War has changed. We have come a long way, from basic hand weapons and stones, to nuclear bombs and armed drones; so too have the laws which govern our conduct during times of war and conflict. Many decades ago, first in the Hague and then in Geneva, states agreed how to behave when engaged in warfare against another state, and accepted the obligations of international treaties.
These rules were established to mitigate against and deter risk to civilians, to temper military urges and establish a moral obligation for states in how they conduct warfare. Those who violate the laws of war can expect to be held accountable, in their own jurisdictions or by international courts. War is hell, but civilians can expect protection from both sides.
We have all been directly concerned at the highest political level with the security of our states – Eastern European countries which have achieved or aspire to NATO membership – and we know at first hand the threats we face in the new era of warfare. We have seen conflict move online. This week’s ransomware attack hit companies and government systems all over Eastern Europe and elsewhere. In the last few years, we have witnessed cyberattacks take out national electricity grids, health services and nuclear plants, not to mention the sophisticated hacks which have attempted to influence key elections or embarrass multinational companies. Countries of all sizes and allegiances have been both victims and alleged perpetrators of such attacks. No state is safe or immune from a cyberattack.
More and more vital public services and organisations, along with the livelihoods of private citizens, have become reliant on the connected world to function. Yet there are few respected international rules or norms, which regulate what states can and cannot do to each other and to each other’s people online.
It has become increasingly clear that this new space for conflict requires a response similar to that of traditional means of warfare. We are at the stage now where technology has become potentially as damaging as those conventional weapons which are regulated by international agreements. We are seeing increasingly bold and brazen cyberattacks, often with the guidance or tacit approval of states themselves. These incursions into cyberspace have the ability to fundamentally damage our economies and societies.
To protect citizens around the world, cyberspace requires a genuine and respected set of international rules agreed between governments to curb online aggression and guard against future devastation by cyberattack.
The power to act rests with states themselves. To start, the global community must agree that offensive weapons – both conventional and cyber – should be avoided at all costs. The stability of human civilization in the 21st century is at risk if action is blocked or delayed.
A slow and incremental process has begun, through the UN Group of Governmental Experts (GGE), building universally agreed norms for states’ behaviour online. Unfortunately this has not as yet delivered as much as it might have. This diplomatic process must be taken more seriously with a more concentrated effort to bring all UN members to coalesce around a set of common norms.
Beyond a struggling UN process, we are also very encouraged to see renewed discussion amongst a wider international group beyond state actors – including the tech sector and civil society – recognising how crucial action is to prevent serious harm to civilians.
It is time for political leaders to rise above a narrowly defined sense of their “national interest” to see the global and ethical imperative to act. Governments around the world should come to the realisation that pursuing universal norms for states’ behaviour online makes everyone, including their own citizens, much safer.
Otherwise, it begs asking the question: do we want cyberspace to be somewhere which applies the rule of law or will it continue to be dominated by the rule of war?