In a speech at a conference in San Francisco last month, President of Microsoft Brad Smith called for the implementation of a ‘Digital Geneva Convention’ to protect the public from nation-state hacking during times of peace.
On the face of it, an international law to regulate an area which has the capacity to cause disruption and a significant death toll to the populations of entire cities is a good idea. Particularly, because of the increasingly computerised infrastructure of modern life, society is more vulnerable to a cyber-attack than ever before.
Recently, allegations that Russia interfered in the US Presidential elections have been prominent. The country is also believed to have targeted the Estonian Government in a series of attacks in 2007 after tensions arose between native Estonians and ethnic Russians living in Tallinn.
Additionally, the MoD has confirmed multiple attempts by the Chinese to access sensitive UK military plans, while several US Congress reports note Beijing is also responsible for similar attacks across the Atlantic.
Furthermore, there have been several instances where strains of malware created by nation states – such as Stuxnet (believed to be a joint US-Israeli creation) and PlugX (thought to be of Chinese origin) – have found their way onto the private market.
Smith wants countries to pledge to steer clear of targeting the private sector and for them to promise not to attack any form of civilian infrastructure.
This argument is sound in principle and would certainly be a step forward for global security. Quite apart from the outcry the recent Russia claims have caused, think of the impact if hackers managed to infiltrate systems managing a city's water or electricity supply, or if the Thames Barrier was forced to open during a period of high tide and heavy rain.
The current convention, drawn up after the Second World War, has four strands which outline a set of rules states should abide by during armed conflict.
I think the creation of a fifth strand, when framed as an extension to the existing treaty rather than a new entity, would be a relatively easy sell (by the standards of international agreements) to the international community, the majority of which fear such attacks and spend vast amounts of money guarding against them. The guidelines of the Tallinn Manual 2 would provide a good basis to start from.
Even those states with advanced capabilities in this area and a reputation for using them would not want to be seen as pro-hacking and would therefore be unlikely to oppose it.
However, realistically, because of the anonymised nature of these attacks, such an agreement would be unlikely to be worth the paper it was written on.
As with cyber-attacks perpetrated by organised criminals, state-sponsored variants use hijacked computers, sophisticated anonymising software and malware that often deletes all trace of itself after deployment.
It is almost impossible to confirm the origin of this sort of attack and until that changes, no matter what the international community comes up with, there is no incentive for these attacks to stop, because there is almost no prospect of getting caught.