Cybercrime and hacking by hostile states demands a 'Digital Geneva Convention' – Stewart McDonald MP and Alyn Smith MP
At that time, the internet was little more than a collection of blogs and chatrooms and the word ‘ransomware’ was unheard of by all but a small handful of people.
In the few short years since then, human society has undergone one of the most profound and rapid transformations in its history.
Our social existence – from working, shopping and socialising to dating and learning – has increasingly moved online, with each activity leaving a Hansel and Gretel-style trail of data in its wake.
News headlines today feature stories about ‘hack and leak’ operations or ransomware attacks, where hackers paralyse a computer system and hold its information at ransom.
Despite the ubiquity of this digital technology – the sheer volume of the data that we unthinkingly, and often unknowingly, share online and the speed at which it has become ingrained in every aspect of our daily lives, from arranging for food deliveries to organising patient records – international rules and norms governing cyberspace remain too patchy, to the point of rendering them effectively non-existent.
While the anarchy of the early internet was a large part of its appeal, today it represents a significant threat to our security and the global economy.
Indeed, just as we have moved our activities online, so too have hostile states and other malicious actors. Journalists and human rights activists can now be tracked without the need for someone sitting outside their home for hours on end and critical national infrastructure can be brought to its knees without the need for bombs or missiles.
This month alone has seen the news dominated by cybercrime – attacks on Microsoft orchestrated by the Chinese state; the hacking and surveillance of the mobile phones of journalists, human rights activists and world leaders; and a series of ransomware attacks targeting businesses and institutions around the world, from Swedish supermarkets to New Zealand high schools.
Scotland is not immune from these attacks. Just last year, on Christmas Eve, the Scottish Environmental Protection Agency (Sepa) was targeted in a ransomware operation by a group operating from St Petersburg which is believed to be linked to the Russian state.
Despite refusing to pay the ransom, Sepa spent at least £790,000 in its initial response to the attack and, because the agency refused to pay the ransom, it saw 4,000 of its digital files leaked online in reprisal.
As suspected in the attack on Sepa, hackers may be discreetly encouraged – with or without financial support – or they may simply enjoy a state of benign neglect, where their country’s government pretends not to be aware of the hackers’ activities. Cyberspace has become a key battleground of modern conflict and one where states can much more easily deny their involvement.
While cybercrime is estimated to cost the UK £27 billion per year, the NSO scandal around the targeting of human rights defenders and activists by governments around the world using the Israeli surveillance firm’s spyware shows that the risks to our human rights are just as stark, with private citizens and businesses just as vulnerable to attack as public figures and public institutions.
As we move more of our lives online, and as technology grows increasingly more sophisticated, these attacks are only going to increase. However, despite states conceding that international law also applies to cyberspace, there are no agreed international norms governing behaviour in cyberspace; many targets of cyber attacks are also on private property which has meant that responsibility for digital protection has fallen to private companies.
When these hackers are backed by the resources of a state like China, it beggars belief that we continue to outsource our national security to private companies. We would not expect fishermen to defend our seas against aircraft carriers. Why then do we rely on private companies like Microsoft to defend citizens and their data in cyberspace?
In 2017, Microsoft released a statement highlighting this problem, calling for a Digital Geneva Convention which would commit governments to protecting civilians from state-backed attacks in times of peace.
Governments of the world, they argued, needed to do more to come together and affirm international cybersecurity norms that have emerged in recent years while adopting and implementing new and binding rules. The series of attacks which dominated the headlines this month show that this proposal can no longer be ignored.
A Digital Geneva Convention would update the Geneva Convention to protect civilians from cyber attacks in peacetime. States would be obliged to proactively defend cyberspace from malicious actors as well as assisting individuals and businesses to recover from attacks.
Such an international agreement, and the subsequent creation of an international organisation dedicated to tackling cyber threats, would provide a forum for states to hold each other – and other actors – to account for their actions in cyberspace.
A Digital Geneva Convention, backed by tech giants like Facebook and Microsoft, is needed now more than ever.
The information revolution has brought the world closer together and transformed our societies but if we wish to continue enjoying its benefits, then action must be taken. If the price of safety is eternal vigilance, governments can no longer continue to close their eyes to the anarchy of the digital world before them.
Stewart McDonald is the SNP MP for Glasgow South and is his party’s spokesperson for defence. Alyn Smith is SNP MP for Stirling and is the spokesperson for foreign affairs
A message from the Editor:
Thank you for reading this article. We're more reliant on your support than ever as the shift in consumer habits brought about by coronavirus impacts our advertisers.
If you haven't already, please consider supporting our trusted, fact-checked journalism by taking out a digital subscription.
Want to join the conversation? Please or to comment on this article.