A stunning report by a US digital-security company accuses China’s military of conducting more than 100 cyberattacks on American corporate and government computers. If accurate, the report by the firm Mandiant only adds to the urgency to develop international norms in cyberwar and cyberespionage.
Each new tool of aggression requires its own rules of war. Cyberwarfare should be no different. Without a code of ethics for conflict in the digital universe, nations could eventually bring down each other’s water supplies, electric grids, military defenses, and vital institutions. And key values, such as privacy and a right to intellectual property, could also be lost.
Global rules now restrict the use of nuclear, chemical, and biological weapons. They also help safeguard civilians and prisoners of war. What the Mandiant report shows is that the world may be losing the struggle to come up with rules for cyberspace behavior.
The scale of the Chinese cyberthreat is now so massive that it might lead to a rush to imitate rather than a campaign to prevent a cyber blow-for-blow. One of the unusual aspects of cyberweapons is that once they are used, they can be easily replicated for a return attack.
Coming up with such rules will not be easy. For starters, simply defining what is a cyberweapon or a cyberattack could be a problem. Even if that issue is settled, how can an attack’s originator be correctly identified? And given the speed of digital technology, the distinction between defensive and offensive capabilities can be easily blurred.
Current rules of war under the Geneva Conventions and the International Committee of the Red Cross may cover some aspects of cyberwar, but not all. The United Nations and other global bodies need to make such rules clear.
Even within the United States, Congress and President Obama cannot agree on rules for national defense against cyberattacks. An attempt to pass a law last year that would have required companies to cooperate with the government in cybersecurity ran into concerns over civil liberties.
As a result, Mr. Obama issued an executive order last week offering incentives for companies to improve data sharing with the government. The aim is to protect vital infrastructure now run by private firms.
Like the current US policy on clandestine drone strikes against terrorists, Obama is moving toward a legal presumption of executive authority in being able to launch cyberattacks without approval by Congress or legal oversight by a court. If he does assume such powers, it raises a difficult constitutional issue that needs public debate.
Nations have a strong record of creating norms that restrain types of warfare. Before more reports of cyberattacks emerge, the world must see a common interest in rules to prevent cyberwar.