Should there be a Geneva Convention for fighting cyberwar?

Microsoft security exec raises the issue of how to fight computer threats

The term "cyberwar" has been bandied about in recent years as a catchall term for everything from hackers stealing credit card numbers or spreading spam to much more nefarious schemes, such as breaking into an electricity grid. At a recent cybersecurity conference, one Microsoft security executive said we might need global rules on how to fight such threats.

Scott Charney, vice president of Microsoft's Trustworthy Computing Group, spoke at the Worldwide Cybersecurity Summit in Dallas last week and said there needs to be a distinction between cybercriminals merely stealing money and cyberwar, possibly conducted by nation-states, that is aimed at crippling a target in another country, such as a power grid or an oil pipeline.

An Associated Press report on the conference, which was picked up by the Seattle Post-Intelligencer newspaper, quotes Charney as saying that international treaties designed to fight cyberwar are difficult to establish because of the murky nature of what "cyberwar" is.

The United Nations last month rejected a Russian proposal for a new cybercrime treaty, leaving in place a 2001 treaty that Russia opposes because it gives foreign governments too much leeway to pursue cybercriminals across borders.

"Lots of times, there's confusion in these treaty negotiations because of lack of clarity about which problems they're trying to solve," Charney said.

In a paper that accompanied his talk, Charney also wrote that if the concern is that countries need to brace for a cybersecurity "Pearl Harbor," then it needs to be made clear which types of attacks governments can respond to. "If the concern is an electronic Pearl Harbor, perhaps part of the response is an electronic 'Geneva Convention' that protects the rights of noncombatants."

The notion of an electronic Pearl Harbor has come up before on this blog. I wrote about it after attending the RSA Conference 2010 in San Francisco in March. There, a panel of cybersecurity experts warned that a cyberattack could cripple U.S. infrastructure if we're not prepared for it.

Richard Clarke, a national security advisor to the previous three U.S. presidents, also proposed a cybersecurity treaty, but lumped together criminal cyber attacks and state-sponsored attacks.

"You could have an international treaty that puts an obligation on every country to police its own cyberspace," he said. It wouldn't matter if a foreign government launched an attack or whether individual criminals did, he said; if it was traced to their country, they'd have to do something about it.

I think that's where the murkiness problem comes in. Charney says the confusion occurs when we lump together criminal activity and government-sanctioned -- or at least condoned -- cyberwar, including possible terrorism.

I think a government or military response to a cyber threat should be reserved for attacks on infrastructure (taking down an electrical grid by computer is the same as bombing the transmission towers) and for attacks by one nation against another, and a treaty establishing the rules of engagement for those cases is warranted. Responses to criminal cyber attacks, however, should be left to law enforcement agencies; in those instances, cooperation agreements between the law enforcement organizations of each country would be beneficial as well.
