Wanted: global rules on cyberwarfare

A report on cyberattacks and computer hacking originating with China's military highlights the need for international norms in cyberwarfare. Other new types of weapons led to new rules of war. Why not in cyberspace, too?

The building housing "Unit 61398” of China's People’s Liberation Army is seen in the outskirts of Shanghai. Cyberattacks that stole information from 141 targets in the US and other countries have been traced to the Chinese military unit in the building, according to a report by the Virginia-based Mandiant Corp.

AP Photo

February 19, 2013

A stunning report by a US digital-security company accuses China’s military of conducting more than 100 cyberattacks on American corporate and government computers. If accurate, the report by the firm Mandiant only adds to the urgency to develop international norms in cyberwar and cyberespionage.

Each new tool of aggression requires its own rules of war. Cyberwarfare should be no different. Without a code of ethics for conflict in the digital universe, nations could eventually bring down each other’s water supplies, electric grids, military defenses, and vital institutions. And key values, such as privacy and a right to intellectual property, could also be lost.

Global rules now restrict the use of nuclear, chemical, and biological weapons. They also help safeguard civilians and prisoners of war. What the Mandiant report shows is that the world may be losing the struggle to come up with rules for cyberspace behavior.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

The scale of the Chinese cyberthreat is now so massive that it might lead to a rush to imitate rather than a campaign to prevent a cyber blow-for-blow. One of the unusual aspects of cyberweapons is that once they are used, they can be easily replicated for a return attack.

Coming up with such rules will not be easy. For starters, simply defining what is a cyberweapon or a cyberattack could be a problem. Even if that issue is settled, how can an attack’s originator be correctly identified? And given the speed of digital technology, the distinction between defensive and offensive capabilities can be easily blurred.

“You have to have an offensive mind-set to better focus on defense,” said retired Marine Corps Gen. James Cartwright recently in a discussion on cyberwarfare at the US Naval Institute.

Current rules of war under the Geneva Conventions and the International Committee of the Red Cross may cover some aspects of cyberwar, but not all. The United Nations and other global bodies need to make such rules clear.

Even within the United States, Congress and President Obama cannot agree on rules for national defense against cyberattacks. An attempt to pass a law last year that would have required companies to cooperate with the government in cybersecurity ran into concerns over civil liberties.

Why Florida and almost half of US states are enshrining a right to hunt and fish

As a result, Mr. Obama issued an executive order last week offering incentives for companies to improve data sharing with the government. The aim is to protect vital infrastructure now run by private firms.

Like the current US policy on clandestine drone strikes against terrorists, Obama is moving toward a legal presumption of executive authority in being able to launch cyberattacks without approval by Congress or legal oversight by a court. If he does assume such powers, it raises a difficult constitutional issue that needs public debate.

Nations have a strong record of creating norms that restrain types of warfare. Before more reports of cyberattacks emerge, the world must see a common interest in rules to prevent cyberwar.