  • Nicholas Little
  • Business Impact

    We need a cyber arms control treaty to keep hospitals and power grids safe from hackers

    A fresh diplomatic push could help put vital public services off limits to nation-state cyberattacks.

    At the United Nations General Assembly meeting in New York last week, there was plenty of discussion of nuclear arms control. But there wasn’t enough talk of another kind of worrying threat: cyber weapons.

    In 2013 a group of government experts at the UN decided that international law applied to cyberspace, too, and in 2015 the same group agreed to several voluntary norms to govern states’ behavior online in peacetime. These included stipulations that countries shouldn’t target each other’s critical infrastructure, and that they should be held responsible for any cyberattacks originating from their territory.

    The UN initiative, however, hasn’t carried much weight. Revelations of Russian hacking of US power companies and the US electoral system, as well as Chinese efforts aimed at stealing intellectual property, are just some of the signs these norms haven’t had the desired effect.

    Concerted action

    Now the US and some other countries, like the UK, are preparing a more aggressive response to digital provocations.

    The US recently unveiled a new national cyber strategy that makes it easier for its military to conduct offensive operations without lengthy approval processes, and the UK is planning to set up a 2,000-person team of tech experts to boost its ability to launch cyberattacks.

    The new US strategy also envisages an international “cyber deterrence initiative” under which America and like-minded countries will coordinate their responses to particularly malicious cyberattacks. Those responses can range from economic sanctions to retaliation in cyberspace.

    Supporters of this approach think it’s more likely to bring recalcitrant countries to the negotiating table. “When there’s a shared sense of vulnerability, that’s what drives arms control,” says James Lewis of the Center for Strategic and International Studies, a think tank.

    But there’s also a risk it could trigger an escalation of cyber hostilities, at least in the short term. And that could lead to more aggressive attacks on key public services like electrical grids. So it’s essential that the US and other countries push harder than ever now for an international cyber arms control deal that reduces the risk of conflict.

    Digital diplomacy

    Brad Smith, Microsoft’s president and chief legal officer, has been lobbying for a “Digital Geneva Convention.” This would bring together tech companies and governments to create a wide-ranging deal that protects civilians using the internet in peacetime in the same way that successive Geneva Conventions have protected civilians during wars.

    Smith’s advocacy has already helped create a coalition of like-minded tech companies that have pledged to do what they can to protect their customers from cyberattacks by criminals and nation-states. Microsoft has also just launched a new PR campaign to get people to urge political leaders to do more to secure cyberspace.

    Still, getting a broad agreement on cyber norms will be a massive challenge. In the short term, it makes sense to aim for a relatively narrow formal deal that gets countries to recommit to stop targeting vital public services.

    Attacks on things like power plants, hospitals, and transport systems could have devastating consequences, including loss of human life, and the dangers are growing as more devices are being hooked up to the internet (see “For safety’s sake, we must slow innovation in internet-connected things”).

    Striking even a narrow diplomatic agreement will not be easy. And there will also be challenges with enforcing it, because attackers often try to cover their tracks. Nevertheless, the stakes are so frighteningly high that the effort is worth making.

    At a recent press briefing on the US’s new cyber strategy, Jason Healey, a cybersecurity expert, warned of the dangers if a cyber firefight does engulf key infrastructure. “We are all standing knee deep in tinder,” he said, “and soaked in gasoline.”  
