Can an international cyber convention ever succeed?

The Cold War is a distant memory for most, but today we see a new struggle for dominance on the global stage – with cyber weapons being the latest focal point. The advance of sophisticated social engineering means that small but skilled groups of cyber attackers now have the potential to do more damage to a country’s infrastructure than a physical military strike.

Earlier this year, Brad Smith, President and Chief Legal Officer at Microsoft, gave a speech calling on governments to implement a Digital Cyber Geneva Convention to protect civilians from nation-state attacks. This convention would establish protocols for attacks that affect private enterprises and individuals, as well as civilian infrastructure such as power grids.

Mr Smith’s vision is commendable but unfortunately comes at a time when the combination of heightened international tensions and the proliferation of attack tools and threat actors makes the likelihood of a successful agreement more of a challenge than ever.

Indeed, United Nations negotiations on restricting cyber warfare collapsed in June, as members were unable to make progress on key issues. The talks had been in progress since 2004, with experts from 25 members of the UN security council participating. However, incidents such as the 2016 hacking of the US Democratic National Committee (DNC) caused further splits along old Cold War lines, and the final straw proved to be the right to self-defence against cyber attacks.

In the face of this breakdown and increasing global friction, will we ever be able to reach an agreement on how international cyber activity should be controlled and regulated?

The challenge of attribution

One of the biggest hurdles standing in the way of a Digital Geneva Convention is the challenge of attack attribution, and proving the perpetrator’s intention against the actual impact of the incident. Standard military action is usually fairly clear cut, but cyber attacks are much murkier, with very little concrete evidence.

A good example of this is the infamous Stuxnet attacks of 2010, which targeted industrial control systems in Iran but eventually spread to hit more than 200,000 machines around the world. While Israel and the United States have both been strongly suspected of launching the attack against Iran, nothing was ever conclusively proven. Likewise, even if the perpetrator could be proven, it is impossible to demonstrate whether they also intended to hit other countries such as India and Indonesia, or whether this was accidental.

Similarly, with the recent WannaCry ransomware attack, North Korea is widely believed to be the perpetrator, but the country itself has denied responsibility, and many of the signs could be the result of attackers reusing old code, or even a false-flag attack. While apparently a money-making exercise, the attack also caused serious issues for the NHS in the UK, as well as considerable damage to private enterprises around the world. Even if concrete attribution were possible, how could we determine whether it was intended as a revenue generator that spiralled out of control, or as an attempt to harm nation states with the ransomware serving as camouflage?

The blurred lines between citizens and governments

Another foggy issue is the need to determine the difference between an attack on a nation and an attack on a private citizen. Take, for example, the phishing attack that yielded criminal access to John Podesta’s emails during the 2016 US presidential elections.

Although the attack was clearly aimed at disrupting the campaign of Hillary Clinton by releasing sensitive material, it was actually Podesta’s personal account that was hit and many of the emails exposed were sent to him from people with no political role at all. The offenders could argue he was a legitimate military target and was just using the wrong kind of email account, but what type of collateral damage is reasonable to stay within the boundaries of a pledge?

Even fairly low-level criminal actors have access to a wide range of tools, such as VPNs and proxies, to hide their identity and evade the authorities. When it comes to activity by nation states, additional evasion techniques mean a country can have almost complete deniability.

In some cases, we may also see that nations don’t want to pursue cyber attackers on the international stage. Again, looking at the Podesta email attack, while Russia is generally accepted as the culprit, there are many who do not wish to pursue the case as it brings the legitimacy of the election into question. Particularly in politics, we are very likely to see future attacks denied even by the victim nation itself.

What can we do?

With the attribution of even the most notorious attacks of the last decade proving to be almost impossible, the traditional concept of a convention is extremely difficult to apply. How can sanctions and other standard international responses be effectively levied if the suspected perpetrator has complete deniability of their involvement?

Putting together an agreement is not only about finding terms that all potential signatories can agree on; the agreement must also make technical sense. It must start from a firm technical foundation, taking into consideration which actions cause damage, and to whom. This understanding is crucial if any kind of international agreement is to succeed.

While we are likely going to be waiting many years for any kind of Digital Geneva Convention, it is up to governments and private organisations alike to develop their own security and protect their assets and citizens. As it stands, we need to see a higher level of understanding of the threats, particularly at the decision-making level.

Improving our collective understanding must start with conveying ideas and concepts in a meaningful way. We often see attacks described with the wrong terminology, with everything being simply described as hacking or phishing. This kind of over-simplification ignores distinctions such as the difference between phishing and Business Email Compromise (BEC) or malware delivered by email.

When these mistakes filter all the way up to the people making purchasing decisions, it means they will do the wrong thing – an issue in both private and public sector organisations. Indeed, in many cases, governments are far behind private enterprises in their understanding. Until this changes, we can’t expect to move forward on an international level either.