The 5 Golden Rules of Cyber-War

War is happening right in front of our eyes: a cyber-war. Cyber-space is now the 5th domain of warfare recognized by NATO alongside land, air, sea and space.

In conventional war, rules of engagement and conduct have existed in one form or another for centuries. But the cyber-world has no standard that distinguishes combatants from civilians.

The lines have blurred. This is why we’re calling for urgent consideration of the rules and conventions governing cyber-war. Here is where we currently stand and what we could do next:

Digital Weapons and Proliferation

In January 2010, the United States and Israel released the world’s first digital weapon: Stuxnet. This “worm” was self-sufficient and automated, designed to spread through devices and lie in wait. With Stuxnet, a Government Agency could shut down SCADA-controlled critical infrastructure in any country at any time.

Since then, there has been a proliferation of nation-state-backed cyber-attacks and cyber-gangs.

In 2012, Shamoon malware brought Saudi Aramco oil production to a halt. This aggressive disk-wiping malware made no ransom request. Instead, it existed only to devastate a critical economic sector.

In 2015, the Iranian Cyber Army used an unknown digital weapon to control Turkey’s electrical distribution networks. With a keystroke, half of Turkey’s computers, traffic lights, hospitals, water and sewage stopped working.

From 2017 to 2018, WannaCry ransomware attacks were on the rise, using the EternalBlue exploit to infect older Microsoft machines, and stopped production at the Taiwan Semiconductor Manufacturing Company. Estimates place the damages between hundreds of millions and billions of dollars.

These attacks show two things. First, cyber-attack techniques are proliferating from nation-states to cyber-criminals. Second, the targets of cyber-attacks have grown past government assets to general economic infrastructure.

Where We Stand Today: Building Tension

In 2020 cyber-attacks found a new gear. Three incidents increased cybersecurity tensions to new heights: SolarWinds, Colonial Pipeline and JBS USA.

The SolarWinds supply chain attack infected a large section of the US federal government, portions of NATO, the EU Parliament, Microsoft and VMware. The nine-month-long infiltration was called an “Act of War” by one US Senator.

Many US citizens felt the effects of the 2021 Colonial Pipeline hack. This ransomware attack cut off gasoline supplies to much of the US southeast, leading to 17 states declaring a “state of emergency.”

JBS USA, one of the largest meatpacking companies globally, had operations on two continents halted by a Russian-based ransomware attack. Production ceased across multiple states, threatening 25% of US meat production.

Influenced by these events, US President Biden issued an executive order on “Improving the Nation’s Cybersecurity,” and NATO declared cyber-attacks to be an act of war.

Current Rules for Digital War

We are not the first to suggest rules for cyber-warfare.

The oldest and most successful framework is the Shanghai Pact, a cooperative political, economic and security agreement between Russia, China, India and neighboring countries.

From NATO, the Tallinn Manual examines how Jus ad Bellum (Just War) and international humanitarian law apply to cyber operations.

Aside from governments, some such as Microsoft’s Brad Smith have suggested that an independent organization could investigate and publicly disclose evidence that attributes nation-state attacks to specific countries. In addition, there should be a provision that technology companies remain neutral in any future conflict.

A possible future course of action could combine corporate and governmental power to enforce these conventions. But, whatever the future holds, an agreement is needed before a devastating war forces our hand.

Five Golden Rules of Cyber-War:

The Geneva Conventions are a well-known example of warfare rules; several provisions could be readily adapted for cyber-warfare:

  1. Red Crystal designation: The protective class of the Red Crystal may be displayed by medical and religious institutions. Institutions displaying this emblem perform a humanitarian service and must be protected by all parties in a conflict.
  2. Protection of health: Destruction or interruption of medical and hospital establishments and services, public health and hygiene is prohibited.
  3. Protection of survival material: Indiscriminate attacks on food, water and other material systems needed for survival are prohibited.
  4. Prohibited destruction of works and installations containing dangerous forces: Attacks on dams, dikes and nuclear electrical-generating stations are restricted to prevent releasing contained dangerous forces.
  5. Prohibited destruction: Destruction of real or personal property belonging individually or collectively to a private, public or social organization is prohibited.

These provisions are a starting point, an ice breaker for a larger conversation that will soon occur. 
