A cybersecurity expert wants “rules of engagement” to keep countries from going too far.

For the nuclear arms race, school kids learned to “duck and cover.” Now, the weapons of potential international destruction are sitting right on top of their desks.

“Now we are entering the next arms race—the cyber arms race,” said Mikko Hypponen with cybersecurity company F-Secure, based in Finland. “It’s quite clear military agencies around the world are building both offense and defense.”

“And I believe we are only seeing the beginning. It will go on for decades,” he added.

Hypponen spoke at the Collision tech conference in New Orleans on Tuesday, explaining that cyber attacks could reach into factories and homes. 

“Every single factory is being run by computers, every single power plant,” he told the audience. “Eventually, everything will be online. Your toasters will be online, whether it makes any sense or not, which means they will be a vector for attackers.”

Cyber war could have a long reach.

“This is governmental!”

Hypponen has been “hunting the evil kind of hackers,” as he describes it, for decades, tracking those responsible for viruses, ransomware and more.

His first brush with international cyber conflict was in 2003, when he saw targeted attacks on defense contractors in Europe that turned out to be nation-state malware, he said in an interview with Archer News.

“’Oh, my God, this is governmental!’” he recalls thinking at the time. “’This isn’t for fun, this isn’t for money, this is espionage.’ Since then, it has only been accelerating.”

Cyber war?

But for Hypponen, cyber espionage is not cyber war.

“First, we need a war. There has to be a war to be ‘cyber war.’ Spying isn’t war, spying is spying, even when it is physical devices,” he said.

The world cyber arms race could go on for years without an actual cyber war, he explained.

“The U.S. isn’t destroying infrastructure in Russia or China,” he said, adding that China and the U.S. are big business partners. “They’re not interested in destroying your infrastructure, they’re interested in your money.”

Cyber war

However, cyber attacks and warfare have come together in one part of the world, according to Hypponen. Malicious hackers shut down power for more than 200,000 customers in Ukraine in December.

“This is important because Ukraine and Russia are at war,” he said in his talk. “Russians don’t call it a war, but Russia has annexed a part of Ukraine and joined it to its own country, with force. I call that a war.”

“When you have something like this happening between two countries that are at war, I think we really should be calling that ‘cyber war,’” he added.

Hackers and nukes

Some worry that the cyber arms race could also go nuclear.

Computers at a nuclear power plant in Germany became infected with malware, Reuters reported Tuesday. A plant spokesperson said the malware—possibly brought in by mistake on a USB stick—did not affect any critical systems, but the plant shut down as a precaution, according to The International Business Times

“From what we know, it was not a targeted attack on the power plant’s system; it was just a ‘regular’ infection, contracted most likely by someone connecting a storage device to the system. That’s what we hear from German media,” Eugene Kaspersky of Kaspersky Lab told Softpedia.

But there is concern that attackers will find ways to go beyond a “regular” infection, especially after the Belgium terror attacks and signs of a possible terrorist nuclear plot.

“With respect to nuclear facilities in the U.S., Belgium and elsewhere, the potential for cyber attacks is of increasing concern,” Dr. Page Stoutland of the Nuclear Threat Initiative told Archer News in a recent interview.

False flags

It can be hard to figure out exactly who is behind a cyber attack. For example, the Russians are masters at “false flags,” said Hypponen.

“They do attacks that really, really look like it’s the Chinese,” he said. “But it’s not the Chinese.”

They may set time zones for their files to Beijing time, or create their documents with Chinese characters, he said. Techniques like these can allow governments around the world to claim they had nothing to do with an attack, according to Hypponen.

“You can deny all the way to the end, and it can be very hard to prove otherwise,” Hypponen said. “And this is one reason will we be needing rules of engagement of cyber attacks.”

Cyber land mines

Just as the Geneva Convention banned the use of chemical weapons, rules of engagement in cyber war could lessen suffering and destruction.

“If you’re going to use cyber weapons, they must not continue forever,” Hypponen gave as an example. “They must stop operations after two years.”

“Like landmines after the war, we can make them self-destruct. We need guidelines and rules about that,” he said.

In addition, he suggested rules about attribution—in other words, who is behind a particular attack. He said soldiers in traditional war wear uniforms that identify their loyalty.

“You’re not supposed to dress up as the enemy for example. We should have something like that in the cyber world as well. That could be used, maybe not during the conflict, but after the conflict,” he said.

Rules of engagement

Some groups are already proposing Geneva-Convention-like protections in cyber space.

International legal experts created the Tallinn Manual, an advisory document from the NATO Cooperative Cyber Defence Centre of Excellence, that shows how international laws on war can be adapted to cyber conflict.

The rules include warnings about doing damage to hospitals and medical centers, as well as critical infrastructure.

“In order to avoid the release of dangerous forces and consequent severe losses among the civilian population, particular care must be taken during cyber-attacks against works an installations containing dangerous forces, namely dams, dykes and nuclear electrical generating stations, as well as installations located in their vicinity,” the manual says, according to The Guardian.

The Tallinn Manual also allows “states to respond with conventional force if aggression through hacking into computer networks by another state results in death or significant damage to property,” The Guardian reported.

However, the document is not legally binding.

Rules 2.0

There is already progress on a Tallinn Manual 2.0, due out at the end of this year. Still, it may take ten or twenty years for these kinds of rules of engagement to come together under international agreement, according to Hypponen.

“I do believe we are at the very first steps of this arms race,” he said.

Currently, countries may be too afraid of the consequences to carry out a destructive cyber attack on another nation-state, Hypponen said. They may ultimately agree on a set of international cyber attack protocols and limitations.

“They agreed to Geneva Convention, which objectively limits the things we can do,” said Hypponen. “We as human beings decided it’s a good idea to have some rules.”