race to the bottom.
And progress here will be a critical first step to addressing a greater set of challenges around digital freedoms. In 2018, we’re only just beginning to understand how the digital revolution will alter the make-up of our societies and lives. We need to be asking ourselves what a free society actually looks like in a digital world and what forms our democratic rights take online. It’s no longer just our right to assemble peacefully offline that needs to be protected, it is also our right to assemble and mobilize online. Much of the encryption that currently protects our privacy online looks set to be invalidated by the development of quantum computing.
Many might think that this is naïve wishful thinking when the internet feels like the Wild West—cyber criminals, state-sponsored hackers, unregulated private interests—but we have no option but to try to bring principle-based order to this chaos. Yes, Iran and North Korea have thumbed their nose on nuclear conventions and yes, Russia seems to have breached the chemical warfare principles, but in each of these cases it has helped to have a set of legal norms to fall back on.
Russia may be showing that it is not interested in international laws and norms but that shouldn’t be an excuse for those of us who claim to be civilized to throw out our own values and principles. Many argued that the current Geneva Conventions would have been impossible to achieve, let alone police and yet they are held up as one of the greatest achievements of modern humanity. As cyberwarfare becomes a new reality, we need a new set of rules.
About the author: Dr. Dhananjayan Sriskandarajah is Secretary General of CIVICUS, the global civil society alliance.
The views presented in this article are the author’s own and do not necessarily represent the views of any other organization.