Home / Our news and views / Can/should traditional rules of war apply to cyber-space?

Can/should traditional rules of war apply to cyber-space?


BRUSSELS – The international community is struggling to define how a government should respond to cyber-attacks outside a war situation but which cause major disruption or even deadly fall-out.

After several years of effort, the UN tried to nail down the issue by defining a set of guidelines but its group of national experts ultimately failed in summer 2017 to agree on what those should be.

That has left governments adrift in a sea of ambiguity, though international organisations – led by the EU – insist that the traditional rules and treaties regarding physical war apply directly to the digital world.  There is a sense, however, that such a stance is but whistling in the dark for lack of a viable alternative.

One result of this anomaly is that “the allies now find themselves in a sort of ‘Article Four-and-a-half’ situation today, caught between crisis consultation and how to reaction to an attack,” says a senior allied official, referring to Articles Four and Five of NATO’s founding Washington Treaty. Those articles govern crisis consultation procedures with other allies versus the activation of collective defence, respectively.

“Cyber defence now equals collective defence, but the evidence so far shows that most malicious cyber activity falls below the level of warfare and armed attack,” the official told a cyber warfare conference in Brussels on 10 April organised by the Wilfried Martens Centre for European Studies. “What to do when there is a [cyber-attack] crisis that falls under the threshold of armed conflict, but whose consequences are serious enough that they must be dealt with? This is not clear.”

NATO is not alone in trying to muster a legal response to such cyber-attacks.

Karoly Dan, Hungary’s ambassador to the OSCE and UN, told the gathering that regional organisations probably “have a better chance of reaching agreement and coming up with solutions for state behavior” than the UN.

Noting that the OSCE has developed the world’s “most advanced” regime of arms control, he said the Vienna-based entity has developed a set of cyber warfare confidence-building measures “to reduce the risks of conflict stemming from the use of ICTs [information and communications technologies]”.

Dan said other regional groups such as the Organisation of American States and ASEAN, the forum of southeast Asian nations, “are following our approach as well”, though he added that how far they can go will depend on how closely their cultures are related: “The central problem will be to bring countries to the table who have virtually zero trust in one another to talk about cyber behaviour.”

Tomi Huhtanen, the Martens Centre’s executive director, said many experts consider that recent cyber-attacks such as WannaCry are just a test to see how the targeted countries react. “Russia and North Korea, for example, have not yet released their full cyber capabilities,” he said.

Exposing the perpetrators of such attacks could offer effective deterrence to them, said speaker Sico van der Meer, cyber security research fellow at The Netherlands’ Clingendael Institute of International Relations.

“We need better forensics, threat analysis and attribution. These should all be pursued within the UN, OSCE and other fora, hopefully pulling the ‘great powers’ into these agreements,” observed van der Meer.

     THE UPSHOT: Whether the international community will ever come up with a set of hard guidelines to hem in cyber behaviour is doubtful. Western countries with the most advanced cyber capabilities, not to mention Russia, North Korea, Iran and China, will never agree to restrict their tactics to defensive action alone, if they do not fully trust the others to do the same. Besides, their military leaders will always argue for keeping the cyber-offensive option open as a retaliatory resort.
     This is not to dismiss confidence-building measures, which would certainly be a pre-requisite for, and to underpin, any legal treaty. Yet CBMs are most effective when based on mutual verification procedures. And that raises a fundamental question: what to verify in the virtual world of cyber warfare?
     The cyber warfare realm is probably too abstract, complex and murky to be effectively framed by any international treaty or rules. The only thing that will discipline rogue or hostile nations is full disclosure of their tactics, which means developing air-tight forensic methods that would indisputably trace attribution to who did what. That’s where the West’s R&D effort should be focused.


Check Also

The EP pushes for international ban on the use of killer robots

BRUSSELS – Members of the European Parliament (MEPs) are demanding a ban on weapons that have no “meaningful human control”.The resolution, passed overwhelmingly on 12 September by a majority of the MEPs (566)  is non-binding, however, on the 28 member states but is supported by Federica Mogherini, the EU’s policy chief for security and defence policy. She has already begun an international dialogue to try and bring the world into consensus as to the direction of autonomous warfare. The resolution notes that lethal autonomous weapons (LAWs) are machines without the ability or capacity to make human decisions and, as such, remote operators must take responsibility for life or death decisions. Much like drones, these weapons bring up strong ethical and moral dilemma regarding...