CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 08, 2026

Iran Signed a Ceasefire — Its Hackers Didn't

Dark Reading Archived Jun 08, 2026 ✓ Full text saved

An extension of the Geneva Conventions could impose restrictions on cyberwarfare under ceasefire conditions and close a major loophole in international conflict.

Full text archived locally
✦ AI Summary · Claude Sonnet


    CYBERATTACKS & DATA BREACHES CYBER RISK THREAT INTELLIGENCE COMMENTARY Iran Signed a Ceasefire — Its Hackers Didn't An extension of the Geneva Conventions could impose restrictions on cyberwarfare under ceasefire conditions and close a major loophole in international conflict. Emil Sayegh,CEO and President, Ntirety June 8, 2026 5 Min Read SOURCE: TRAFFIC_ANALYZER VIA GETTY IMAGES OPINION The United States and Iran have extended what began as a two-week ceasefire. The pause applies only to kinetic warfare, and even that didn't fully stop the shooting. The cyber front has no signs of a truce. The day before that ceasefire took effect, six federal agencies — the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's Cyber National Mission Force — issued a joint advisory warning that Iranian-affiliated actors had been manipulating programmable logic controllers inside U.S. critical infrastructure since at least March. Victim organizations across water, energy, and government services confirmed operational disruptions and financial losses. Hours after the ceasefire took effect, one IRGC-linked group announced it was pausing attacks on the U.S., for now, while vowing to revive them "when the time is right." Another pledged operations against Israel would continue “at full force.” Related:Exposed Fuel Tank Gauges Under Attack in the US This is the problem with modern ceasefires. They cover missiles and drones, but say nothing about the digital soldiers already sitting inside power grids, water treatment plants, and defense contractors' networks, collecting intelligence and waiting. Kinetic warfare has rules. Cyberwarfare does not. The Geneva Conventions, drafted in 1949 and refined over the decades that followed, tell us what combatants cannot do to civilians, hospitals, and prisoners of war. They tell us nothing about what a state-aligned hacking group can do to a regional water utility or a prime defense supplier. That gap has become the single most exploited loophole in international conflict. It needs to close. A cyber extension to the Geneva Conventions would do what every prior attempt at digital norms has failed to do: tie cyber restraint to the same framework that governs the rest of modern warfare, with real consequences for violations.  Ceasefires Should Cover Cyberspace Start with the obligation principle. Countries are already responsible for what launches from their physical territory. A fringe group in one country cannot cross the border and attack its neighbor without the host government bearing responsibility. The same rule should apply in cyberspace. If hackers are operating from one country's soil, or from infrastructure under its influence, there should be an obligation to act when notified, just as any country would send police after armed militants operating openly within its borders. The harder version of this problem is the arrangement. Countries routinely strike bargains with independent hacking groups, trading operational freedom for intelligence. A convention worth signing has to say that trade is over. Related:Rust-Written IronWorm Hits NPM Supply Chain The teeth already exist. Interpol coordinates cross-border law enforcement. The World Trade Organization, the United Nations, and the G20 all have mechanisms for suspending or downgrading members who refuse to meet their obligations. Russia lost its seat on the UN Human Rights Council in 2022 after invading Ukraine. The G7 used to be the G8 until Russia annexed Crimea in 2014. These are precedents for consequences, not just condemnation. Where to begin? The 16 critical infrastructure sectors CISA defines are the right starting point. Imagine how catastrophic it could be to have an adversary in control of water, energy, health care, financial services, and the defense industrial base. Treat those as off-limits first. Draw concentric circles outward from there. Some sectors are more critical than others. The model does not need to solve every problem at once.  Skeptics will say this has been tried. Microsoft first proposed a "Digital Geneva Convention" in 2017. Academic and policy circles have debated cyber norms through the UN Group of Governmental Experts for more than a decade. The criticism has always been the same: Attribution is too hard, enforcement is too weak, and the worst actors would never sign. Related:Pakistan Spies on Afghan Finance Ministry With Xeno RAT Those are real concerns, but shouldn't serve as reasons to stop trying. Attribution has improved dramatically; the Treasury Department was confident enough to sanction six named IRGC officials for the 2023 Unitronics attack. And the fact that bad actors might not sign is precisely the point. The value of the Geneva Conventions has never been that war criminals respect them. It's that everyone else agrees on what a war criminal is. None of this happens overnight. A cyber extension to the Geneva Conventions is a multilateral project that would take years of negotiation and dozens of signatories. But major international frameworks rarely start with everyone at the table. The Nuclear Non-Proliferation Treaty was built on the back of bilateral arms control agreements between the U.S. and the Soviet Union.  The next peace talks with Iran will cover important factors like Lebanon, the Strait of Hormuz, uranium, and sanctions. But they should also cover cyber. If a ceasefire does not address the hackers already inside American networks, it is just an intermission, not a real ceasefire.  We know what the next round looks like because the last one never ended. Trellix has identified Iranian-affiliated groups conducting multiyear espionage campaigns against Western aerospace, defense, and telecommunications companies. A group calling itself APT Iran reportedly claimed to be selling exfiltrated Lockheed Martin data, including purported F-35 blueprints, for more than $598 million. Whether that specific claim holds up or not, the pattern is unmistakable. State-aligned actors don't breach networks for ransom. They breach networks to stay. The quiet stretches aren't evidence that nothing is happening; they're evidence the operation is working.  The world gained something by keeping kinetic conflict inside agreed-upon rules. It has gained nothing by leaving cyberwarfare outside them. Extending the Geneva Conventions to cyberspace is how we start closing the gap between the wars we've learned to contain and the one we haven't. Read more about: Opinion About the Author Emil Sayegh CEO and President, Ntirety Emil Sayegh, President and CEO of Ntirety, is an early pioneer of Cloud Computing, recognized as one of the industry's cloud visionaries and "fathers of OpenStack," having launched and led successful cloud computing and hosting businesses for HP and Rackspace. Emil Sayegh built Rackspace's cloud business while serving as the company's GM of the Cloud Computing Division and, earlier at Rackspace, served as VP of the Product Group and launched the company's private cloud and hosted exchange services. He later moved on to HP where he served as VP of Cloud Service and initiated the company's public cloud services. In addition to his leadership roles, Emil spent more than 15 years in the IT industry developing, marketing, and managing products for Dell, RLX Technologies, and Compaq. He holds nine patents. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST More Webinars AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS ANATOMY OF A DATA BREACH This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response. BEAT HACKERS TO IT
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 08, 2026
    Archived
    Jun 08, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗