The Geneva Conventions generally are understood to establish standards that govern the behavior of combatant nations toward civilians, prisoners of war and soldiers who are not capable of fighting. Their adoption created norms of behavior for tempestuous times. While they may not always be scrupulously followed, the fact they have been ratified by 196 sovereign states suggests there is solid accord on the principles they set forth. Now the Geneva Convention model is being held out as a way to address cyber warfare.

The Chairman and ranking member of the House Subcommittee on the National Security Agency and Cybersecurity sent a letter to Secretary of State John Kerry and National Security Advisor Susan Rice that said, in part, “Nonproliferation agreements were negotiated to curtail the exponential growth of nuclear weaponry during the second half of the 20th Century. Now is the time for the international community to seriously respond again with a binding set of international rules for cyber warfare: an E-Neva Convention… .”  The letter asked for the U.S. to take the lead in developing a binding set of international rules for cyber warfare. The Congressmen pointed out that the United Nations Group of Governmental Experts on Information Security last year affirmed a nonbinding consensus among twenty nations that international law, including the United Nations Charter, applies in cyberspace, and suggested it might be possible to build on that effort.

The letter might have been a short-lived blip on the cyber radar except for one additional development. The recently enacted Cybersecurity Act of 2015 contains a provision that requires the State Department to create an international cyberspace policy within 90 days. It shouldn’t go unmentioned that the State Department recently has been having a problem meeting deadlines, but we can assume that at some point we will see a State Department plan that lays out a strategy for developing international norms covering standards of behavior for cyber warfare.

Given that the proponents of an E-Neva Convention saw no need for a G in describing their approach, I think we can borrow the G to make the following observations. Gee, it would be great to have universally agreed upon protocols for cyber warfare. Gee, it is exceedingly unlikely such protocols will be adopted anytime soon. It does appear that at the highest levels of U.S. governmental thinking there is an effort to draw clear lines of distinction between cyber warfare and other acts. We were able to say, for example, that the presumed Chinese sponsored attack on OPM was business espionage. We deemed the Sony hack attributed to North Korea a cyber attack and enacted sanctions against North Korea, in part because it was felt necessary to establish deterrence against further attacks. But how the U.S. sees and categorizes cyber activity does not determine how other nations will view the same actions. We are a long, long way from bridging the enormous gap that exists among nations over the use of cyber warfare.  But perhaps the fledgling State Department effort will make a contribution toward the day when that gap will be reduced or eliminated. As the Chinese philosopher Laozi said, “A journey of a thousand miles begins with a single step.”

By Tom Davis, SDI Cyber Risk Practive

January 12, 2016