The world needs cyber war “Rules of Engagement” to cope with potentially devastating cyber weapons, Russian and US experts will tell world leaders at a security conference on Friday.
The cyber proposal, seen exclusively by Newsnight, comes from the influential EastWest Institute in New York.
It describes “rendering the Geneva and Hague conventions in cyberspace”.
Cyber security is on the agenda at the annual Munich Security Conference for the first time this year.
Those attending the conference include UK Prime Minister David Cameron, German Chancellor Angela Merkel, US Secretary of State Hillary Clinton and Russian Foreign Minister Sergei Lavrov.
The logic behind the move is that in the intermingled world of cyberspace, we may need to protect zones that run facilities such as hospitals or schools.
The draft document also calls for a fresh definition of “nation state”, with new “territories” and players in cyberspace beyond government – such as multinationals, NGOs and citizens.
The proposal also says that ambiguity about what constitutes cyber conflict is delaying international policy to deal with it, and that perhaps the idea of “peace” or “war” is too simple in the internet age when the world could find itself in a third, “other than war”, mode.
The US-Russian team point out that discriminating between military and civilian targets is more difficult in cyberspace, and may require protected, marked, domain names.
They say cyber weapons have attributes not previously seen with traditional weapons, nor considered during the development of the current Laws of War: “Cyber weapons can deliver, in the blink of an eye, wild viral behaviours that are easily reproduced and transferred, while lacking target discrimination.”
Well-placed British government sources say they do not see a need for new international “treaties” for cyberspace, but do concede that there are areas that need discussion, especially on attribution.
The nature of cyberspace, with its ease of anonymity and use of proxies, makes the attribution of any attack very difficult. This raises the question of proportionality:
“How strongly should a state respond to an attack when you do not know who did it, where they did it from or what the intention was? In conventional military terms these questions are easier to answer – not so in the cyber world,” these sources pointed out to Newsnight.
John Bumgarner, research director for security technology at the US Cyber Consequences Unit, spoke to Newsnight about the kind of threats which exist:
“There’s things out there that right now that exist that the general public really doesn’t know about – stealthy type technologies that can be embedded into systems that can run that you’ll never see. Those things already exist.”
He said that capabilities which currently exist include turning off power grids, disrupting water supplies and manufacturing systems.
Others, however, say that talk of all-out cyber “war” is hype, though useful to defence companies looking for new ways to make money.
Nevertheless, there are almost daily reports now of cyber incidents, most recently that Stock Exchanges in Britain and the US were seeking help from the security services after discovering they were victims of attempted cyber attacks.
“There’s quite a lot in it, but they’re also extensively hyped,” according to Professor Peter Sommer of the London School of Economics, who wrote a recent Organisation for Economic Co-operation and Development (OECD) report on cyber security.
“In terms of the involvement of the big military companies, you have to realise that they are finding it extremely difficult to sell big, heavy equipment of the sort they are used to because the type of wars that we’re involved in tend to be against insurgents.
“And so they are desperately looking for new product areas – and the obvious product area, they think, is cyber warfare – I’m not so sure about that.”
And yet, “utterly dependent” is how one well-placed government source describes our relationship with cyberspace.
The message is blunt. Ensuring security in cyberspace is vital to our national security, our well being and our prosperity: “Without it we can’t have the economy we aspire to.”
And if that is not enough, the UK government also believes it is vital to maintaining our values as a democracy.
Real-time attack data
The government is therefore embarking on an ambitious project to forge what it calls a new “dialogue” between the state and commercial companies, for mutual benefit.
After all, some 80% of our critical national infrastructure is owned and run by the private sector, and that is before you take account of the tangle of undersea fibre-optic cables that carry over 90% of our internet traffic, with all the physical vulnerabilities to terrorist attack that implies.
At the new Cyber Security Operations Centre at GCHQ, the UK’s electronic intelligence agency in Cheltenham, the eventual aim is for real-time, open exchange of data from companies about how and when they are suffering attacks on their IT systems from cyberspace.
This should give the government early warning of cyber attacks that could bring down critical national infrastructure. In return, the commercial sector can expect expertise on tap.
This builds on existing trusted relationships with energy and water companies, but will extend to other sectors, such as food distribution, finance and transport.
The idea was mooted by Iain Lobban, director of GCHQ, in a rare speech at the International Institute for Strategic Studies (IISS) last October.
A substantial chunk of the £650m allocated to cyber security in the subsequent Strategic Defence and Security Review is now heading in that direction.