In new warnings about cyberattacks by foreign entities, Britain and the United States have lately left the impression that innocent civilians, and not just governments, might become victims on a digital battlefield. On Nov. 15, for example, the US said North Korea is targeting banks, airlines, and telecom firms. And Britain claimed Russian hackers have targeted energy networks and the media. Prime Minister Theresa May accused the Kremlin of a campaign of cyber “disruption.”
The warnings are credible given evidence of Russian meddling in the 2016 US elections and North Korea’s 2014 hacking of Sony Pictures. Last spring, the so-called WannaCry virus shut down hospitals in Britain, rail ticket operations in Germany, and some FedEx operations in the US. Terrorism experts also warn of Islamic State or Al Qaeda shutting down critical infrastructure, such as electric grids.
“Algorithms can be as powerful as tanks, bots as dangerous as bombs,” says top United Nations official Michael Moeller.
Amid these rising fears, however, digital experts are calling for new international norms and agreements that recognize the need to wall off civilians from cyberharm. The idea is to replicate the kind of pacts that have largely curbed instruments of war, such as chemical weapons.
Under the Geneva Conventions that serve to protect the innocent during a conflict, cyberwarfare is already restricted to military targets. Just as warplanes cannot drop bombs on civilian hospitals, government hackers cannot hit civilian facilities, such as a factory.
Yet these humanitarian rules apply only during war. Many cyberattacks today are stealthy events by an adversary whose identity cannot be easily detected. Governments are responding by beefing up their cybercapabilities to respond in kind. This risks the possibility of widespread and mutual destruction of digital networks.
Just as the Geneva Conventions and other agreements have set legal bumpers for the use of physical weapons, the world needs a pact that restrains digital attacks. Microsoft’s president and chief legal officer, Brad Smith, has even called for a “digital Geneva Convention” out of his perception that “nothing seems off limits” in cyberattacks these days.
“Now is the time for us to call on government to protect civilians on the Internet in times of peace,” he said. “We need a convention that will call on the world’s governments to pledge that they will not engage in cyberattacks on the private sector, that they will not target civilian infrastructure whether it’s of the electrical or the economic or the political variety.”
Another idea is for tech companies to prevent their products from being weaponized. Last month, Peter Maurer, president of the International Committee of the Red Cross, which is guardian of the Geneva accords, visited companies including Facebook and Microsoft to ask that they alter their technologies to prevent them from being used as instruments of war.
Such ideas are grounded in a powerful concept well developed since the mid-19th century that even enemies must recognize the innocence of noncombatants. With each new type of weapon, the world must again find the means to protect the dignity of innocent lives.