This House would create an international treaty/ban on cyber-attacks

Conflict needs to be regulated, and something that can start conflicts even more so. Warfare and conflict is currently regulated by the Geneva Conventions that seek to limit the effects of armed conflict and regulate the conduct of the involved actors.[1] Just as importantly there are rules on what weapons can be used through various treaties that ban weapons such as the Land Mine Ban,[2] and on when a state can legally initiate conflict through the UN Charter.

In just the same way when a new area of potential conflict arises that too must be regulated by treaty. The internet and the threat of cyber-conflict is that new area at the moment. While cyber warfare is not currently a large scale threat it is still a form of conflict that could escalate just like any other - the Pentagon has explicitly stated it could respond militarily to a cyber-attack.[3] As a result it is most sensible to draw up the rules and regulations early, to ensure everyone knows the consequences and prevent damage by making sure that states agree not to engage in offence cyber-attacks against each other.

[1] ‘The Geneva Conventions of 1949 and their Additional Protocols’, ICRC, 29 October 2010, http://www.icrc.org/eng/war-and-law/treaties-customary-law/geneva-conventions/overview-geneva-conventions.htm

[2] ‘Convention on the prohibition of the use, stockpiling, production and transfer of anti-personnel mines and on their destruction’, un.org, 18 September 1997, http://www.un.org/Depts/mine/UNDocs/ban_trty.htm

[3] Brookes, Adam, ‘US Pentagon to treat cyber-attacks as ‘acts of war’’, BBC News, 1 June 2011, http://www.bbc.co.uk/news/world-us-canada-13614125

While there are bans on certain weapons these are because such weapons are considered beyond the pale. This is either because they are horrifying as in the case of nuclear, chemical and biological weapons, or indiscriminate as with land mines. This does not apply to cyber warfare. Other regulations similarly do not provide a good parallel as the Geneva conventions seek to limit the effects of armed conflict a similar treaty is clearly not necessary for cyber-conflict because the effects will already be limited by the type of conflict. Ultimately cyber-attacks are much more akin to espionage and are not regulated because they are small scale, localised, and have limited effects as well as being difficult to trace.

Once a treaty is set up to limit or eliminate cyber-attacks monitoring is unlikely to be a problem because states will be willing to monitor each other. States in order to defend themselves from cyber-attacks already monitor the cyber-attacks that occur – the United States for example already has several cyber defense forces.[1] If that is not enough then there are numerous private groups that will be monitoring cyber-attacks as most are made against corporate rather than government targets. For example private company Mandiant exposed a unit of the People’s Liberation Army for its cyber-attacks in February 2013.[2] Once a cyber-attack has been traced and evidence gathered if the appropriate domestic authorities won’t deal with the culprit then an independent international institution can decide on the punishment for the government that is not living up to its treaty commitments.

If there is a need for international monitoring rather than simply a dispute settlement mechanism then there are models available through current treaties; a UN organisation similar to the International Atomic Energy Agency or International Criminal Court could be set up that can investigate incidents when asked.

[1] US Department of Defense, ‘The Cyber Domain Security and Operations’ http://www.defense.gov/home/features/2013/0713_cyberdomain/

[2] Mandiant, ‘Exposing One of China’s Cyber Espionage Units’, mandiant.com, February 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Not all nations are equal. In an area where high technology is essential rich nations may be able to monitor all cyber intrusions but there will be many countries without the necessary systems. This treaty would therefore in effect be making poor countries without cyber defences into fair game. In theory they would be protected by the treaty, in practice with no monitoring there would be nothing they could do.

Ever since the state rose to ascendancy over powerful internal actors, such as the nobility in a feudal system, the state has had a monopoly on the use of force. The state quickly became the only institution with the resources to maintain military forces and has become the only legitimate wielder of force. The internet however changes this. Cyber-attacks are often by individuals or groups who can carry out a cross border attack without the aid of their home country.

In 2011 CIA director Leon Panetta told Congress “when it comes to national security, I think this represents the battleground for the future. I've often said that I think the potential for the next Pearl Harbor could very well be a cyber-attack.”[1] If cyber-attacks are so important it stands to reason that the groups who are able to engage in such activities should be as limited as possible. While it is not always possible states try to make sure that the weapons of war for the most part remain in the hands of responsible actors. This should apply as much in cyberspace as elsewhere. While terrorist groups do exist – and are occasionally armed by states – for the most part they are seen by every government as being illegitimate.

[1] Serrano, Richard A., ‘U.S. intelligence officials concerned about cyber attack’, Los Angeles Times, 11 February 2011, http://articles.latimes.com/2011/feb/11/nation/la-na-intel-hearing-20110211

While it is true that governments for the most part seek to prevent non-state actors that engage in violence we should not assume that the response will be the same for activities that are not violent. The rise of multinational companies has sometimes (particularly in the 1970s) been mentioned as a threat to the state (particularly poorer states where the MNC may be richer than the state) yet many countries promote their MNCs because they bring them wealth and therefore power.[1] Similarly having non state groups that are able to engage in cyber-attacks bring an advantage to those states that have them as they provide benefits both in conflicts (essentially creating a cyber-militia) and in peace where they engage in espionage so damaging competitors businesses.

[1] Kobrin, Stephen J., ‘Sovereignty@Bay: Globalization, Multinational Enterprise, and the International Political System’, The Oxford Handbook of International Business, 2000, http://scholar.googleusercontent.com/scholar?q=cache:8OQRH9PQoA8J:scholar.google.com

A treaty that bans, or sharply curtails cyber-attacks would benefit every state. Even those who may currently benefit from cyber espionage would be better off signing up to the treaty.

First most cyber-attacks are not carried out by the state even in countries like China where the state is using the internet as an offensive tool. In its annual report to congress the Department of Defence stated some cyber-attacks “appear to be attributable directly to the Chinese government and military” but this does not sound like a majority.[1]

Secondly no state wants a risk of conflict as a result of an unregulated new field of potential conflict. Or even to risk relations with other nations; cyber-attacks in large part go on because they are cost free.

And finally all nations are the victims of cyber-attacks. The United States has repeatedly condemned cyber-attacks against it but China also claims that it is the victim of cyber-attacks. China’s Minister of National Defense General Chang Wanquan says “China is one of the primary victims of hacker attacks in the world.”[2] Having a treaty against cyber attacks would not only make business easier for all countries but it would build up trust between nations where it is currently being eroded.

[1] Office of the Secretary of Defense, ‘Annual; Report to Congress Military and Security Developments Involving the People’s Republic of China 2013’, Department of Defense, http://www.defense.gov/pubs/2013_China_Report_FINAL.pdf p.36

[2] Brook, Tom Vanden, ‘Cyber attack? What cyber attack?’, USA Today, 19 August 2013, http://www.usatoday.com/story/nation/2013/08/19/china-cyber-attack-pentagon/2671579/

It is unlikely that all states would see this as beneficial to them. There will always be some states that benefit more from engaging in cyber-attacks than others – usually the underdog in other areas. If cyber-attacks are an area being used to redress the balance then why should they be willing to restrict their freedom of action? This is why Russia is unwilling to engage in deep cuts in the number of nuclear weapons it has – they are the main area of armaments in which they have an advantage over their potential adversaries.

Conflict needs to be regulated, and something that can start conflicts even more so. Warfare and conflict is currently regulated by the Geneva Conventions that seek to limit the effects of armed conflict and regulate the conduct of the involved actors.[1] Just as importantly there are rules on what weapons can be used through various treaties that ban weapons such as the Land Mine Ban,[2] and on when a state can legally initiate conflict through the UN Charter.

In just the same way when a new area of potential conflict arises that too must be regulated by treaty. The internet and the threat of cyber-conflict is that new area at the moment. While cyber warfare is not currently a large scale threat it is still a form of conflict that could escalate just like any other - the Pentagon has explicitly stated it could respond militarily to a cyber-attack.[3] As a result it is most sensible to draw up the rules and regulations early, to ensure everyone knows the consequences and prevent damage by making sure that states agree not to engage in offence cyber-attacks against each other.

[1] ‘The Geneva Conventions of 1949 and their Additional Protocols’, ICRC, 29 October 2010, http://www.icrc.org/eng/war-and-law/treaties-customary-law/geneva-conventions/overview-geneva-conventions.htm

[2] ‘Convention on the prohibition of the use, stockpiling, production and transfer of anti-personnel mines and on their destruction’, un.org, 18 September 1997, http://www.un.org/Depts/mine/UNDocs/ban_trty.htm

[3] Brookes, Adam, ‘US Pentagon to treat cyber-attacks as ‘acts of war’’, BBC News, 1 June 2011, http://www.bbc.co.uk/news/world-us-canada-13614125

While there are bans on certain weapons these are because such weapons are considered beyond the pale. This is either because they are horrifying as in the case of nuclear, chemical and biological weapons, or indiscriminate as with land mines. This does not apply to cyber warfare. Other regulations similarly do not provide a good parallel as the Geneva conventions seek to limit the effects of armed conflict a similar treaty is clearly not necessary for cyber-conflict because the effects will already be limited by the type of conflict. Ultimately cyber-attacks are much more akin to espionage and are not regulated because they are small scale, localised, and have limited effects as well as being difficult to trace.

Once a treaty is set up to limit or eliminate cyber-attacks monitoring is unlikely to be a problem because states will be willing to monitor each other. States in order to defend themselves from cyber-attacks already monitor the cyber-attacks that occur – the United States for example already has several cyber defense forces.[1] If that is not enough then there are numerous private groups that will be monitoring cyber-attacks as most are made against corporate rather than government targets. For example private company Mandiant exposed a unit of the People’s Liberation Army for its cyber-attacks in February 2013.[2] Once a cyber-attack has been traced and evidence gathered if the appropriate domestic authorities won’t deal with the culprit then an independent international institution can decide on the punishment for the government that is not living up to its treaty commitments.

If there is a need for international monitoring rather than simply a dispute settlement mechanism then there are models available through current treaties; a UN organisation similar to the International Atomic Energy Agency or International Criminal Court could be set up that can investigate incidents when asked.

[1] US Department of Defense, ‘The Cyber Domain Security and Operations’ http://www.defense.gov/home/features/2013/0713_cyberdomain/

[2] Mandiant, ‘Exposing One of China’s Cyber Espionage Units’, mandiant.com, February 2013, http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Not all nations are equal. In an area where high technology is essential rich nations may be able to monitor all cyber intrusions but there will be many countries without the necessary systems. This treaty would therefore in effect be making poor countries without cyber defences into fair game. In theory they would be protected by the treaty, in practice with no monitoring there would be nothing they could do.

Ever since the state rose to ascendancy over powerful internal actors, such as the nobility in a feudal system, the state has had a monopoly on the use of force. The state quickly became the only institution with the resources to maintain military forces and has become the only legitimate wielder of force. The internet however changes this. Cyber-attacks are often by individuals or groups who can carry out a cross border attack without the aid of their home country.

In 2011 CIA director Leon Panetta told Congress “when it comes to national security, I think this represents the battleground for the future. I've often said that I think the potential for the next Pearl Harbor could very well be a cyber-attack.”[1] If cyber-attacks are so important it stands to reason that the groups who are able to engage in such activities should be as limited as possible. While it is not always possible states try to make sure that the weapons of war for the most part remain in the hands of responsible actors. This should apply as much in cyberspace as elsewhere. While terrorist groups do exist – and are occasionally armed by states – for the most part they are seen by every government as being illegitimate.

[1] Serrano, Richard A., ‘U.S. intelligence officials concerned about cyber attack’, Los Angeles Times, 11 February 2011, http://articles.latimes.com/2011/feb/11/nation/la-na-intel-hearing-20110211

While it is true that governments for the most part seek to prevent non-state actors that engage in violence we should not assume that the response will be the same for activities that are not violent. The rise of multinational companies has sometimes (particularly in the 1970s) been mentioned as a threat to the state (particularly poorer states where the MNC may be richer than the state) yet many countries promote their MNCs because they bring them wealth and therefore power.[1] Similarly having non state groups that are able to engage in cyber-attacks bring an advantage to those states that have them as they provide benefits both in conflicts (essentially creating a cyber-militia) and in peace where they engage in espionage so damaging competitors businesses.

[1] Kobrin, Stephen J., ‘Sovereignty@Bay: Globalization, Multinational Enterprise, and the International Political System’, The Oxford Handbook of International Business, 2000, http://scholar.googleusercontent.com/scholar?q=cache:8OQRH9PQoA8J:scholar.google.com

A treaty that bans, or sharply curtails cyber-attacks would benefit every state. Even those who may currently benefit from cyber espionage would be better off signing up to the treaty.

First most cyber-attacks are not carried out by the state even in countries like China where the state is using the internet as an offensive tool. In its annual report to congress the Department of Defence stated some cyber-attacks “appear to be attributable directly to the Chinese government and military” but this does not sound like a majority.[1]

Secondly no state wants a risk of conflict as a result of an unregulated new field of potential conflict. Or even to risk relations with other nations; cyber-attacks in large part go on because they are cost free.

And finally all nations are the victims of cyber-attacks. The United States has repeatedly condemned cyber-attacks against it but China also claims that it is the victim of cyber-attacks. China’s Minister of National Defense General Chang Wanquan says “China is one of the primary victims of hacker attacks in the world.”[2] Having a treaty against cyber attacks would not only make business easier for all countries but it would build up trust between nations where it is currently being eroded.

[1] Office of the Secretary of Defense, ‘Annual; Report to Congress Military and Security Developments Involving the People’s Republic of China 2013’, Department of Defense, http://www.defense.gov/pubs/2013_China_Report_FINAL.pdf p.36

[2] Brook, Tom Vanden, ‘Cyber attack? What cyber attack?’, USA Today, 19 August 2013, http://www.usatoday.com/story/nation/2013/08/19/china-cyber-attack-pentagon/2671579/

It is unlikely that all states would see this as beneficial to them. There will always be some states that benefit more from engaging in cyber-attacks than others – usually the underdog in other areas. If cyber-attacks are an area being used to redress the balance then why should they be willing to restrict their freedom of action? This is why Russia is unwilling to engage in deep cuts in the number of nuclear weapons it has – they are the main area of armaments in which they have an advantage over their potential adversaries.

There are immense challenges to making a treaty seeking to prevent or curtail cyber-attacks work. Even on issues where there are clear security concerns it is unusual for the involved nations to be willing to get along and cooperate. This has proven to be the same with regards to the internet governance with Russia and China wanting greater state control while the US and Western Europe is opposed.[1] Even on issues where lives are being lost there is often no global agreement as can be seen by the deadlock in the UN security council over what to do about the civil war in Syria.[2]

Additionally there is the problem that working out who engaged in a cyber-attack is difficult. Such attacks are often routed through proxy computers to launch their attacks. If attacking a difficult target that may seek to strike back the attack will be through numerous proxies which will be in numerous countries to make tracking back difficult.[3] This means there can be misattribution of attacks creating confusion about which state needs to act domestically to prevent the cyber-attacks – or in the worst case resulting in a response aimed at the wrong country. For example South Korea has blamed its Northern neighbour for an attack on the website of the South Korean Presidency but the hacking is more likely to have been the work of someone in South Korea itself as a South Korean detailed his plans on Twitter before the attack.[4] If it is difficult to attribute who launched the attack then it would clearly be easy to get around any ban.

[1] Nebehay, Stephanie, ‘China, Russia seek greater control of Internet’, Reuters, 7 March 2013, http://www.reuters.com/article/2013/03/07/net-us-internet-usa-idUSBRE92617220130307

[2] Black, Ian, ‘UN may struggle to respond to reports of Syrian chemical attacks’, The Guardian, 21 August 2013, http://www.theguardian.com/world/2013/aug/21/un-security-council-syrian-chemical-attacks

[3] Greenemeier, Larry, ‘Seeking Address: Why Cyber Attacks Are So Difficult to Trace back to Hackers’, Scientific American, 11 June 2011, http://www.scientificamerican.com/article.cfm?id=tracking-cyber-hackers

[4] Koo, Soo-Kyung, ‘Cyber Security in South Korea: The Threat Within’, The Diplomat, 19 August 2013, http://thediplomat.com/2013/08/19/cyber-security-in-south-korea-the-threat-within/

There is no reason to assume that nations cannot get along on the issue of cyber security just because cooperation has not been prevalent so far. The US and China despite regularly accusing each other of launching cyber-attacks have set up a joint US-China working group on cyber security.[1] There is clearly a willingness to work together on this issue.

As to working out who is behind attacks the United States at least claims to be capable of doing this. Panetta says the Department of Defence can track attacks so “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.”[2] That computers in multiple countries should be taken over in order to launch an attack should simply provide another reason why all nations should want to be involved in preventing cyber-attacks.

[1] ‘US-China cyber security working group meets’, BBC News, 9 July 2013, http://www.bbc.co.uk/news/world-asia-china-23177538

[2] Garamone, Jim, ‘Panetta Spells out DOD Roles in Cyberdefense’, American Forces Press Service, 11 October 2012, http://www.defense.gov/news/newsarticle.aspx?id=118187

Any treaty that seeks to ban cyber-attacks would simply be an attempt to cement the position of the most powerful countries at the expense of weaker ones. This is because cyber-attacks are, like terrorism, weapons that can be used by anyone to attack a much bigger target. To launch a cyber-attack there is little need for training, only a small amount of comparatively cheap equipment (to military hardware at any rate), and an internet connection.[1] And it is difficult to defend against. This makes it ideal for poor nations to maintain cyber warfare as a credible threat to their bigger neighbours while their neighbours threaten them conventionally with their bigger militaries. We have seen before arms treaties that are fundamentally biased in favour of a small group of powerful states. Most notable is the Nuclear non-proliferation treaty where there are five recognised nuclear weapons states who are allowed the horrific weapons and everyone else is banned from having them. This discrimination was accepted as a result of the agreement that the nuclear weapons states would eventually disarm. It has not happened so leaving a troubled treaty system that appears to be regularly flouted.[2]

[1] Phillips, Andrew T., ‘Now Hear This – The Asymmetric Nature of Cyber Warfare’, U.S. Naval Institute, Vol.138/10/1316, October 2012, http://www.usni.org/magazines/proceedings/2012-10/now-hear-asymmetric-nature-cyber-warfare

[2] Miller, Steven E., ‘Nuclear Collisions: Discord, Reform & the Nuclear Nonproliferation Regime’, American Academy of Arts & Sciences, 2012, https://www.amacad.org/multimedia/pdfs/publications/researchpapersmonographs/nonproliferation.pdf

Everyone would benefit from the potential closure of a zone of possible future conflict. While cyber warfare may give a smaller state a brief advantage due to some low cost methods of attack ultimately the superior resources, both in defence and attack in cyberspace of the richer state would be telling. In the United States the Defense Advanced Research Projects Agency (DARPA) alone has a budget of $1.54billion for research into cyber offence from 2013-2017[1] considering that there are numerous other agencies involved in cyber warfare or defence, or monitoring the internet it is clear that cyber-attacks are not some wonder weapon that can even the odds between states.

[1] Kallberg, Jan and Thuraisingham, Bhavani, ‘Cyber Operations: Bridging from Concept to Cyber Superiority’, Joint Force Quarterly, Vol.68, no.1, January 2013, http://www.ndu.edu/press/cyber-operations.html

Warfare needs to be closely regulated because of the numbers of people who can be killed and the devastation that can result. This is not something that is a concern with cyber-attacks. So far cyber-attacks have not been very effective. ‘Stuxnet’ was a computer worm targeted an important control system in the Iranian nuclear program sabotaging gas centrifuges by making them run out of control. It was created by US and Israeli intelligence yet was not particularly effective, and certainly did not kill anyone.[1] Other major attacks have infected a large number of machines, such as ‘Shamoon’ that attacked the Saudi state oil company ARAMCO which affected 30,000 computers, but again this is simply destruction of property.[2] No matter how indiscriminate cyber-attacks may be that they don’t cause large numbers of deaths means there is little need to ban such attacks – it simply does not matter if attackers don’t follow a set of conventions like the Geneva conventions.

[1] Barzashka, Ivanka, ‘Are Cyber-Weapons Effective? Assessing Stuxnet’s Impact on the Iranian Enrichment Programme’, RUSI Journal, Vol.158, Issue 2, 28 April 2013, http://www.tandfonline.com/doi/full/10.1080/03071847.2013.787735

[2] Garamone, Jim, ‘Panetta Spells out DOD Roles in Cyberdefense’, American Forces Press Service, 11 October 2012, http://www.defense.gov/news/newsarticle.aspx?id=118187

Clearly cyber-attacks are not currently deadly but this does not mean they will not become so in the future. Leon Panetta has warned “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11”. Such an attack would be indirect – unlike setting a bomb – but could be just as effective “An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”[1] At the moment systems are not really connected enough to allow this but it is pretty much certain that technology will become more sophisticated, control more systems, and become more and more connected. This is immensely beneficial economically but does create vulnerability.

[1] Garamone, Jim, ‘Panetta Spells out DOD Roles in Cyberdefense’, American Forces Press Service, 11 October 2012, http://www.defense.gov/news/newsarticle.aspx?id=118187