GCSC critical infrastructure protection questions: your input needed.

One of PCH’s long-term efforts has been to encourage governments to restrict their use of offensive cyber attacks against civilian networks. As you might imagine, this is a reasonably popular idea everywhere except the US, Russia, and China. We’ve successfully gotten that effort out of the U.N., where it was floundering, and into a well-supported stand-alone commission. It’s being taken very seriously by governments, and will be one of the most important topics under discussion at the Global Conference on Cyberspace in Delhi next week.

The work has been divided into two working-groups: one is addressing the question of what a norm should say (i.e. “Governments shouldn’t cyber-attack X”). The other is addressing the question of what infrastructures should be protected (i.e. what is the X that shouldn’t be attacked). I’m chairing that second working group. The main thing we’re delivering in Delhi is the result of a survey of what infrastructure people think should be protected. That survey is still open, and we’d like as many people to respond as possible. So, please consider doing so. It’ll only take a couple of minutes, and it’s a critical part of an admittedly very lengthy process to make your life easier.


Much appreciated,


Links in case you want to pursue further reading on the things I’ve mentioned above:






Hi Bill,

Aren't there already laws of war that forbid targeting civilians and
civilian infrastructure as well as laying out the combatants' duties to
mitigate collateral damage from strikes on government personnel and
facilities? Is there some reason these laws should not continue to apply
when the attacks are carried out with bits instead of bombs?

Bill Herrin

That's a good question.

Part of the problem is that the line between defense and offense, between intelligence gathering and attacking is more muddy than with "real weapons". Movies aside, you don't do intelligence gathering with guns in peacetime. Bringing guns makes it paramilitary operations and is or borders on an act of war, shots fired or not.

If we just define cyber operations as weapons then most of what gets done is on that border. Independent ops (criminal, commercial) from state A into state B can lead to claims of A harboring terrorists. If that keeps up, B may legitimately take offensive real world responses. Like droning a hacker house or hostile cyber intelligence company.

Actions like Microsoft disabling botnets remotely approach incidental acts of war worldwide.

Accidentally doing damage in the course of non offensive intelligence gathering becomes MUCH worse.

Government workers/ military who've been engaged in those activities may be seized as terrorists if they travel abroad.

Gets ugly fast. Not simple.


Because… cyber!

I mean, it would be really _nice_ if they thought the way you do, but they don’t. They figure the old rules don’t also apply in a new venue.

Also, the rules by which _war_ is conducted don’t apply when it’s not a _war_. And it’s essentially never a _war_ anymore.

Militaries are very clear that they won’t listen to anyone else about how they should conduct themselves when they’re at war. This is an effort to create a norm governing their behavior when they’re not at war, and have less excuse or leeway or whatever.