
Communications of the ACM

ACM News

Pressure Building for Rules of Engagement for Cyberwarfare

There are no well-defined international protocols for response to cyberattacks.

The 'ground-rules' for cyberwarfare could begin with international no-first-strike agreements.


There are currently no well-defined international protocols for responding to cyberattacks, leaving the question of what constitutes an appropriate response with no real answer.

A clear illustration of this arose in early March, when Lt. General Paul Nakasone, at his Senate confirmation hearing to be the new director of the U.S. National Security Agency and head of the U.S. Cyber Command, testified that no country fears any type of U.S. response to cyberattacks, because "they don't think much will happen."

Two recent appeals have called for the establishment of rules of engagement for cyberwarfare.

In February, in a speech given in Lisbon, Portugal, U.N. Secretary-General Antonio Guterres called for the establishment of international rules of conduct for cyberwarfare, noting that global threat levels continue to rise in the cyber arena.

About a year earlier, Microsoft proposed a digital Geneva Convention, an initiative that would constitute a multinational effort on the rules of engagement for cyberspace. Brad Smith, president and chief legal officer at Microsoft, outlined this initiative in a keynote delivered at the 2017 RSA Conference titled "The Need for a Digital Geneva Convention," in which he observed that cyberspace has become another battlefield, in addition to land, sea, and air.

Among Microsoft's proposals were that nation-states should agree to refrain from cyberattacks; that the technology sector has already become the equivalent of first responders during cyberattacks, and that a Tech Accord is needed to proactively promote a more secure Internet; and that a new international organization, with credible authority, is needed to objectively identify the perpetrators when nation-state attacks happen. This organization would be modeled along the lines of the International Atomic Energy Agency, which has managed nuclear non-proliferation for decades.

"We need to have states begin to agree to the applicability to the rule of international law to ensure that sovereign territory is not used for malicious purposes to harm other states," says Michael Schmitt, a professor at the University of Exeter in the U.K. Schmitt is also director of the NATO-sponsored Tallinn Manual project, which has compiled a detailed exploration of international law as it relates to cyberwarfare.

Regarding the Microsoft proposals, Schmitt's concern is that some of the proposals will be treated as aspirational or best practices, when more than half of what Microsoft is calling for is, in fact, international law. He adds that the trick is getting nations to acknowledge this.

The development of cyberwarfare policy is happening in real time, on a case-by-case basis, says Schmitt. "We act as if we can make up the rules of the game as we go along because there is nothing out there, when in fact there is a great deal out there." He adds that international law offers a pretty robust menu of response options, if we choose to apply them.

If modern warfare has changed, then cyberattacks might become a standard precursor to a physical war. The Russian invasion of the Ukraine in 2015 serves as a template, as it began with a successful cyberattack before the deployment of troops.

"If there is a shooting war going on, I don't think there are going to be a lot of restraints about cyberattacks," says John Arquilla, a professor at the Naval Postgraduate School in Monterey, CA.

Arquilla feels nations are going to be increasingly willing to use cyberweaponry, as we have already seen a tremendous increase in the number of cyber exploits in recent years. Cyber is too attractive an option not to use, he says, because cyber tends not to be lethal or physically destructive, but simply achieves some level of disruption.

He contends cyberweaponry cannot be controlled in the same way nuclear weapons and fissile materials can be overseen. "You can't have the physical kind of arms control you have with physical weapons, but you can have behavior-based arms control for cyber weapons," Arquilla says. He explains there is self-interest in pursuing cyber arms control, just as there has been a self-interest in pursuing nuclear arms control.

Years ago, Arquilla suggested that if there is to be any kind of behavior-based control of cyberwarfare, it might begin with saying there will be no strategic cyberattacks waged first; there can be retaliation, but no first strike. That is analogous to nuclear deterrence, or the aerial bombing of civilian population centers during World War II. In those instances, all combatants at first agreed they would not bomb each other's cities. This held for a little while but gave way quickly, and civilian populations were then targeted.

Arquilla cites the 2015 accord between the U.S. and China, in which the two countries agreed not to cyberattack each other's infrastructures, as an illustration of nations acting in mutual self-interest.

Patrick McDaniel, a professor at Pennsylvania State University, finds it troubling that cyberattacks are becoming the norm. In his view, the world has somehow transitioned into considering cyber warfare as an acceptable operational tool, just like any other lever in the arsenal.

When it comes to cyberwar, McDaniel does not feel there has been that overwhelmingly visible and damaging moment to date that causes states to take action. "I think the more recent nuclear power plant penetrations starts to get into that territory. Were one of these penetrations to cause a nuclear meltdown in the U.S., where you have major material and personnel losses from a cyberattack, that is going to force nations to act," he says.

McDaniel thinks there is an analogy to be made with chemical weapons and the First World War. Suddenly, there were weapons that governments and combatants didn't have before, and they didn't realize how dangerous these were until they saw the terrible results of their use. Governments concluded chemical weaponry needed some type of governance between countries, which resulted in a ban on chemical weapons by the League of Nations in 1925.

The crux of the discussion about norms and international agreements is that there is not a strong sense of what proportional response is for cyberwarfare, McDaniel explains. In kinetic warfare, there are doctrines governing military and diplomatic behavior, and there is an understanding of what a proportional response is, but according to McDaniel, we do not have those norms in cyberspace.

When thinking about the future, McDaniel is short-term pessimistic and long-term optimistic. Countries, he explains, act on security only when it becomes clear that the cost of not doing so is so high that it mandates action. There will be some kind of agreement that most countries will abide by, including some sort of mechanism for punishing bad actors to thwart their activities, he concludes.

Arquilla points out the Internet of Things makes it more likely that there will be massive capability at hand for rogue states and non-state actors to add to their firepower. He says it is time to be thinking about cyberarms control, even though "It is trickier than nuclear arms control, because you can't control the basic material of cyber, but you can control behavior and act in self-interest."

Exeter's Schmitt is very optimistic about educational efforts by the Netherlands, where it is understood that if there is going to be an intelligent discussion on the rules of the game, people ought to be educated about the basics of international law, and how that law applies in cyberspace. Schmitt maintains the Dutch have an aggressive, robust program, the so-called "Hague Process," and are educating people around the world on the basics, so everyone can start from the same position in negotiations.

Schmitt says another potential action would be to bring together like-minded states. For example, if the majority of European countries announced that sovereignty is something that can be violated in cyberspace, then the process can begin to make progress. "I think we are hobbled by the politics, but by gathering together like-minded states to issue statements of their understanding of the law," Schmitt says, "the states that get on the table first with their positions are going to control play for a while in this space."

John Delaney is a freelance writer based in Manhattan, NY.

