Cyberattacks that rip across the internet at light speed, election meddling and disinformation that tears at the fabric of democracy, the brazen theft of personal data and trade secrets – it’s the Wild West out there in cyberspace. This week, French President Emmanuel Macron called for an international agreement to bring some order to the electronic frontier.
The initiative condemns malicious cyber activities in peacetime and calls for governments to protect the basic functioning of the internet and work with the private sector to improve cybersecurity. But while more than 50 countries and dozens of private sector players signed up, some of the world’s biggest hacking powers – Russia, China, the US, and Israel – are so far absent from the list of signatories.
Here are three of the biggest reasons why establishing rules of the road in cyberspace is so difficult:
Blurred lines: They’re everywhere in cyberspace. Figuring out who launched an attack is hard when hackers from one country can launch viruses from servers in another. The boundaries between state-sponsored cyber operatives and criminal hackers are often fuzzy, giving governments plausible deniability when using these tools. Even more basic than that, there are many ways that governments can seek advantages in cyberspace short of what’s traditionally considered an act of war. Blowing up a power plant would clearly cross a line, but other disruptive activities like election meddling fall into a grey area. Blurred lines like this create space for governments to engage in mischief and make it hard to establish clear boundaries of acceptable behavior.
Cyber superpowers aren’t ready to relinquish their advantages: Some governments don’t want to be constrained by international agreements in cyberspace. Countries with more advanced cyber capabilities may calculate that the benefits they get from going on cyber offense (or even just the ability to threaten cyberattacks) outweigh the benefits they would receive from signing up to a pact that ties their hands. A seven-year UN effort to establish clear cyber norms ended in deadlock in 2017 after a handful of countries, including China and Russia, balked at a US-led attempt to get countries to agree on how international law should apply to the online realm. The US, which has recently staked out a new, more aggressive cyber strategy under President Trump and his national security adviser, John Bolton, is also reluctant to accept curbs on its ability to use hacking as a tool in the national arsenal.
Cyber conflict isn’t (yet) terribly lethal. Around 20 million people died in the First World War before the armistice signed 100 years ago this week. Four times as many died during World War II. In the aftermath of that carnage, the world came together to establish the modern Geneva Conventions to protect civilians during armed conflict and prosecute war crimes. In the 30 years that malware has been around, it has yet to produce a single, verifiable fatality. That day may be coming – there’s little doubt that a cyberattack that knocked out a hospital, power plant, or a city’s water system could cause a potentially significant loss of life. But as long as the main costs of cyber conflict are counted in dollars, and not in blood, it’s going to be hard to generate a consensus on the need for change.