The world is at war. Some might quibble with the characterization of malicious hacking as warfare, preferring phrases such as “cyberespionage” or “cyberconflict.” But when governments, industry and individuals are under constant attack by antagonists from all corners of the globe—marauders who use the Internet to steal vital information, sabotage critical operations and recruit terrorists—this means war. It is high time for an internationally coordinated response.
The first skirmish arguably took place in 2007, when online attacks against the Baltic state of Estonia took down critical government, banking and media Web sites. Suspicion soon fell on state-sponsored Russian hackers retaliating against Estonia's removal of a Soviet-era war memorial from the center of the country's capital, Tallinn. The use of proxy servers and spoofed Internet addresses to route the attacks, however, made it very difficult to trace their source, and the Russian government has denied any involvement.
Subsequent international incidents have followed a similar attack-and-deny pattern. The Kremlin has never admitted to launching or sanctioning cyberattacks against Georgian media, communications and transportation companies in advance of Russia's 2008 ground war against that country. Nor has the U.S. officially taken responsibility for the Stuxnet or Duqu malware attacks on Iran from 2007 to 2011, which damaged centrifuges crucial to the country's nuclear program—despite reports that U.S. and Israeli programmers developed those cyberweapons.
Cyberattacks have only escalated since then. The obscure, hard-to-trace origins of these assaults not only protect the guilty party (or parties) from law-enforcement agencies or retaliation, they also create paranoia that puts a strain on international diplomatic relations.
It is difficult to penalize or hit back at an enemy when you aren't sure who it is. In 2015 China emerged as the most likely culprit after the U.S. Office of Personnel Management discovered the theft of more than 21.5 million data records from its computer systems. China's denials, however, set up a familiar stalemate—until the Obama administration last year threatened to levy economic sanctions against Chinese firms that benefited from the hacking of any U.S. entities.
This change of tactics—targeting the results of a cyberattack rather than the source—helped to bring U.S. and Chinese presidents Barack Obama and Xi Jinping to the bargaining table in late September. The two leaders promised, among other things, that neither the U.S. nor the Chinese government would target each other for economic espionage via the Internet and that their countries would cooperate during cybercrime investigations. U.S. and Chinese officials continue to work out the details. A key aspect, of course, is figuring out how this pact will be enforced.
Other countries and international entities are pushing similar agendas aimed at creating a cybertruce. The U.S., China, Russia and several other world powers pledged not to engage in cyberespionage for economic benefit following the Group of 20 conference last November. Members of the U.S. House Intelligence Committee have called on the country's intelligence community to help create international rules of online engagement, which they refer to as an “E-Neva Convention.” The United Nations and NATO have likewise weighed in with rules that would prohibit states from intentionally damaging one another's critical infrastructure and from interfering with national emergency response teams defending against cyberattacks.
It will take more than pledges and frameworks, however. These proposals must be legally binding treaties that include fines, penalties and other enforceable mechanisms. They need to actively discourage online aggression and hold nations responsible for misuse of the Internet infrastructure they provide or support. This last part is particularly important because so many cyberattacks against government computers come from shadowy groups acting independently of any nation or state.
A certain degree of cyberconflict is inevitable, but the establishment of international rules of online conduct and penalties for noncompliance is vital to suppress the worst of it.