
The Geneva Conventions of Cyber Warfare: Do We Need a New Set of Rules?

SWARNALI GHOSH | DATE: JUNE 20, 2025


Introduction

 


As the digital battlefield becomes the new theatre of war, legal scholars, governments, tech giants, and humanitarian organizations are asking: where do we draw the line? The existing Geneva Conventions, forged in an era of trenches and tanks, were never designed to apply to cyber operations. But with everything from power grids and hospitals to financial markets now targetable by code, the question of whether we need a “cyber Geneva Convention” is not just rhetorical—it’s urgent.

Cyber warfare is no longer hypothetical. From Russia’s disruptive attacks on Ukraine’s infrastructure to China’s alleged espionage campaigns against U.S. critical systems, digital assaults are reshaping modern conflict [8]. Unlike traditional warfare, cyber operations blur the lines between combatants and civilians, often causing collateral damage that spills across borders.

 

The Technology‑Neutral Foundation: Can Old Rules Fit New Means?

 

International humanitarian law (IHL), grounded in principles like distinction, proportionality, necessity, and humanity, is theoretically technology-neutral. The International Court of Justice affirmed in 1996 that IHL applies to all weapons, “including those of the future,” covering cyber operations during armed conflict. The ICRC supports this view, saying cyber operations in an armed conflict must obey IHL just like kinetic actions.

 

The Tallinn Manual: Non-Binding, Yet Influential

 

In response to growing legal uncertainty, the CCD COE and a group of experts published the Tallinn Manual in 2013 to clarify how IHL applies to cyber operations. Following its success, Tallinn Manual 2.0 expanded its coverage in 2017, and Tallinn Manual 3.0 was launched in 2021 to address new technologies. These manuals restate IHL obligations (“black‑letter rules”) and offer commentary, yet they remain purely academic and are not legally binding.

 

Real‑World Challenges: Attribution & Enforcement

 

Attribution Problem: Cyberattacks are often anonymous and routed through third countries, making it difficult to identify perpetrators.


Legal Reviews (Art. 36 AP I): States must review new weapons—including cyber tools—to determine legality under IHL.


Evidence & Impact: Pinning responsibility on individuals or commanders remains tough. Also, assessing “seriousness” (whether an attack qualifies as a war crime) is complicated in the digital space.



Emerging Norms & Accountability Mechanisms

 

International Criminal Court (ICC): In September 2023, ICC lead prosecutor Karim Khan declared intent to investigate cyber attacks as war crimes, especially when civilian infrastructure is targeted.


ICRC Voluntary ‘Hacker Code’: In October 2023, the ICRC issued eight voluntary rules for civilian hackers in armed conflicts—akin to a “Geneva Code of cyber-war”—emphasizing protection of civilian objects and caution against indiscriminate malware.


Microsoft’s “Digital Geneva Convention” Proposal: A concept championed since 2017 by Microsoft, advocating three pillars: state restraint in cyberattacks, industry-led defense accords, and an independent investigative body.


National Legal Reviews & Doctrines: Several countries (Canada, Costa Rica, Czechia, Germany, Switzerland, U.S.) have enacted national laws requiring legal reviews of cyber weapons under IHL.


Schmitt Analysis: Developed by Tallinn Manual’s lead author, Michael Schmitt, this framework helps determine when cyber operations constitute “use of force” under the UN Charter.

 

The Case for a "Digital Geneva Convention"

 

Given these ambiguities, calls for a new cyber-specific treaty have grown louder. In 2017, Microsoft President Brad Smith put forward the idea of a 'Digital Geneva Convention,' calling on governments to:


Safeguarding Civilians from State-Sponsored Cyber Operations: Developing international norms to shield civilian populations from cyberattacks during conflicts. Protecting digital rights must mirror protections granted in kinetic warfare.


Prohibiting Cyberattacks on Essential Civilian Infrastructure: Ban cyber operations targeting critical services like hospitals, water systems, and power grids. Disruption of such infrastructure can have severe humanitarian consequences.


Creating Cyber Accountability Mechanisms in Armed Conflicts: Establish independent bodies, similar to the Red Cross, to monitor and report cyber conduct during warfare. These institutions can promote transparency and uphold humanitarian law.



Why a New Treaty?

 

Critical Infrastructure Is Vulnerable: Over 100 countries are developing offensive cyber capabilities, yet few have laws shielding civilian systems.


Private Sector’s Role: Tech firms like Microsoft often defend nations from cyberattacks—they should be bound by new norms.


Global Harm: Cyber weapons don’t respect borders. A single attack can ripple worldwide (e.g., NotPetya).

 

Proponents argue a treaty could codify peacetime cyber norms, such as bans on attacking hospitals or water supplies, and mandate cooperation during crises.

 

The Case For—and Against—A New Cyber Geneva Convention

 

Arguments in Favor:


Closing grey zones: A specific convention could clarify key definitions: what constitutes an “attack,” what qualifies for civilian immunity, and what triggers proportional response.


Establishing norms: State and non-state actors would get clear, binding limits on cyber conduct.


Enhanced enforcement: Treaties could include verification, shared monitoring, and sanctions for violations.

 

Arguments Against:


Attribution complexities: Without clarity on perpetrators, enforcement remains elusive.


Political fragmentation: Rising nationalism, declining multilateralism, and techno-strategic rivalries make global consensus unlikely.


Adaptability concerns: Old-fashioned treaties are slow to negotiate and evolve—WHO hasn't updated its core Geneva law since 1977—whereas cyber evolves continuously.

 

What’s Next in the Cyber‑Legal Landscape?

 

The current landscape suggests a hybrid approach:


Clarifying International Humanitarian Law (IHL) through Expert Analysis: Support ongoing initiatives like the Tallinn Manuals to interpret how IHL applies in cyber warfare. These expert-driven frameworks can guide lawful conduct and reduce ambiguity.


Encouraging Voluntary Norms among Cyber Stakeholders: Foster ethical behaviour by promoting voluntary codes of conduct for tech firms, states, and non-state actors. Such norms can fill legal gaps and build trust in cyberspace.


Incorporating Cybercrimes into International Criminal Court (ICC) Practice: Expand ICC jurisdiction to address cyber-enabled war crimes and crimes against humanity. Setting legal precedents will deter malicious actors and promote accountability.


Strengthening National Cyber Weapons Reviews with Transparency: Mandate rigorous state-level reviews of cyber tools to ensure IHL compliance. Transparency and public reporting can build confidence and reduce arms race dynamics.


Expanding UN Talks to Regulate Cyber Autonomy in Warfare: Use existing UN frameworks like the Convention on Certain Conventional Weapons (CCW) to discuss limits on autonomous cyber capabilities. This reflects similar international initiatives focused on regulating autonomous lethal weapon systems.



The Opposition: Why a New Treaty Might Fail

 

Sceptics, including NATO-affiliated experts, argue that a Digital Geneva Convention is unnecessary—or even dangerous. Their concerns:

 

Existing Laws Suffice: IHL already covers cyber operations during war. New treaties risk redundancy or loopholes.


Enforcement Is Impossible: Unlike missiles, cyber weapons are hard to trace.


State Resistance: Major powers (e.g., U.S., China, Russia) won’t relinquish cyber advantages to unenforceable rules.


Private Sector Dilemma: Companies like Google should be treated as combatants. Legal definitions are murky.

 

Instead, critics advocate strengthening state practice under current laws, as seen in the UN’s OEWG process on cyber norms.


The Middle Ground: Evolving Norms, Not Revolution

 

While a full-blown treaty seems unlikely soon, gradual progress is possible:

 

Sector-Specific Agreements: Treaties protecting medical and energy systems could gain traction.


Civilian Hacker Rules: The ICRC’s 8 Rules for Hacktivists (e.g., don’t target hospitals) offer a starting point.


Public-Private Partnerships: Tech giants and governments could collaborate on cyber defense, as seen in Ukraine.



Conclusion: A Call for Coherence

 

The debate isn’t about whether cyber war needs rules—the question is whether we need new treaties or can retrofit existing ones. IHL offers a sturdy legal foundation, but the cyber-rooted ambiguities—attribution, civilian vs. military targets, scalable enforcement—call for creative, faster, and flexible mechanisms. Whether that emerges through binding treaties, hybrid frameworks, or voluntary accords, one thing is clear: in the digital age, warfare’s rules of engagement must evolve—or risk being outdated on the battlefield.

While the Geneva Conventions provide a foundation, their analogue-era rules strain under digital warfare’s complexities. A Digital Geneva Convention remains a visionary but contentious solution, one hindered by geopolitics and enforcement hurdles. For now, the world must navigate a precarious balance: adapting old laws to new threats while avoiding a cyber "Wild West" where civilians pay the price. The stakes couldn’t be higher—because in cyberspace, the next attack could shut off a city’s lights, freeze its banks, or worse.

 

Citations/References

  1. Tworek, H. (2017, May 9). Microsoft is right: we need a digital Geneva convention. WIRED. https://www.wired.com/2017/05/microsoft-right-need-digital-geneva-convention/

  2. Wikipedia contributors. (2024, July 13). International Committee of the Red Cross rules of engagement for civilian hackers. Wikipedia. https://en.wikipedia.org/wiki/International_Committee_of_the_Red_Cross_rules_of_engagement_for_civilian_hackers

  3. Greenberg, A. (2023, September 7). The International Criminal Court will now prosecute cyberwar crimes. WIRED. https://www.wired.com/story/icc-cyberwar-crimes/

  4. Cyberattacks as war crimes. (n.d.). https://www.ibanet.org/Cyberattacks-as-war-crimes

  5. Cyber Warfare: does International Humanitarian Law apply? (2025, April 1). International Committee of the Red Cross. https://www.icrc.org/en/document/cyber-warfare-and-international-humanitarian-law

  6. Unhcr_Admin. (2017, August 2). What the Digital Geneva Convention means for the future of humanitarian action. UNHCR Innovation. https://www.unhcr.org/innovation/digital-geneva-convention-mean-future-humanitarian-action/

  7. CCDCOE. (n.d.). https://ccdcoe.org/news/2017/geneva-conventions-apply-to-cyberspace-no-need-for-a-digital-geneva-convention/

  8. Vasundhara. (2011, April 7). Cyber warfare – Do we need a new Geneva convention? Army Technology. https://www.army-technology.com/features/feature115500/

