A think tank of US and Russian information security experts has proposed ‘rules of engagement’ for cyber warfare, akin to the Geneva Convention.
A report from the EastWest foundation, whose authors include representatives from Microsoft and military equipment supplier Northrop Grumman alongside academics and military advisors, says that critical civil infrastructure such as hospitals and air traffic control systems should be protected by internationally agreed sanctions.
However, the report also acknowledges the many ways in which cyber warfare differs from traditional conflict. Classic distinctions between military and civilian targets are less meaningful, for example.
Also, it is often impossible to find out who carried out cyber attacks. Although speculation has linked American and Israeli intelligence services to the Stuxnet virus that infiltrated nuclear facilities in Iran last year, there has so far been no concrete proof.
In light of these observations, the potential of any agreed sanctions between governments to dissuade cyber attacks on critical infrastructure is questionable, as is the utility of the “war” metaphor to describe politically motivated information security attacks.
Speaking on the BBC’s Newsnight programme last night, Professor Peter Sommer of the London School of Economics remarked that while there is “something in it”, certain companies have a strong commercial interest in portraying cyber war as a matter of national security.
“The big military companies … are finding it extremely difficult to sell big, heavy equipment of the sort they are used to because the type of wars that we’re involved in tend to be against insurgents,” he said. “And so they are desperately looking for new product areas, and the obvious product area, they think, is cyber warfare.”
The EastWest foundation will present its report to international leaders today at the annual Munich Security Conference. Attendees will include Prime Minister David Cameron, US Secretary of State Hillary Clinton, and Russian Foreign Minister Sergei Lavrov. At the conference, British Foreign Secretary William Hague will urge national governments to adopt practices that protect Internet freedom, but that also limit “the darker side of cyber space”.
This week, the government opted in to the European directive on “attacks on information systems”, which will allow UK police to collaborate more closely with overseas agencies.
The directive “will benefit Britain and other countries that have active online economies, because it will mean that cyber-criminals will not be able to hide in European countries that do not have as well developed laws against cybercrime as we do,” said parliamentary under secretary James Brokenshire yesterday.
Earlier this year, the UK government allocated £650 million of its otherwise diminishing security budget to cyber security measures including a UK Defence Cyber Operations Group within the Ministry of Defence and an information sharing scheme with the US. It also raised cyber attacks to a “tier one” security threat, alongside terrorism and flu epidemics.