Giving Cyberwar a Geneva Convention
By: Joshua Stanley
There has been no shortage of cyberattacks against the US filling up the news headlines over the last several years, from the Office of Personnel Management hack to the interference with the 2016 election and the WannaCry ransomware. In response, the Defense Department (DoD) released the summary for its Cyber Strategy last September, sounding off noble objectives such as defending critical infrastructure, securing DoD information systems, and expanding cyber cooperation with allies and other industry partners, amongst other sweeping aims. There was one troubling subheading, though: “Build a More Lethal Joint Force.” With that kind of language, the need for a binding, international agreement similar to the Geneva Convention for the rules of cyberwar seems as urgent as ever, and such urgency only grows with society’s dependence on the arena in which cyberwar is waged.
Current US military doctrine defines offensive cyber operations as those with the intent to project power by applying force in and through cyberspace via actions disrupting or destroying its intended projects. Tactics and methods for applying such force will be developed with increased speed now that the government is shifting its focus from cyber-defense to a more aggressive posture, as outlined in the Cyber Strategy. Unfortunately, this is essentially where the doctrine for cyberwarfare ends, as it is not nearly as defined as that reigning over conventional conflicts waged on the surface. Fomenting this cyber chaos is debate on Capitol Hill about how best to divide the cyberwar duties between the Department of Homeland Security, DoD, FBI, and NSA. An ill-defined doctrine implemented by a disorganized security apparatus is bound to execute disastrous maneuvers on the binary battlefield.
The international legal community has long recognized this unacceptable void of law and order, but has struggled to respond effectively with clear-cut definitions, thresholds for actual cyber war, and stalled efforts for UN agreements. The Tallinn Manual on the International Law Applicable to Cyber Warfare has proven to be the most comprehensive private international effort to codify law on the matter, as it utilizes traditional law of war treaties like the Geneva Convention and subsequently translates relevant principles to the realities of our digital age. However, even the recent update (at over three hundred pages) has yet to be formally adopted by a state actor and instead there has been a troubling trend of analysts extending its scope far past the limits of warfare it originally intended.
Not to be outdone, the technological industry is as concerned about cyberwarfare as the legal community, if not more so, and it is proving so with committed efforts to instill order. Microsoft has spearheaded these efforts, working with other tech companies on two projects: the Cybersecurity Tech Accord and the Digital Geneva Convention. The Tech Accord consists of participating companies pledging to adhere to a number of shared principles for protecting their collective users and customers, thereby improving the “security, stability, and resilience of cyberspace.” The Digital Geneva Convention initiative is government-centric, aiming to legally compel states to limit their actions in peace time. But again, these noble efforts are hamstrung by debates over definitions, the question of preserving human rights in the war zone of the world wide web, and, perhaps most critically, the growing gulf between Washington lawmakers and Silicon Valley techies that borders on being a national security threat in its own right.
Undeterred, UN Secretary-General António Guterres launched the High-Level Panel on Digital Cooperation last July. Co-chairs Melinda Gates and Jack Ma are leading twenty members of government, the private sector, civic society, academia, and the tech industry to identify policy, research, and information gaps and to make proposals for strengthening international cooperation in digital space. The Panel’s final report is expected sometime this June.
Hopefully, all of these efforts can coalesce into a binding international convention on cyberwarfare honoring the law of war principles of necessity, proportionality of force, and civilian protection. But, if history both ancient and recent are any indication, the gift of such a convention will follow far behind the growing capabilities of cyberwarfare.