GORI, GEORGIA - AUGUST 11: (ISRAEL OUT)  Georgian soldiers escape their burning armoured vehicle on the road to Tbilisi on August 11, 2008 just outside Gori, Georgia. Russia called today for Georgian forces to surrender in the separatist enclave of Abkhazia after Georgia called a ceasefire and withdrew their forces from South Ossetia, leaving Russian forces now firmly in control in the disputed region.  (Photo by Uriel Sinai/Getty Images)
© Getty
Experimental feature

Listen to this article

00:00
00:00
Experimental feature

Since the 19th century, countries have tried to shape warfare through regulations and sanctions. The advent of the internet changed that. “Cyber warfare is much more convenient for states than kinetic warfare,” says Mariarosaria Taddeo, research fellow and deputy director of the Digital Ethics Lab at the Oxford Internet Institute. Compared with conventional weapons, digital means are cheaper and offer greater plausible deniability, she says.

There have been a string of attacks over the past decade alone, as Ewan Lawson, an associate fellow at the Royal United Services Institute think-tank, points out. These include the 2010 Stuxnet virus, which damaged a nuclear plant in Iran, disruption of Ukraine’s power grid in 2015 and 2016 and an attack in 2017on Saudi Arabia’s national oil company Saudi Aramco.

Cyber warfare poses a clear threat to national security and citizens’ lives. Yet to date, no binding global framework has emerged to control it. Ms Taddeo, who is also a Turing Fellow at the Alan Turing Institute, says that situation partially stems from the novelty and complexities of digital technology. Differences from conventional conflict also play a role. Applying conventions such as proportionality can be difficult when cyber targets are often non-physical, and they are usually disrupted, rather than destroyed. 

“We don’t have red lines, we have not understood yet in the international community what is the ‘must not do’ as a state: is it legitimate to target a nuclear plant? Is it legitimate to support a military operation?” Ms Taddeo says.

Michael Schmitt, a professor of public international law at Exeter university, has been studying the field since the 1990s. “At that time we were thinking about cyber attack in the context of very dramatic events,” he says. “Over time, at least from [the perspective of academics], what we have needed to most focus our attention on are day-to-day malicious events.”

Prof Schmitt, who is also a professor at the US Naval War College, says cyber warfare dropped down the agenda after the September 11 2001 attack on New York’s World Trade Center. The 2007 cyber attacks on Estonia and cyber weapons in the 2008 Russo-Georgian War rekindled the search for governance. This contributed to the drafting of the Tallinn Manual in 2013, which Prof Schmitt oversaw. While it is an academic and non-binding work, it remains one of the most in-depth examinations, providing 154 rules for governments based on current international law. 

Mr Lawson says the Tallinn Manual reflects a western view of cyber warfare, as covered by existing international law. “That suits countries like the UK and the US that have particularly effective digital espionage capabilities,” he says. On the other side are states including Russia who say cyber warfare is radically different from offline conflict. “If you talk to them, these countries tend to see cyber measures as part of a broader information war,” says Mr Lawson.

All three experts agree that a political combination of different conceptual schemes and conflicting national interests prompted the most promising effort to date: the 2017 UN Group of Governmental Experts’ report on developments in information and telecommunications in the context of international security. Despite significant progress, Ms Taddeo says, the UN group failed to provide a list of final recommendations to the General Assembly two years ago.

Prof Schmitt lays the blame on countries including Russia, China and Cuba. He is critical of their objections to recommendations, which include calling for the application of existing laws. “No serious military officer would think that cyber-operations are not bound by the [current] rules of warfare,” he says.

While Prof Schmitt sees some hope in the decision to reconvene the UN group this year, consensus in the organisation looks increasingly unlikely. A significant factor in this is the UN’s formation of the Open-Ended Working Group, a separate body established on a Russian proposal. Prof Schmitt is concerned that smaller states in the second group may be open to manipulation from Russia. He also fears that the two groups may reach different rules on cyber warfare. 

67

Number of countries which have signed the Paris Call for Trust and Security in Cyberspace declaration

Nevertheless, Prof Schmitt notes that there is a growing interest in cyber warfare and governance. “Nowadays everyone is thinking about this,” he says. Among the examples he refers to is the Paris Call for Trust and Security in Cyberspace, launched by French president Emmanuel Macron last year. The pact condemns malicious cyber activities during peacetime and reaffirms the applicability of international humanitarian law to technology.

The declaration was signed by 67 countries, and a number of private companies and organisations. While three significant players in the field, the US, Russia and China, did not become signatories, Mr Lawson sees continued dialogue as necessary for any resolution. 

Mr Lawson believes communication between states can sometimes be at cross-purposes. “A lot of the time it seems to me that states and actors are deliberately being vague or even slightly disingenuous around cyber warfare,” says Mr Lawson. “But actually, to a certain extent, it is about people talking past each other.”

Rather than building an arms control framework, he calls for vulnerability disclosures. That would mean a complete rethink of cyber security. Instead of hoarding intelligence about exploitable flaws in opponents’ systems, countries would reciprocally declare them. In theory, that would mean improved global cyber security and greater trust. It might be a long shot, but Mr Lawson is convinced other approaches are not working. “That’s the only sensible way in the future that we are going to manage this,” he says.

Get alerts on Technology when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.
Reuse this content (opens in new window)
About this Special Report

Part 1: FT correspondents dissect the common challenges facing the world from the cyber arms race to the migration crisis; they ask whether the governance tools available are fit for purpose

The next instalment of this report appears on November 4 2019

Follow the topics in this article