We need a cyber arms control treaty to keep hospitals and power grids safe from hackers

A fresh diplomatic push could help put vital public services off limits to nation-state cyberattacks.
October 1, 2018
Nicholas Little

At the United Nations General Assembly meeting in New York last week, there was plenty of discussion of nuclear arms control. But there wasn’t enough talk of another kind of worrying threat: cyber weapons.

In 2013 a group of government experts at the UN decided that international law applied to cyberspace, too, and in 2015 the same group agreed to several voluntary norms to govern states’ behavior online in peacetime. These included stipulations that countries shouldn’t target each other’s critical infrastructure, and that they should be held responsible for any cyberattacks originating from their territory.

The UN initiative, however, hasn’t carried much weight. Revelations of Russian hacking of US power companies and the US electoral system, as well as Chinese efforts aimed at stealing intellectual property, are just some of the signs these norms haven’t had the desired effect.

Concerted action

Now the US and some other countries, like the UK, are preparing a more aggressive response to digital provocations.

The US recently unveiled a new national cyber strategy that makes it easier for its military to conduct offensive operations without lengthy approval processes, and the UK is planning to set up a 2,000-person team of tech experts to boost its ability to launch cyberattacks.

The new US strategy also envisages an international “cyber deterrence initiative” under which America and like-minded countries will coordinate their responses to particularly malicious cyberattacks. Those responses can range from economic sanctions to retaliation in cyberspace.

Supporters of this approach think it’s more likely to bring recalcitrant countries to the negotiating table. “When there’s a shared sense of vulnerability, that’s what drives arms control,” says James Lewis of the Center for Strategic and International Studies, a think tank.

But there’s also a risk it could trigger an escalation of cyber hostilities, at least in the short term. And that could lead to more aggressive attacks on key public services like electrical grids. So it’s essential that the US and other countries push harder than ever now for an international cyber arms control deal that reduces the risk of conflict.

Digital diplomacy

Brad Smith, Microsoft’s president and chief legal officer, has been lobbying for a “Digital Geneva Convention.” This would bring together tech companies and governments to create a wide-ranging deal that protects civilians using the internet in peacetime in the same way that successive Geneva Conventions have protected civilians during wars.

Smith’s advocacy has already helped create a coalition of like-minded tech companies that have pledged to do what they can to protect their customers from cyberattacks by criminals and nation-states. Microsoft has also just launched a new PR campaign to get people to urge political leaders to do more to secure cyberspace.

Still, getting a broad agreement on cyber norms will be a massive challenge. In the short term, it makes sense to aim for a relatively narrow formal deal that gets countries to recommit to stop targeting vital public services.

Attacks on things like power plants, hospitals, and transport systems could have devastating consequences, including loss of human life, and the dangers are growing as more devices are being hooked up to the internet (see “For safety’s sake, we must slow innovation in internet-connected things”).

Striking even a narrow diplomatic agreement will not be easy. And there will also be challenges with enforcing it, because attackers often try to cover their tracks. Nevertheless, the stakes are so frighteningly high that the effort is worth making.

At a recent press briefing on the US’s new cyber strategy, Jason Healey, a cybersecurity expert, warned of the dangers if a cyber firefight does engulf key infrastructure. “We are all standing knee deep in tinder,” he said, “and soaked in gasoline.”  
