Rules of engagement for cyberwar: Reasonable or unrealistic?

A reader disagreed with my view that Iran deserves to get hit with malware because of its nuclear program. But he makes some interesting points about the rules of engagement that are worth sharing.

The reaction is to a post I wrote Friday in which I said Iran was asking for cyber attacks and that it beats people getting shot to hell on a physical battlefield. I also acknowledged that there's a dark side to malware attacks as a deterrent. To that, I got the following response from Jurgen van der Vlugt:

"You all can think about it (and I am in the 'you all' on this one!) but you can't just act like that. This type of action by one government against another constitutes an act of war. Which means that we will have to move quickly and discuss what and how international treaties and organizations will have to do or look like to govern this kind of cyber warfare. It seems ill-covered by Geneva conventions, etc. Lot of legal stuff to be sorted out, I'd say. Think of the Golden Rule: How would the US react if China were to unleash a cyberattack just like that, or just because they consider the US nuclear arsenal a threat?

"You stated that 'if we can weaken the enemy (for future generations) in the meantime, making their job easier later on, I'm all for it.' That's a non-sequitur and a legitimization of all sorts of terrorist attacks anywhere and as such, unadvisable."

Another reader, John Walsh, expanded on that last point, writing:

"The problem with attacking a country using techniques for which they do not have the capability to respond in kind is that they may respond with techniques they are really good at -- physical terror attacks. Iran has used surrogates in the past -- Hezbollah, et al -- and could use them or others to strike at US interests. While they do have very smart techies, to send a message, especially in light of Operation Olympic Games, I would not be surprised to see both cyber and physical attacks in the future. We will need to be on guard for quite some time. After all, revenge is best served cold."

Walsh's examples were among the threats I was thinking of when I wrote of potential consequences in that post.

All this feedback brings me to a question I'd like to throw out to all of you: Is it time to start thinking about creating modern rules of engagement for cyber warfare?

My opinion: It wouldn't do any good. When you look at how good attackers are at covering their tracks, I don't see how any global law could be enforced. You might be able to apply the punishment to a few who get sloppy and therefore caught. But government-supported attacks against another country are a beast that's hard to compare with the more garden-variety attacks people are busted for all the time. Even in the garden-variety cases, most attackers escape with their true identities and whereabouts hidden from the sights of investigators.

But since this is a new landscape we're dealing with and I admittedly don't have a lot of the answers, my mind could change along the way.
