How will innocents be protected in an online conflict?

( On a physical battlefield, the rules of war – governed by the Geneva Conventions – prohibit certain actions, such as intentional targeting of civilians, hospitals, children and so on. But do those rules apply in a cyber conflict? And if so, how is it possible to protect the innocent in an online conflict that may involve targeting a power grid or a nation’s banking system?

Reports have noted that the U.S. and China are currently holding negotiations for what would become the first “cyber treaty” – that is, a framework for cyber conduct that includes a “no first use” of cyber weapons and no targeting of a nation’s critical infrastructure. Experts believe that other nations would likely sign onto such an effort as well; such an agreement might even be eventually codified in a United Nations agreement.

But such pacts would only apply to state actors; they wouldn’t cover non-state actors like “hactivist” groups and others who operate outside of established governments.

Still, such agreements would go a long way toward protecting some of the very same things that current physical war agreements like the Geneva Conventions protect. As noted by ZDNet, however, the problem is real – and complex:

Legal experts generally agree that the protection hospitals or medical convoys are accorded during standard warfare should also be respected on the digital battlefield, but there is no clear way of identifying which IT systems should be safeguarded.

Thankfully, there has been some progress made on this front. A paper published in early September in the RUSI Journal outlines a framework for how the non-targeting of innocents in any future cyber war might be handled.

Determining how to delineate information technology [IT] and communication systems of hospitals and other protected entities is much harder online than offline. Because of cloud computing, for instance, several different organizations may share the same IT infrastructure, so determining precisely which bits and bytes are being used by a medical clinic as opposed to the military is very difficult.

“There is a clear case for removing any large data sets from systems that may be regarded as military objectives, and – by storing data on different hardware and in different locations – for separating the systems used to support civilian activity and those underpinning military action,” the paper, titled (appropriately) “The Geneva Conventions and Cyber Warfare,” says.

There are other efforts underway to define the parameters of conduct during a cyber conflict. The Tallinn Manual on the International Law Applicable to Cyber Warfare, or simply the Tallinn Manual – named after the capital of Estonia, where it was devised – attempts to fill in gaps in international law as it applies, or could apply, to cyber attacks.

For more breaking news on cyber warfare, visit, powered by

Don’t forget to “like” on Facebook! Click here

While there is no international law that directly refers to the ultra-modern concept of cyber warfare, there is plenty that applies,” notes Tech Republic. “So CDCOE [Cooperative Cyber Defence Centre of Excellence] assembled a panel of international legal experts to go through this existing law and show how it applies to cyber warfare. This formed the basis of the Tallinn Manual and the 95 so-called ‘black letter rules’ it contains (so named because that’s how they appear in the text).”

Estonia was one of the first targets of Russian-originated cyber attacks; since then, the Baltic country of 1.3 million has become a hub of cyber security development for NATO and other institutions and nations.

The Geneva Conventions paper, meanwhile, suggests three main technical options for the inclusion of digital “markings” to demarcate non-military assets. Those markings could help protect non-combatant computer systems before a cyber attack, they could permit an attacker’s reconnaissance tools to automatically ID protected systems, or, in the case of autonomous cyber weapons, they could be configured in a way to avoid attacking protected systems.

Even with such protections in place, though, they aren’t likely to protect systems from attacks by hackers who simply ignore the cyber Geneva Conventions. Indeed, such identifying techniques could even mark them as soft targets to an attacker bent on doing as much damage as possible.

“Currently, the reality is that the majority of transnational cyber-attacks are carried out by non-state actors and are outside what is considered to be traditional interstate armed conflict,” the paper notes.

See also:




comments powered by Disqus