You too can have your company featured in this slot if you wish, call the office on 01922 415233 if you're interested in this.
Cyber
1
The world needs a Geneva Convention for cyberspace, says Simon Hodgkinson, strategic adviser, Semperis.
The original Geneva Conventions set international rules for what can and canโt be done at times of armed conflict. It once seemed laughable that such a framework should be applied to the cyber world. Yet cyber-attacks are increasingly used to support military operations. And in some cases, their impact on critical infrastructure (CNI) causes death and human suffering. Itโs no laughing matter.
Public opinion is already running ahead of government policy. A recent surveyย found that most citizens in five NATO countries believe cyber-attacks that shut down hospitals or power grids should be considered acts of war. If thatโs the case, we desperately need international rules to provide clarity. Without a Geneva Convention for cyberspace, the risk of escalation, and more destructive grey-zone attacks, will continue. CISOs, as always, will be caught in the middle.
The case for a convention
The case for an internationally agreed set of rules is growing stronger by the day. Cyber-warfare is set to increase in scale, frequency and sophistication over the coming years driven by intensifying geopolitical tensions, rapid technological advancement, and the growing strategic value of cyberspace. As traditional warfare becomes riskier and more expensive, cyber operations offer a low-cost, deniable, and asymmetric alternative for countries to project power and disrupt adversaries.
We see this every day. Russia has launchedย coordinated attacks against Ukrainian government websites, energy grids and communications infrastructure. Chinaโs intrusions are usually more covert. But it is a prolific espionage actor, and its pre-positioning in CNI networksย is designed to give it an advantage in the event of an armed conflict. North Korea has steered clear of CNI so far, but its persistent attacks on financial services and crypto firms are intended to fundย its nuclear and missile programmes.
Israel and Iran have traded blows for years. Iran has targeted Israeli water systemsย and transportation networks, while Israel has disrupted Iranian nuclearย and shipping infrastructure. So far, the impact has been limited to the Middle East.
Regional cyber conflicts can quickly escalate to global, causing collateral damage to multinationals and CNI, as per the notorious NotPetya malware campaignย back in 2017. That ended up costing a reported $10bn, although the real figure could be much higher. Whilst the Russian attack achieved the objective of significant disruption to Ukrainian CNI, given the global nature of business the malware spread rapidly through multinationals with Ukrainian operations.
CISOs caught in the crossfire
Cyber-campaigns donโt just support military operations. Sometimes they are used as retaliatory measures, especially against Western sanctions. At other times, hostile nations use attacks as strategic tools to assert influence, gather intelligence, and disrupt rivals. As long as they operate below a perceived threshold of declared conflict, they are tacitly accepted, even if Western governments have grown more vocal in calling out bad behaviour.
The impact of these operations can be far-reaching. Attacks on CNI can cause widespread disruption, even if they donโt involve kinetic violence. In rare cases, deaths have been confirmed.ย For CISOs, it can feel like an unwinnable war. Theyโre facing sophisticated and well-resourced nation states, or criminal gangs and hacktivists doing the work of the states that harbour them. The battle is never ending. Attackers only need to succeed once. Defenders must be right every single time. And TTPs are rapidly disseminated from the top down these days thanks to a thriving cybercrime economy. AI will continue to level the playing field, perhaps emboldening smaller nation states to do their worst.
A recent study revealed that the number of UK IT decision makers reporting state-sponsored attacks surged from 47 per cent to 54pc in a year. Some 80pc claim geopolitical tensions have increased the threat of cyber warfare – up from 74pc last year. Over three-quarters (76pc) believe state actors could cripple critical infrastructure worldwide.
A formal definition of cyber war could help
The big risk is that an excessive or miscalculated reaction triggers an escalation into broader conflict. Given the inherent ambiguity of cyber warfare, restraint and multilateral coordination are essential to maintain stability and uphold international norms.
Calls for a cyberโGeneva Convention arenโt new. Microsoft has been issuing themย for years. And in 2023, the International Committee of the Red Cross released new rulesย of engagement for hacktivists, following Russiaโs invasion of Ukraine. Yet governments are reluctant to take action, despite the hardening views of their citizens. Even NATO, which has acknowledged that a cyber-attack could trigger Article 5, has crucially not defined a consistent threshold.
Part of the reason for this reluctance is that a cyberwarfare convention wonโt be easy to hammer out. Cyber operations frequently fall below the threshold of armed conflict, making it unclear when international humanitarian law (IHL) protections apply. Attribution is notoriously difficult and perpetrators often operate through layers of obfuscation. State actors increasingly use criminal proxiesย to maintain plausible deniability. Proving responsibility is both technically and diplomatically complex.
What proportionate response should look like
But that doesnโt mean that we shouldnโt try. A convention would mandate that, once attribution is confirmed, the response to an attack should begin with diplomacy, as is the case with kinetic warfare. That means engaging international bodies such as the UN and NATO, potentially naming the responsible state, and pursuing indictments or sanctions against individuals or entities involved. Once attribution is established, targeted sanctions can be imposed on the nation-state itself.
If they choose to โhack backโ in retaliation, these actions would have to be proportionate and legally justified under international law. Whatever the response, proportionality is critical.
Many governments have forgotten โ or choose to forget โ the horrors that were unleashed across the globe over 80 years ago. But as nations increasingly come to rely on technology to run their critical infrastructure, the risk of a catastrophic cyber-incident grows. Letโs not make the same mistake as our predecessors and wait until itโs too late before agreeing on international rules of engagement.
Midnight in the War Room
Semperisโ feature length documentary, Midnight in the War Room is set to premiere at the Black Hat USA show for ethical hackers and info-security people on August 5, 2026. It chronicles the escalating cyber conflict among nation states, criminal groups, andthe defenders on the front lines and shines a light on the people whose expertise, vigilance, and refusal to back down underpin collective resilience. Through the voices of intelligence leaders, CISOs, journalists, victims, and reformed hackers, it shows whatโs really at stake – the human toll, the pressure, and the responsibility. Visit https://www.semperis.com/midnight-in-the-war-room/.
Previous post
Related News
-
Cybercriminals continuously refine their tactics to exploit weaknesses in enterprise defences. From impersonating legitimate users to bypassing detection systems with advanced techniques,…
-
PTSD Resolution and the Chartered Institute of Information Security (CIISec) have announced a partnership. It’s to address mental health challenges faced by…
-
Check Point Research, the threat intelligence arm of the vendor Check Point Software, has released its Global Threat Intelligence Report for September…





