The world needs a digital Geneva Convention to fight cyber attacks

Scott Gilmore: The damage from cyberattacks is real, and the threat risks escalating into lethal conflicts

Screenshot of live cyber attack tracking throughout the world. (FireEye)

Imagine a medieval knight charging across the battlefield on his warhorse, visor down, lance lowered. He was the M1 tank of his time, and just as costly. In order to afford the horses (there had to be several spares), the squires, food to feed them all, his weapons and of course his shining armour, a knight required an estate with up to 500 serfs working the soil. And, like a modern tank, he was critically important in any campaign. Clad in over 100 lb. of steel and riding a destrier that weighed more than a ton, the knight was an unstoppable force that could break the strongest line of defence.

Then, in the 11th century, a few small technical changes were made to the crossbow. These added a little more power to the bolt, just enough to pierce plate armour. Suddenly, our charging knight is crashing into the mud with a bolt through the chest, fired by a serf standing 300 yards away.

Not long after, in 1096, Pope Urban II issued a papal decree banning the crossbow. The pope was not motivated out of particular concern for the horrifying wound a bolt could make, but because it threatened to dramatically destabilize the balance of power. If untrained peasants, armed with cheap crossbows, could kill a knight, then suddenly the wealthiest kingdoms were vulnerable to threats from the poorest, which made conflict far more likely.

This fear of the instability created by a new technology is what has motivated most of the arms control conventions in history. For example, in 1675, the Strasbourg Agreement prohibited poison-tipped bullets. After the First World War, the Geneva Protocol banned biological and chemical weapons. In 1967, the Outer Space Treaty forbade placing atomic bombs in orbit. Today, we face a new technology, one that is dramatically destabilizing the world: cyberattacks. It may be time for a digital disarmament treaty.

In 1970, a computer technician named John Draper committed one of the first cyberattacks when he used a plastic whistle that came in a Cap'n Crunch cereal box to mimic the tone that opened up a trunk line on payphones, giving himself 75 cents' worth of free long-distance calls. And last year, cyberattacks like the one that recently compromised the credit reporting firm Equifax caused trillions of dollars in damage to the global economy. The size, frequency and impact of these attacks are increasing at an exponential rate.

But the most troubling part of cybercrime is how it has been enthusiastically embraced by states. Countries that cannot project power by conventional means, such as Russia, North Korea and Venezuela, are waging a digital war, and they are causing real damage. For example, in December 2015, the Russian government attacked the Ukrainian electricity grid—not with rockets, but with phishing emails and viruses. But the impact was the same: a quarter of a million people were left without power. In fact, in some cases, the damage caused by a digital attack far surpasses that done by conventional weapons. Consider the Russian destabilization of the American political system.

The potential damage of cyberwarfare is growing as more states create their own capabilities, and as the global economy becomes more digitized. Some experts are warning that the growth of the “internet of things,” which connects even small household appliances to the internet, is creating massive new vulnerabilities to domestic infrastructure, the equivalent of allowing the Russians to park an artillery brigade on the outskirts of Denver.

What is more worrying, though, is the risk that these digital attacks will boil over into conventional or even nuclear war. How would Washington respond to a North Korean virus that shut down infrastructure in the United States? Or an Iranian attack on their air traffic control systems? We don’t know. And that’s the risk. Belligerents are launching assaults without understanding what they may provoke.

There have already been some diplomatic efforts to control cyberattacks. Twenty-five of the United Nations’ 193 member states convene on a regular basis to flesh out some basic principles of détente. But these are both non-binding and somewhat vague. There have also been some bilateral agreements, such as a recent accord between Beijing and Washington to stop the cybertheft of intellectual property.

In spite of these nascent efforts, the threat of cyberattacks continues to grow. Which is why Microsoft made a bold proposal earlier this year to establish a digital Geneva Convention. The original treaty set binding requirements on the treatment of prisoners of war and non-combatants. What Microsoft is proposing would completely ban nations from conducting cyberattacks and establish a neutral international body that would investigate and attribute attacks that do occur.

So far, there has been no serious reaction from governments, including Canada's. Nonetheless, the need is obvious. Right now, nation states feel free to attack anything—power grids, credit card companies, payroll systems—without much fear of reprisal. The damage is real, and the threat is creating new uncertainties and risks escalating into lethal conflicts. Pope Urban II feared this type of instability, and we should too.


  1. And yet here we are buying conventional WWII weapons…however a missile is as useless as a horse.

  2. The US is the biggest cyber attacker.

    They demand compliance to spy on allied nations' citizens and to a lesser degree their own.

    Snowden, Assange and others are heroes of the people.

  3. What right exactly would this Geneva convention ostensibly protect, lying?

    All this brouhaha over Russian involvement is either about them acquiring and sharing the truth about Hillary emails or taking out pro Trump ads.

    If it’s about privacy, what about ours?

  4. Interesting article.

    It really raises a lot more questions than it answers though. I wouldn’t exactly consider Russia to be a country that “cannot project power by conventional means…” Nor the United States, and we’re all aware of the major role that hacking played in the US working to delay and destabilize Iranian and North Korean nuclear programs.

    Which begs the question: What are the implications of weaponized hacking? What would be the implications of a ‘Geneva Convention’ against it? One notes that Pope Urban’s decree didn’t prevent the spread of the crossbow, and that spread – plus the spread of other weapons, such as longbows and later gunpowder weapons – by destroying the martial dominance of the armored knight also helped to end the political and economic dominance by the feudal class. How might the last decade have played out in the absence of the ability of the US and others to disrupt the Iranian and North Korean nuclear programs by remote control? Might it have involved one or more invasions to accomplish the same ends?

    Given the ability of actors to hide their tracks, I’m wondering if a cyber ‘Geneva Convention’ would end up as a mechanism that would hamstring primarily western and democratic governments, while having no impact on the actions of rogue states, let alone non-state actors. I think a lot of thought needs to go into considering the likely outcomes of such an agreement.

  5. We could also ban unicorns at the same time: and fine them if they show up anywhere on the planet. This would be as effective a strategy to crack down on the unicorn problem as attempting to ban cyber attacks would be. “Journalism” has become such a joke. No wonder so many are abandoning mainstream media journalists: their gibberish is insulting to intelligent people.
