The news wire seems to be constantly filled with stories of security breaches and data exposure. Most major companies have either been hacked or just haven't admitted it yet. Fingers are being pointed everywhere. The Chinese have even come out in support of new rules and cooperation on issues relating to international cyberespionage. That got me thinking about what we're seeing today.
As state-sponsored cyberwar escalates, it's only a matter of time before the collateral damage starts mounting. We've all heard about Stuxnet and its specific focus on power plants. We've also seen teams of hackers starting to breach more and more sensitive areas of our daily lives in an effort to uncover credit card numbers, account information, and even social security numbers. The brazen attacks have so far been contained to databases, although the use of distributed denial of service (DDoS) attacks as a cover for espionage seems to be on the rise. What happens when a hacking collective decides to expose a hospital (for instance) and make off with some electronic medical records (EMR)? Say that in the middle of their hack, they fire off some kind of worm or DDoS to cover their tracks. What if that diversion crashes the core of the hospital's network and causes the ICU monitors to go offline? What if the video system in an operating room shuts down due to overwhelming traffic? This "innocent" data theft has now placed human lives in danger.
Perhaps it is time that we adopt some form of Geneva Conventions for hacking. Specifically, I'm talking about Common Article 3. This is the provision that says that wars should only be fought against armies, not civilians. It also prevents the taking of hostages and ensures the wounded are treated fairly. This convention serves to make sure that total war isn't carried out against unarmed populaces. This contains the carnage to those places where it might be expected and shields the otherwise unprotected masses from danger.
In much the same way, I think we need to adopt some form of this protection for critical infrastructure targets that may be subject to hacking. Hospitals are a pretty safe start. They should be off-limits to any kind of attack, as the sick and infirm are at too much risk of danger in case of catastrophic failure. Likewise, while power plants may be an acceptable target, hydroelectric dams should be avoided by convention due to the possibility of massive devastation in the event of a flood or other water-based calamity. There are many other areas that should also qualify as civilian-only targets that carry no strategic value in the hacking sense. Leaving them be only serves to prevent casualties in the event of disaster.
I can't say for certain that hackers would abide by these rules. Indeed, many of the non-state-sponsored groups seem to like attacking these soft targets as a way of showing how vulnerable the system can be. However, just like in a war, there are some things that are too important to destroy or otherwise harm. In a cyberwar like the one being fought every day in bits and bytes, there are targets of great importance that should be protected by convention. It's a first step in ensuring that people are more than just a database entry in a computer somewhere.