Would 'Cyber Geneva Conventions' Defuse Online Aggression?

International treaties could force nation-states to police bad actors within their borders to avoid penalties.

With the troubling news of the recent invasion of Ukraine by Russia, the specter of a cyberattack by a nation-state on the US looms as a threat yet again. However, this time may be different, especially if the US and its allies respond with any kinetic, real-world attacks or resources. Russia is likely to respond with an intense cyberattack rather than use on-the-ground forces and risk a humiliating battlefield loss to the United States.

This isn't necessarily good news for the US. The Russians and their hacking affiliates have been probing and testing US defenses for years, often breaching them in troubling ways. Last year’s Colonial Pipeline ransomware attack shut down a crucial delivery system for gas for a portion of the country while driving prices significantly higher. All indications are that Russia could be quite successful with a massive cyberattack that directly impacts the American people while maintaining just enough deniability to hamper an immediate response.

If this were to happen, it's highly likely that support both among the people and Congress could increase sharply for the US to engage in a "hot" war with troops or a "warm" war, implementing no-fly zones and providing air support. Both have a high risk for the US. Best case would mean getting involved in another regional dispute that could take years or decades to resolve. Worst case, it could start a cycle of responses and counter-responses that could engulf the entire region or even the world in a war which would be devastating, in terms of lives and the economy.

Method of Attack
Imagine if one of our foreign adversaries flew planes over US soil and dropped bombs on civilians. Even if there were no injuries, only property damage, international outrage would ensue and we would probably go to war, or at least respond in kind. Or if Russia sent black-ops teams into the US to physically break into major US banks and steal money to fund at-home operations. Again, only serious peace talks would keep our jets and bombs from flying.

But attacks have been happening in the cyber realm for years — on multiple fronts from multiple adversaries with little retribution, other than useless arrest warrants for foreign nationals who reside in countries without extradition treaties with us. Or strongly worded policy statements with weakly enforced sanctions and warnings. And this response varies widely from country to country, depending on the country being attacked and its relationship with the bad-actor countries. We rarely intervene after attacks on countries other than our own.

The truth is, sooner or later, a nation-state attack — either from Russia or one of the other antagonist nation-states in cyber such as China, Iran, or North Korea — is going to land hard on our shore, causing civilian casualties. This may be intentional or unintentional. In the pipeline hack mentioned above, the criminals clearly exceeded the mandate from their political minders and the group actually issued a weak apology (while still taking the ransom money).

This was little solace to those inconvenienced by the cyberattack or forced to pay higher prices for the fuel. And these effects could become much more significant. Examples include dams failing, electrical grids being taken out, hospitals being shut down, or, worst case, an industrial facility or nuclear plant being damaged or destroyed, spewing toxic or nuclear waste across an area. Either way, a cyberattack definitely has the possibility to affect civilian populations and should be treated as a potential "weapon of mass destruction." And in the same manner, their uses should be addressed in multinational agreements and treaties similar to those of the Geneva Conventions.

No Way to Stop All Bad Actors
It's true that no treaty will stop all bad actors from using the proscribed weapons. But for now, cyberattacks are a relatively easy way, in terms of cost and manpower, to attack a country with no agreed-upon penalties in the international community for the actors. While there have been limited violations, the original Geneva Conventions have largely kept chemical and nuclear weapons off the battlefield since their first uses in World War I and World War II.

And even if they defy "Cyber Geneva Conventions," there would be an international court waiting for those leaders, military or civilian, who used cyber tactics. Some may escape final justice, but as the war crimes trials over the Bosnian War showed, many times the perpetrators can be captured and brought to impartial justice. The threat of this humiliation alone might keep some despots' fingers off the cyber trigger.

Also, many of the perpetrators of cyberattacks for nation-states are criminal groups only loosely affiliated with their nation sponsor. This is both a benefit and a downside, as non-military, non-state actors can be brought to justice more easily or at least their movements confined to their own country and their financial resources drained. And in the event of a truly devastating attack, a sponsor country might be moved to give up or expel the guilty parties to limit its own exposure.

No written words or signed treaties will ever eliminate all cyberattacks. The cost/reward ratio is still too low. We all know this from the theory of our security policies and procedures compared with actual compliance to them. But an international treaty, endorsed by the UN, could raise that cost and make "the big one" less likely to happen in the cyber realm.