Cyberwarfare is one of the major issues threatening world peace. Whilst we often think about warfare in terms of on the ground fighting capabilities, cyberwarfare also has real-world consequences and can directly affect civilians in their day-to-day lives. Cyberwarfare is defined by RAND (a technology research organization) as involving “the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks.” Cyberwarfare has caused entire power grids to go down, influenced election outcomes, generated the propagation of fake news and released confidential information, threatening people’s safety. In response to these violations, technology companies and governments have tried to implement policies in recent times and called for international action to combat cyberwarfare.
Russia has been one of the more prominent countries implementing cyberwarfare strategies. Most recently, the Ukraine accused Russia of targeting its power grid, financial system and infrastructure, resulting in chaos. If the Ukraine can confirm that Russia caused the cyberattack, it could further the case for the United States to help in the coordination of an effort to counter the threat of Russian cyber warfare. Brad Smith, Microsoft’s chief legal officer, explained at a recent RSA (information security) conference in San Francisco that cyberattacks are becoming increasingly common and unrestrained. He said that civilians need to be protected by an internet version of the ‘Geneva Convention’ that would make governments agree to deter any cyberattacks involving attacking critical infrastructure, hacking and stealing intellectual property to devastate economies. In light of these issues, to establish global peace we must focus on how cyberwarfare threatens the stability of people’s day-to-day lives and create policies to resolve these conflicts.
The existence of cyberwarfare is still debatable in some policy and academic circles, thus contributing to the complexity of the problem. Dr. Thomas Rid, an academic in War Studies at King’s College London defines the difference between a cyber and a conventional attack in the context that “offensive capabilities don’t necessarily translate into defensive capabilities.” Although someone could ‘hack’ into a system, it does not mean that they could or would want to fight back. This leads to another key factor of cyberattacks – anonymity. As Dr. Rid infers, if someone acts anonymously without a motive they are not fighting in a war, as they are not partaking in a direct act of revenge that defines conventional wars. However, the question of a soldier’s versus hacker’s ‘motive’ to cause conflict is not as clear-cut as it seems.
One of the most significant cyberattacks directed towards a single country, was the 2007 cyberattack on Estonia. Apparently this cyberattack was launched as a protest to the Estonian government’s removal of the Bronze Solider monument in Tallinn, erected during Soviet times in 1947 and a symbol of Russian patriotism. These cyberattacks targeted the websites of governments, banks, universities and newspapers over a three-week period. The Estonian government had to block all international web traffic, which was major issue for a country known as the ‘most wired in Europe’, due to its implementation of electronic voting and 97 percent of its banking transactions occurring online. In fact, when the cyberattacks severed the connection to the Hansabank (Estonia’s main bank), Estonians could not use any debit cards outside the country or any ATMs within Estonia.
Eventually, the Estonian government traced one of the attacks back to an IP address owned by a member of the Russian government. However, the Russian government denied involvement. To date, the exact involvement of the Russian government remains questionable. The only arrest was of an ethnic Russian student living in Estonia, Dmitri Galushkevich, whose ‘denial-of-service’ attacks targeted the Estonian government’s Reform Party website. No other hackers have been traced or arrested, despite multiple attacks having been made over that three-week period.
The Estonian cyberattacks can teach us a lot about the consequences of cyberwarfare. The ‘zombie computers’ that were used in the Estonian attacks were based in 50 different countries; each of these countries, in turn have specific laws regarding the nature of hacking and cyberwar. This is why countries, as well as private and public technology sectors must unite to establish a global convention to prevent cyberwarfare.
In 2015, a group of government policy analysts from China, Russia and the U.S. at the United Nations, published a report arguing for peaceful resolutions regarding cyberwarfare. The report included the notion that states should not intentionally damage critical infrastructure or interfere with a country’s cyber emergency responders. These types of policies are crucial to forming a global consensus on how to prevent or stop a cyberwar from occurring. Nonetheless, often countries will not take responsibility for their citizens if they are accused of ‘cyberwarfare’ or ‘hacking’ as seen with the example of the Russian government. Thus, many experts have considered making countries directly accountable if a cyberattack has been made by their citizens, even if the attacker’s identity cannot be known.
Greg Rattray, a former director of cybersecurity at the National Security Council has suggested that governments need to cooperate with the private sector to rid computers of viruses and malicious software developed by ‘cybergangs.’ Building secure infrastructure that can resist cyberattacks is also key to preventing these sorts of attacks. Along with nuclear weapons and biological attacks, cyberwarfare is one of the major threats of the 21st century.
Therefore, in order for cyberwarfare to be mitigated, a compromise needs to be made with global diplomatic talks and constructing technologies that will prevent or deter any potential cyberattacks. At the moment, it does not seem like one solution would work better than the other. Rather, both strategies need to be put into effect. This also leads to the argument about whether governments or the private technology sector are the best to control cyberwarfare. Can governments be trusted to negotiate their own cyber-laws? Microsoft’s Brad Smith has suggested that: “Cyberspace is owned and operated by the private sector… it is private property, whether it is submarine cables or data centers or servers or laptops or smart phones.” Smith explained that the private sector is therefore the first to respond to cyberattacks, with Microsoft itself spending billions of dollars on cybersecurity. Technology companies need to act like a ‘Digital Red Cross’ and offer technical assistance to one another once a ‘Digital Geneva Convention’ has been established.
Nonetheless, Smith still points out that governments need to take the initiative to establishing cybersecurity laws. Smith said, “But consider this: For over two thirds of a century, the world’s governments have been committed to protecting civilians in times of war. But when it comes to cyberattacks, nation-state hacking has evolved into attacks on civilians in times of peace.”
In a world that relies on crucial technologies and infrastructure at various political, societal and economic levels, cyberwarfare is a real threat. The cyberwarfare of the future can extend to advanced weaponry and scenarios that would not distinguish between civilians and the military, such as power grid outages and drone-led cyberattacks. Governments need to establish international treaties and work alongside technology companies to establish secure infrastructure and software, and protect civilians.