By Emily Kabeshita
In the past year, reports of cyberattacks have dominated news headlines around the world. Americans watched as the hacks during the 2016 U.S. presidential race threatened their basic sense of democracy, while ransomware attacks like NotPetya, which cost German production firms millions of euros in damage, and WannaCry, which shut down hospitals, energy plants, and businesses across Europe and Asia, have brought fear to many governments and civilians. [i]
In response, current Microsoft president Brad Smith has proposed a “Digital Geneva Convention” to bring governments and the tech sector together to protect civilians from nation-state cyberattacks. [ii] Consisting of six statutes — which include prohibiting the targeting of tech companies, the private sector, and critical infrastructure, exercising restraint and non-proliferation in cyber weapon development, and more — the ambitious proposal has received support as a countermeasure to the growing cyber conflict that is expected to cost businesses and governments $3 trillion by 2020. [iii]
Individual countries’ shortfalls in risk management and mitigation should be a big reason for concern. In the U.S., for example, the eight months that it took Homeland Security to merely confirm that election systems in 21 states were targeted by hackers last fall exposed deficiencies in transparency, timely response, and standardized cyber protocols across the government. [iv] Additionally, the WannaCry attack developed from stolen NSA cyber weapons — another incident shrouded in secrecy — has called the integrity of U.S. cyber security into question.
Some IT security professionals tout the ability of the proposed Digital Geneva Convention treaty to effect change on a global scale. Founder and CEO of Russian IT security company Kaperskey Lab, Eugene Kaperskey, ardently supports the treaty for this reason, stating that “Microsoft’s proposal, in focusing on the protection of civilians is a viable way forward… Any use of cyber weapons against civilian infrastructure and critical industries should be absolutely off-limits for any responsible member of the international community; just as chemical weapons are.”
But such a treaty would face major challenges, which previous humanitarian efforts can help illuminate. In a study of the original Geneva Conventions and the International Committee of the Red Cross conducted across 72 countries from 1989 to 2004, it was determined that international humanitarian laws and organizations weaken over time, do not reduce civilian deaths, and depend heavily on “naming and shaming” to enforce accountability. Countries like Syria have demonstrated this, as respect for international decorum has not deterred them from going against the Geneva Conventions and engaging in chemical warfare and civilian carnage.
Accountability in cyberspace may prove even more difficult. According to Jason Healy, a senior research scholar at Columbia University, the nature of cyberspace makes it difficult to distinguish between defensive and offensive cyber operations; and dangerous cyber weapons can not only be stockpiled, but also used in “non-attributable” ways, meaning that attacks can’t be accurately traced back to a perpetrator. These are all major challenges to determining if an offense was committed, assigning blame, and imposing sanctions, and it’s not clear how a broad treaty could be enforced in this environment. As the U.S. State Department’s outgoing coordinator for cyber issues, Chris Painter, puts aptly: “Let’s not try to rush into a treaty that would take years and we’re not really even sure what that’s about.”
Perhaps more challenging, however, would be a treaty that frames the cyber conflict as being on the brink of full-on cyberwar and causes countries to take up drastic defense measures. Given the capability of governments, like Russia and China, to use surveillance and censorship as a means to deter cybercrime, cyber experts like Alex Klimburg, program director at the Hague Center for Strategic Studies, warn that the web may become a domain of restricted expression and information. Klimburg worries that by framing cyberspace “as a place of conflict, we will effectively see a trend developing amongst Western governments that questions how the Internet is currently managed….And we have to take extraordinary care that authoritarian interests don’t gain more than a toehold in this domain.” If the web is to remain a universal, common good, these are challenges that must be fully weighed.
Given the difficulties posed by an international cyber treaty, countries would do well to consider an alternative approach. States can greatly reduce their vulnerability to cyber threats by prioritizing and standardizing good cyber hygiene — best practices in risk prevention and incident response — across public and private sector networks.
In a panel discussion on international cyber defense, former Deputy Secretary of Homeland Security Jane Holl Lute stated that the most determined hackers will find a way into any system — no matter how secure. However, basic preventative defense measures that comprise good cyber hygiene, states Lute, can stop 80 to 90 percent of attacks, allowing governments to dedicate more time and resources towards the remaining 10 percent.
Effective change in cyber norms could be implemented and incentivized on a state-by-state basis, such as via the Promoting Good Cyber Hygiene Act, a bipartisan bill introduced in U.S. Congress last month. Working alongside the National Institute of Standards and Technology and tech companies, the act would establish and continually update [v] voluntary cybersecurity standards for public and private-sector networks, as well as direct the Department of Homeland Security to further study cyber threats and vulnerabilities.
With incremental steps and individual commitments to good cyber hygiene, governments, businesses, and people worldwide can establish firm foundations in cybersecurity; and as the cyber conflict continues to evolve, such foundations will allow the U.S. and international community’s to better understand, adapt to, and confront changing cyber threats.
Emily Kabeshita is an intern at the Stimson Center.
[i] Shalal, Andrea. “Germany Says Cyber Threat Greater than Expected, More Firms Affected.” Reuters, Thomson Reuters, 7 July 2017, www.reuters.com/article/us-cyber-attack-ukraine-germany-idUSKBN19S1EU.
[ii] Smith, Brad. “The Need for a Digital Geneva Convention.” Microsoft on the Issues, Microsoft, 14 Feb. 2017, blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/.
[iii] Smith, Brad.
[iv] Kopan, Tal, and Marshall Cohen. “State Election Officials Express Frustration after Meeting Feds.” CNN, Cable News Network, 8 July 2017, www.cnn.com/2017/07/08/politics/nass-conference/index.html.
[v] Chalfant, Morgan. “Senators Introduce ‘Cyber Hygiene’ Bill.” The Hill, Capitol Hill Publishing Corp., 29 June 2017, thehill.com/policy/cybersecurity/340160-senators-introduce-cyber-hygiene-bill.