The rules of war on the internet

In late 2019, Canada’s largest medical laboratory company, ‘LifeLabs,’ revealed it had been the victim of a cyber intrusion that had compromised the personal records of 15 million Canadians. While this penetration was attributed to cyber criminals, foreign states have also repeatedly targeted Canada. In its second National Cyber Security Threat Assessment, released in May 2020, the government identified China, Russia, Iran and North Korea as posing “the greatest strategic threat to Canada.”

Cyber attacks are typically wrapped in secrecy. States rarely admit carrying them out. But we know cyberspace is increasingly militarized. Daniel Coates, the U.S. director of national intelligence, estimates over 30 nations possess offensive cyber capabilities. Not subject to any controls beyond national ones (and we don’t even know what these might consist of), the scope and sophistication of these states’ projection of cyber power beyond their borders have only grown in recent years.

The massive, mid-December “supply chain” cyber espionage attack that successfully penetrated a wide array of U.S. governmental and corporate entities has been attributed by the U.S. intelligence community to the SVR, Russia’s foreign intelligence agency and successor to the KGB. The intruders were on the penetrated computer systems for several months, and the amount of information taken may never be known. Even more damaging is the risk that the intruders have created “back doors” that would enable a persistent presence on the infected systems. In the months to come, cyber security teams will face a massive task in trying to rid their systems of these intruders. According to a Microsoft statement, Canada was not spared, although at present there is no account of the extent to which the country was impacted.

The detrimental implications of these state-run offensive cyber operations are exacerbated by the lack of control and discrimination regarding how they are carried out. The “Stuxnet” attack by Israel and the U.S. damaged Iranian nuclear facilities but also spread to other industrial control systems. The infamous 2017 “Not Petya” (Russia) and “Wanna Cry” (North Korea) cyber operations wreaked havoc on civilian installations from shipping companies to hospitals. States seem unable or unwilling to ensure their cyber operations conform to basic laws of armed conflict, which require distinction between combatants and non-combatants and proportionality in the use of force. Most owners and users of cyberspace are civilians. Is there any way to protect their interests from predatory state practices?

The “rules-based international system,” which the Canadian government never tires of affirming, is premised on respecting the UN Charter and its prohibition on the use of force and its requirement to settle disputes peacefully. The United Nations has been grappling with the security implications of the internet for decades. A 2015 report by a UN group of government experts outlined voluntary norms of conduct that included principles of restraint, such as not targeting civilian infrastructure. A subsequent General Assembly resolution, unanimously adopted, stipulated that states should be guided by these norms.

This agreement represented something of a high-water mark for international cooperation on cyber threats. Things have gone downhill since, largely because of enmity between the leading cyber powers of America, Russia and China. Despite this hostility, the UN has established a new, more inclusive “Open-ended Working Group,” which will consider a report at its final session this March.

The most promising proposal submitted to the group, endorsed by 47 states (including Canada), foresees the creation of a permanent UN forum to consider cyber security issues, with dedicated secretariat support and a provision for periodic review conferences. This would provide for the first time a dedicated forum at the UN where the cyber conduct of states can be regularly scrutinized and where cooperative measures might be negotiated — a vast improvement over the ad hoc and fragmented discussion that have been the norm until now.

Canada has played a constructive role in the group by suggesting ways for states to act on the agreed norms, rather than simply taking about lofty principles. It will need to build a coalition with like-minded “middle powers” to advance this agenda. In the absence of such restraints, civilians will continue to suffer as collateral damage in the world’s intensifying cyber wars.