28. April 2025

Digital Geneva Convention: Why International Law Fails in Cyberspace

Hospitals, power grids, water supply – protected in physical war by the Geneva Conventions. In cyberspace: Fair game. While states massively expand their offensive cyber capabilities, there are no binding rules for the digital battlefield. Why this is more dangerous than most politicians understand.

TL;DR

  • There is no binding international law for cyberspace – only non-binding UN norms and the controversial Tallinn Manual
  • Over 40 states operate offensive cyber programs – including attacks on other countries’ civilian infrastructure
  • The attribution problem makes classic deterrence impossible: Who attacked? Proof often comes months later
  • The civilian population is not protected in cyberwar – hospitals and power plants are deliberately chosen as targets

The Gap in International Law

In 1949, the world’s states agreed on the Geneva Conventions: attacks on civilians, hospitals, and humanitarian facilities are prohibited. These rules apply in land, naval, and air warfare. In cyberspace? Theoretically yes – practically no.

The problem is not that international law excludes cyberattacks. Most legal scholars argue that existing rules are applicable. The problem is that no one adheres to them, no one is punished, and the rules were written for a domain that did not exist in 1949.

When Russia’s Sandworm group shut down the Ukrainian power grid in 2015 – in the middle of winter, leaving 230,000 people without power – this was, by any reasonable standard, an attack on civilian infrastructure. The international response? Diplomats expressed “concern.” No sanctions. No consequences.

Why Classic Deterrence Fails

The Attribution Problem: In physical war, it is clear who sent the tank across the border. In cyberspace, attribution takes months, sometimes years. And even then, plausible deniability remains: “Those were patriotic hackers, not state employees.” Russia, China, Iran, and North Korea systematically exploit this gray area.

Asymmetry: A small, technically competent country can inflict disproportionate damage on a superpower in cyberspace. North Korea – an economically insignificant country – has amassed over $3 billion through cyberattacks. Classic power balances do not apply.

Escalation Risk: When does a cyberattack become an act of war? When a power grid fails? When a hospital is paralyzed? When people die? This threshold is not defined – and its ambiguity is dangerous because it enables accidental escalation.

The Tallinn Manual – Theory Without Practice

The NATO Cooperative Cyber Defence Centre in Estonia has made the most ambitious attempt to apply international law to cyberspace with the Tallinn Manual. The result: a 600-page academic work with 154 rules. Important for legal debate – irrelevant for operational reality.

No state has ratified the Tallinn Manual. No court applies it. No attacker feels bound by it. It is a brilliant thought experiment without practical effect.

What a Digital Geneva Convention Would Need

Red Lines: Attacks on healthcare infrastructure, drinking water supply, and energy grids must explicitly be considered war crimes – regardless of whether a formal state of war exists. With clear consequences: sanctions, prosecution, possibly kinetic responses.

Attribution Mechanism: An independent international body – similar to the OPCW for chemical weapons – that neutrally investigates and attributes cyberattacks. Without credible attribution, there is no deterrence.

Prohibited Weapons: Certain cyber tools – wiper malware against civilian infrastructure, attacks on medical devices, manipulation of dam controls – should be categorically banned, similar to chemical and biological weapons.

Conclusion: The World Needs Rules Before It’s Too Late

The Geneva Conventions emerged after the horrors of two world wars. The digital Geneva Convention must come earlier – before a cyberattack leads to mass casualties. The technological capabilities already exist. What is missing is the political will. And with each year without rules, the risk increases that the first cyber catastrophe will catch the world unprepared.

Key Facts

Offensive Cyber Programs: At least 40 states operate active offensive cyber capabilities – only 12 of them have publicly committed to norms for responsible behavior.

Cost of Inaction: Cyberattacks on critical infrastructures caused an estimated $45 billion in damage worldwide in 2024 – without a single international legal consequence.

Frequently Asked Questions

Doesn’t existing international law already apply in cyberspace?

Theoretically: Yes. Most states recognize that existing international law is applicable. Practically: The rules are too vague, enforcement is non-existent, and attribution is too uncertain for binding legal consequences.

Would Russia or China agree to a digital Geneva convention?

Short-term: Unlikely. Long-term: Even the Chemical Weapons Convention took decades. The process begins with “like-minded” states and moves towards global standards through norm-setting, economic pressure, and the experience of concrete incidents.

What can companies do while there are no rules?

Prepare for attacks on critical systems as if they are inevitable. OT segmentation, offline backups, tested incident response plans, and redundancy for life-critical systems. Those who wait for regulation wait too long.

About the author: Tobias Massow

A magazine by Evernine Media GmbH