By Michael Baldassaro, data scientist for the Carter Center’s peace programs.
Russia has long treated Ukraine as a proving ground for testing its novel and destructive cyberweapons.
In 2015, Russia launched a cyberattack on the power grid in Ukraine, plunging 230,000 civilians into darkness and cutting off power to homes, hospitals, and schools in the dead of winter. Repairs took months to complete. Two years later, Russia launched another attack that crippled government, financial, and energy institutions, shut down nuclear safety monitoring systems, and permanently erased public and private data. The attack spilled over Ukraine’s borders, disrupting private-sector entities such as Maersk, FedEx, and Merck and costing an estimated $10 billion.
Russia’s recent invasion of Ukraine raised concerns that it might also unleash a wave of devastating cyberattacks not just on Ukraine but also on its democratic allies — which NATO made clear could invoke Article 5 and trigger a collective response by member countries.
So far, Russia has yet to discharge anything from its cyber arsenal that could compromise critical public infrastructure or private sector services. Regardless, the looming specter of an attack means the world must remain vigilant.
As our public and private lives are increasingly intermediated by technology, just one person clicking a suspicious link in an email could spark a deadly cyberattack. While it is impossible to guard against every possible attack, there are concrete steps that individuals and companies can and should take:
—Individuals must practice good “digital hygiene”: Using complex passwords, keeping software updated, enabling multifactor authentication, avoiding suspicious links, communicating through encrypted channels, backing up data, etc. may seem simplistic, but they are critically important. Massive cyberattacks are often attributable to poor digital hygiene.
—Companies must implement cybersecurity defenses and protocols: Like individuals, private and public-sector institutions must ensure that their software is updated and their data backed up. Companies must also implement secure Wi-Fi, firewalls, restrictions on software installation, and strong data protection and security protocols to prevent sensitive information from being accessed and weaponized.
On a government and intergovernmental level, there is a need for norms regarding cyberweapons use. Unlike conventional warfare, there is no “Digital Geneva Convention” that establishes behavioral norms and constraints in cyberspace. There are no agreed-upon rules that preclude nation-state actors from launching or sponsoring cyberattacks that put noncombatants in the crosshairs — in times of war or peace. Without such rules, no cyberweapon is too powerful and everyone is a legitimate target.
In 2017, Microsoft President Brad Smith sketched the outline of a possible “Digital Geneva Convention” in a keynote address at a cybersecurity convention and in a subsequent policy paper. The components of such a convention build on U.N. and intergovernmental discussions and would commit states to, among other things:
—Refrain from attacking systems whose destruction would adversely impact the safety and security of private citizens (i.e., critical infrastructures, such as hospitals, electric companies).
—Refrain from attacking systems whose destruction could damage the global economy (e.g., integrity of financial transactions), or otherwise cause major global disruption (e.g., cloud-based services).
—Exercise restraint in developing cyberweapons and ensure that any that are developed are limited, precise, and not reusable. States should also ensure that they maintain control of their weapons in a secure environment.
—Agree to limit proliferation of cyber weapons. Governments should not distribute, or permit others to distribute, cyber weapons and should use intelligence, law enforcement, and financial sanctions tools against those who do.
—Assist private-sector efforts to detect, contain, respond, and recover in the face of cyberattacks.
Given the current situation, it would be a good time to revisit the idea of a Digital Geneva Convention.
To inform discussions about appropriate norms and constraints, there is a need for data and analysis that substantiates how cyberweapons have been used, who has used them, and the real-world impact. As the development and use of cyberweapons evolves, patterns as well as new types of attacks will manifest themselves in data. Such data would provide policymakers with a perspective on the capabilities, vectors, methods, and consequences that must be considered when defining and refining the rules of cyberwar.
Cyberwarfare may take place in the virtual world, but its impact has the potential to be every bit as destructive. It is past time that governments work together to establish clear “rules of cyberwar” that mitigate potential harm to citizens.
Related Resources
Story | Center Fights Digital Threats to Democracy, Human Rights »
Please sign up below for important news about the work of The Carter Center and special event invitations.