The world badly needs a cyber-warfare truce - what are the chances?

By Denis Pombriant, February 23, 2018
Cyber warfare is combat on the cheap, writes Denis Pombriant, as he sets out the case for an international truce to limit the scope for cyber attacks

Disruptive technological innovations diffuse and reach saturation points in several ways. Often the innovation attracts competition and then sparks price wars or feature function wars — or both — that can lead to margin erosion and commoditization. Another aspect of some disruptions can be international competition and excessive friction between nations. For example, during the Industrial Revolution textile manufacturing conferred such a competitive economic advantage to nation states that those in possession of the technology (for example, Britain) often went to great lengths to prevent emigration of people with that knowledge.

We’ve reached an analogous point in the information revolution as it closes in on its fiftieth birthday. Having and manipulating information to national advantage has become a more powerful capability than conventional weapons and for good reason.

Cyber warfare is combat on the cheap. People don’t usually die in cyber war, at least initially, and the weapons are so inexpensive that tiny countries like North Korea can take on great powers like the US on equal footing — as the Sony Pictures hack of a few years ago shows. The potential damage from a cyber attack can be severe, as documented in this CNET report on the release of last year’s UN Global Cybersecurity Index:

As cyberattacks grow more sophisticated and capable of knocking down power grids, locking up hospitals and robbing companies, online security has become a major concern for national defense.

The scope of the cyber-warfare problem

All countries have taken advantage of cyber warfare for various ends that the parties can easily justify. For instance, the US attacked Iran’s uranium processing centrifuges with the Stuxnet worm to slow its production of fissile material. We don’t even need to go into the Russian hack of the 2016 US election — for more information you can always read the Mueller indictments. Finally, many US companies in Silicon Valley and even the armed forces have reportedly been victims of Chinese data pilfering.

So cyber aggression is already a big deal and it’s not likely to go away on its own. Neither can we ignore that many cyber attacks have a tinge of warfare about them. Under other circumstances, if a foreign adversary penetrated sovereign territory and destroyed vital infrastructure or stole valuable materials, those acts could be construed as warfare and countermeasures would be justified. On the flip side, business partners don’t make a habit of stealing from each other.

Unfortunately, the world community doesn’t have a great track record in preempting such scenarios. Nations have historically committed to defensive alliances as a means of warding off potential attacks. The thinking was that the retaliation would be so devastating that it would cause all parties to think twice before committing belligerent acts. One of the most spectacular failures of this thinking was World War I, which spawned World War II.

Since those times the world community has done a better job of building international organizations and adjudicating bodies aimed at preventing such calamities, but the record is far from perfect. The US is among a small group of countries that still starts wars, for instance, albeit with specific aims and limitations, but the track record is that it’s much harder to end a war than to start one.

The need for a cyber-warfare truce

With all that as prelude, we should consider developing international organizations and protocols that stem the proliferation of hostile acts of information terrorism. As UN Secretary General Antonio Guterres said just this week in calling for rules to limit cyber warfare:

I am absolutely convinced that, differently from the great battles of the past, which opened with a barrage of artillery or aerial bombardment, the next war will begin with a massive cyber attack to destroy military capacity ... and paralyze basic infrastructure such as the electric networks.

Because of the scope of damage it could inflict, this might amount to an attack with weapons of mass destruction (WMD), even if few people would initially be killed. Worse, such an attack could easily escalate to using real WMDs, which might look like a rerun of the lead-up to WWI.

No protocol can be fail-proof, especially if some parties refuse to adhere to its spirit. But having agreements and structures in place makes it easier to identify wrongdoing. With that, individual countries could, at their discretion, nullify trade agreements, for example, or other mutually beneficial covenants in retaliation. Since the purpose of cheating is in many cases to improve one’s competitive position, such approaches could place unacceptable penalties on perpetrators and help control the problem without shooting.

My take

We’re in uncharted waters here.

In today’s world, the opposition to a cyber treaty is comprised of exactly those countries that have the most to gain from this form of war on the cheap — Russia, China, and Cuba. Russia and China are no match for the fire power of the West despite the fact that they are both nuclear powers. The US alone spends eight times as much on defense as the next 10 countries. So it makes sense these countries would oppose curbs on cyber war. Last year, long-running UN-sponsored negotiations broke down along precisely those lines:

Thirteen years of negotiations at the United Nations aimed at restricting cyberwarfare collapsed in June [2017], it has emerged, due to an acrimonious dispute that pitted Russia, China and Cuba against western countries.

This should be unacceptable.

By mid-century there could be half a trillion Internet-connected devices, many running vital infrastructure without direct human control and open to the possibility of hacking. The threat of people or nations acting with malevolent intent to control these devices, especially moving or flying devices, poses an unacceptable risk to global society and the time to prevent that scenario is right now.

In the twentieth century the international community, sensing a common need, worked to make war less cruel by imposing mandatory approaches to handling prisoners captured on the battlefield via the Geneva Conventions. They also outlawed some weapons of mass destruction like chemical and biological weapons. Also, the nuclear powers have until recently been moving in the direction of limiting stockpiles and reducing the risk of nuclear exchanges.

Cyber seems to be the new weapon of choice and there are good reasons already noted for nations to use it because it confers an asymmetric advantage. But war should be a last resort not a hobby. With so much riding on information technology today, and a forecast of even greater reliance on it in the future, it makes abundant sense that we move to neutralize the threat of cyber war now.