At the RSA conference in February, Microsoft's Chief Legal Officer called for a "digital Geneva Convention" to help provide parameters on offensive cyber operations and address a rapidly growing area of concern for many organizations. This followed on the heels of the release of the second iteration of the Tallinn Manual, an attempt at shaping international laws on cyber warfare.
Concurrent to these conversations, there is an emerging discussion over the utility of "loud" cyber weapons. Theoretically, these cyber weapons could be linked and attributed to the originating actors, potentially valuable for some military applications where after-the-fact attribution may be desired. In other words, for some applications – particularly in the case of military operations – baked-in attribution would be desirable to alleviate confusion and to separate such nation-state activity from clandestine or covert intelligence operations.
This is important because the technical differences between intrusions for intelligence collection and intrusions in support of, or to carry out, cyber attacks may not be readily apparent. Distinguishing between the two could assist in de-escalating potential conflict situations.
While a set of international agreements may be needed to help constrain future cyber threat activity amongst nations, there are also technical solutions that, given the nature of cyberspace, may provide a trust-building mechanism to support this.
One technical solution could involve leveraging an emerging technology known as blockchain. Essentially an open and distributed database or ledger, blockchain technologies are increasingly finding applications in everything from new forms of currency, such as Bitcoin, to a decentralized internet system, or even tracking land titles in the Republic of Georgia. At its core, properly implemented blockchain solutions can offer the capability to openly verify secure transactions of any kind.
How could such a technology be applied to bolster trust in cyberspace? A public blockchain could be developed under the auspices of an existing intergovernmental organization like the United Nations, involving input from governments and the private sector, or in conjunction with some new entity – such as a cyber version of the International Atomic Energy Agency (IAEA) – stood up to support a "digital Geneva Convention."
Participant nations would then be required to digitally sign certain types of cyberattacks with a private key that only they would possess, which would attribute malicious activity to them after the fact. The signature could then be publicly viewed on the blockchain after an arbitrary time limit built into a proof-of-work process, whereby part of conducting the attack would involve automatically signing it. The delay would afford the attacking nation a measure of tactical success against its adversary, somewhat analogous to releasing a public statement claiming responsibility for an air strike after the operation without jeopardizing its success. For any such system to be at all attractive to participant nations, it would have to balance tactical stealth concerns against the broader strategic value of constraining certain types of state behavior.
The mechanism could either be a completely public blockchain, such as is the case with Bitcoin, where anyone can see activity on a public ledger, or a private blockchain that only participant nations have access to – similar to some of the blockchains being trialed by financial institutions for faster interbank settlements. Based on this decision, either anyone or those with appropriate access could then observe on the blockchain that the activity of Actor A targeting Entity B had taken place, and cryptographically verify through a public key that such activity was conducted by the appropriate nation, in this case Actor A.
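As an added illustration of the sign-then-verify mechanism just described (my code, not the article's): a participant signs an attribution record, posts only a hash commitment to the ledger at the time of the activity, and reveals the record after the agreed delay, at which point any observer can check it against the registry of participant public keys. The record layout, the commit-and-reveal delay standing in for the article's proof-of-work time limit, and the choice of Ed25519 keys are my assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// Record is a constructed attribution entry (the article fixes no layout): signing
// nation ("Actor A"), affected entity ("Entity B"), activity class, and time window.
type Record struct{ Actor, Target, Kind, Period string }

// Bytes is the canonical message that gets signed and hashed.
func (r Record) Bytes() []byte {
	return []byte(r.Actor + "|" + r.Target + "|" + r.Kind + "|" + r.Period)
}

// NewKey issues a participant's key pair; only that nation holds the private half.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Sign is the step folded into conducting the activity: the nation signs the record.
func Sign(priv ed25519.PrivateKey, r Record) []byte { return ed25519.Sign(priv, r.Bytes()) }

// Commit is posted to the ledger at once: a hash of the signed record that reveals nothing
// until the record is published after the agreed delay (stand-in for the proof-of-work time limit).
func Commit(r Record, sig []byte) string {
	h := sha256.Sum256(append(r.Bytes(), sig...))
	return hex.EncodeToString(h[:])
}

// Verify is what any observer runs after the reveal: the actor must be registered, the reveal
// must match the commitment, and the signature must check under that actor's own public key,
// so a record signed with any other key cannot be pinned on Actor A.
func Verify(registry map[string]ed25519.PublicKey, commitment string, r Record, sig []byte) bool {
	pub, ok := registry[r.Actor]
	if !ok || Commit(r, sig) != commitment {
		return false
	}
	return ed25519.Verify(pub, r.Bytes(), sig)
}

func main() {
	pubA, privA := NewKey()
	r := Record{"Actor A", "Entity B", "ddos", "2017-03-01T00:00Z/06:00Z"}
	sig := Sign(privA, r)
	fmt.Println("verifies:", Verify(map[string]ed25519.PublicKey{"Actor A": pubA}, Commit(r, sig), r, sig))
}
```

A record signed by another participant, an altered reveal, or an unregistered actor all fail the same check, which is the mimicry concern the article raises later.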
At least initially, this sort of implementation would work best with disruptive cyberattacks, like distributed denial of service (DDoS), rather than intrusion activity leading to espionage or destructive cyber attacks. In fact, some researchers have already devised a concept for "DDoSCoin," a proof-of-work blockchain that would pay users in cryptocurrency for conducting DDoS attacks. Perhaps this concept could also be applied to other ways states might employ loud cyber weapons, such as ransomware, which typically gives notice to users once they have been infected.
Even highly cyber-capable nations would see advantages to providing some boundaries on cyber threat activity, particularly as norms are still very nascent and more nation-state players are expected to emerge into this space. With an increasing number of nations publicly claiming offensive cyber programs, current cyber powers cannot expect to always be in a class of few peers. Requiring a blockchain for certain types of cyber threat activity could ultimately provide a method for tracking compliance with agreed-upon norms, as well as a technological platform to increase transparency amongst all participant nations.
This transparency could also have a constraining effect on cyber conflict. A nation-state seeking to engage in activity covered under the international agreement governing the blockchain would face a choice: cheat by engaging in activity outside the agreement and risk being caught, or carry out the agreed-upon activity and let the other nations know for certain who was behind it. This would likely increase the geopolitical risk of carrying out the agreed-upon activity, constraining how often and in what situations it is used.
Implementation of such a blockchain is certainly not without its challenges, both technical and organizational. How do you ensure that other actors can't successfully mimic another nation's signature? How do you address some of the more serious types of destructive cyber threat activity that rely on intrusion, such as the destructive Shamoon virus deployed against Saudi Aramco in 2012 or the Stuxnet worm found sabotaging Iran's nuclear facility in 2010? For this to work, it would require a system of verification that all participants can trust while also understanding its limits. It also rests on the assumption that nations could eventually and sufficiently attribute the threat activity this would address, so that bad actors will be identified anyway – a deterrent to cheating.
Certainly, some actors may seek to cheat – as happens occasionally with nuclear weapons programs – and admittedly this solution would not cover all types of cyber threat activity. Yet it could serve as a useful first step in establishing more robust international norms and provide a verification system to track a subset of threat activity. Even if initially only a small percentage of threat activity can be monitored on a public blockchain, this could prove useful in fostering and supporting an emerging consensus on state behavior in cyberspace. Transparency in behavior, through blockchain technology, allows for verification that agreed upon norms are being followed.
Like international arms control law, which theoretically constrains certain types of activity but still encounters signatories cheating at times, a digital Geneva Convention would likely see the same. For any such solution to be successful, there needs to be a trust-building mechanism that helps reduce the inherent opacity in cyberspace. As long as there is an honest and frank discussion of such a system's capabilities and limitations, implementation of a blockchain to track certain cyber threat activity could be a step in the right direction.