In my previous article on whether there should be a cyberwar treaty, I argued that Cyberwar wasn’t like other types of conflict, and that it wasn’t likely that a treaty would ever happen.
Being a lawyer, I like to play devil’s advocate, so here’s a different perspective.
Jeffrey Carr, in his new edition of “Inside Cyber Warfare” says that there are currently 28 nation states that have cyber warfare capabilities. Does the rapid spread of Cyber Warfare capabilities mean that there should be a treaty? There are major differences in how Cyber conflicts would take place versus other types of conflicts. For example, unlike physical confrontation, any Nation in the world can attack any other Nation directly or indirectly. In addition, rogue political parties or factions within a nation can take actions that don’t necessarily represent the country’s views as a whole. Do the different dynamics of Cyber Warfare warrant a treaty? Does the amount of damage that can be caused by Cyber Warfare relative to the cost of hacking warrant a treaty?
How do we distinguish between Cyber Crime and Cyber Terrorism or Cyber Warfare? I think this is where progress is most likely to be made with any Cyber Treaties. In order to successfully track the global criminal, there needs to be a global network of cooperation between legal systems on a scale that doesn’t exist today. After 6,000 credit cards were stolen, the Israeli Government declared that this was an act of terrorism. Is that an overreaction? Should the Israeli Defense Forces respond by hacking the hacker?
Shouldn’t we be focusing on prevention? How much is law enforcement willing to engage with businesses and individuals to protect their information? How do we know when an incident of hacking should be escalated from being a law enforcement matter to being a national security matter?
Cyber Criminals can automate crime. They can commit hundreds of crimes per second, and in fact they can perpetrate multiple of types of crimes all at the same time. Law Enforcement can’t automate catching criminals, prosecuting them, or incarcerating them. This is necessarily done one criminal at a time. Law Enforcement will always be slower than Cyber Criminals.
There are other types of warfare that do have treaties. The Geneva Convention covers many aspects of physical confrontation, but there has never been a formal international espionage treaty, which Cyber Warfare is more analogous to. This isn’t to say that this isn’t a great time to start.
One might ask, what other organizations are there that the 28 Cyber Warfare Club members already belong to? Interpol is one example. InterPol, has a staff of about 600 and a budget of 80 million. In contrast, the FBI has a staff of 35,500 and a budget of 8 billion. To me, this means by necessity, cybercriminals will go global to reduce their risk from being caught domestically by the biggest law enforcement agency in the world.
The lowest hanging fruit for a Cyber Security Treaty, then, is probably Cyber Crime, not Cyber Warfare. Countries could coordinate their Cyber Crime efforts, which makes a lot of sense, especially in a global economy.
A Cyber Warfare treaty could address analogs in Cyber Security similar kinds of things that are already addressed in the Geneva Convention. For example:
- Cyber Attacks should not be targeted at activities that kill non-combatants (like targeting commercial airlines.)
- Cyber Attacks should not deprive individuals of a fair trial if accused of a war crime.
- Cyber Attacks should not target Hospitals.
- Cyber Attacks should not target biological or nuclear weapons storage facilities.
Even these few examples create their own problems, however. What if, for example, a Nation State attacks a biological weapons or nuclear weapons production facility (as was the case with Stuxnet)? Does this actually help enforce the Geneva Convention? What if there is a danger to civilians around where these facilities are located?
At least one Cyber Warfare treaty was created last year. The ANZUS treaty between Australia and America was extended to include Cyber Attacks. If one country is attacked, then it is considered to be an attack on both. It might be likely that other alliances will consider similar extensions this year (NATO, the UN, etc.).