Dark ReadingArchived Jun 08, 2026✓ Full text saved
An extension of the Geneva Conventions could impose restrictions on cyberwarfare under ceasefire conditions and close a major loophole in international conflict.
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBERATTACKS & DATA BREACHES
CYBER RISK
THREAT INTELLIGENCE
COMMENTARY
Iran Signed a Ceasefire — Its Hackers Didn't
An extension of the Geneva Conventions could impose restrictions on cyberwarfare under ceasefire conditions and close a major loophole in international conflict.
Emil Sayegh,CEO and President, Ntirety
June 8, 2026
5 Min Read
SOURCE: TRAFFIC_ANALYZER VIA GETTY IMAGES
OPINION
The United States and Iran have extended what began as a two-week ceasefire. The pause applies only to kinetic warfare, and even that didn't fully stop the shooting. The cyber front has no signs of a truce.
The day before that ceasefire took effect, six federal agencies — the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's Cyber National Mission Force — issued a joint advisory warning that Iranian-affiliated actors had been manipulating programmable logic controllers inside U.S. critical infrastructure since at least March. Victim organizations across water, energy, and government services confirmed operational disruptions and financial losses. Hours after the ceasefire took effect, one IRGC-linked group announced it was pausing attacks on the U.S., for now, while vowing to revive them "when the time is right." Another pledged operations against Israel would continue “at full force.”
Related:Exposed Fuel Tank Gauges Under Attack in the US
This is the problem with modern ceasefires. They cover missiles and drones, but say nothing about the digital soldiers already sitting inside power grids, water treatment plants, and defense contractors' networks, collecting intelligence and waiting.
Kinetic warfare has rules. Cyberwarfare does not. The Geneva Conventions, drafted in 1949 and refined over the decades that followed, tell us what combatants cannot do to civilians, hospitals, and prisoners of war. They tell us nothing about what a state-aligned hacking group can do to a regional water utility or a prime defense supplier. That gap has become the single most exploited loophole in international conflict.
It needs to close.
A cyber extension to the Geneva Conventions would do what every prior attempt at digital norms has failed to do: tie cyber restraint to the same framework that governs the rest of modern warfare, with real consequences for violations.
Ceasefires Should Cover Cyberspace
Start with the obligation principle. Countries are already responsible for what launches from their physical territory. A fringe group in one country cannot cross the border and attack its neighbor without the host government bearing responsibility. The same rule should apply in cyberspace. If hackers are operating from one country's soil, or from infrastructure under its influence, there should be an obligation to act when notified, just as any country would send police after armed militants operating openly within its borders. The harder version of this problem is the arrangement. Countries routinely strike bargains with independent hacking groups, trading operational freedom for intelligence. A convention worth signing has to say that trade is over.
Related:Rust-Written IronWorm Hits NPM Supply Chain
The teeth already exist. Interpol coordinates cross-border law enforcement. The World Trade Organization, the United Nations, and the G20 all have mechanisms for suspending or downgrading members who refuse to meet their obligations. Russia lost its seat on the UN Human Rights Council in 2022 after invading Ukraine. The G7 used to be the G8 until Russia annexed Crimea in 2014. These are precedents for consequences, not just condemnation.
Where to begin? The 16 critical infrastructure sectors CISA defines are the right starting point. Imagine how catastrophic it could be to have an adversary in control of water, energy, health care, financial services, and the defense industrial base. Treat those as off-limits first. Draw concentric circles outward from there. Some sectors are more critical than others. The model does not need to solve every problem at once.
Skeptics will say this has been tried. Microsoft first proposed a "Digital Geneva Convention" in 2017. Academic and policy circles have debated cyber norms through the UN Group of Governmental Experts for more than a decade. The criticism has always been the same: Attribution is too hard, enforcement is too weak, and the worst actors would never sign.
Related:Pakistan Spies on Afghan Finance Ministry With Xeno RAT
Those are real concerns, but shouldn't serve as reasons to stop trying. Attribution has improved dramatically; the Treasury Department was confident enough to sanction six named IRGC officials for the 2023 Unitronics attack. And the fact that bad actors might not sign is precisely the point. The value of the Geneva Conventions has never been that war criminals respect them. It's that everyone else agrees on what a war criminal is.
None of this happens overnight. A cyber extension to the Geneva Conventions is a multilateral project that would take years of negotiation and dozens of signatories. But major international frameworks rarely start with everyone at the table. The Nuclear Non-Proliferation Treaty was built on the back of bilateral arms control agreements between the U.S. and the Soviet Union.
The next peace talks with Iran will cover important factors like Lebanon, the Strait of Hormuz, uranium, and sanctions. But they should also cover cyber. If a ceasefire does not address the hackers already inside American networks, it is just an intermission, not a real ceasefire.
We know what the next round looks like because the last one never ended. Trellix has identified Iranian-affiliated groups conducting multiyear espionage campaigns against Western aerospace, defense, and telecommunications companies. A group calling itself APT Iran reportedly claimed to be selling exfiltrated Lockheed Martin data, including purported F-35 blueprints, for more than $598 million. Whether that specific claim holds up or not, the pattern is unmistakable. State-aligned actors don't breach networks for ransom. They breach networks to stay. The quiet stretches aren't evidence that nothing is happening; they're evidence the operation is working.
The world gained something by keeping kinetic conflict inside agreed-upon rules. It has gained nothing by leaving cyberwarfare outside them. Extending the Geneva Conventions to cyberspace is how we start closing the gap between the wars we've learned to contain and the one we haven't.
Read more about:
Opinion
About the Author
Emil Sayegh
CEO and President, Ntirety
Emil Sayegh, President and CEO of Ntirety, is an early pioneer of Cloud Computing, recognized as one of the industry's cloud visionaries and "fathers of OpenStack," having launched and led successful cloud computing and hosting businesses for HP and Rackspace.
Emil Sayegh built Rackspace's cloud business while serving as the company's GM of the Cloud Computing Division and, earlier at Rackspace, served as VP of the Product Group and launched the company's private cloud and hosted exchange services. He later moved on to HP where he served as VP of Cloud Service and initiated the company's public cloud services.
In addition to his leadership roles, Emil spent more than 15 years in the IT industry developing, marketing, and managing products for Dell, RLX Technologies, and Compaq. He holds nine patents.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
More Webinars
You May Also Like
CYBERATTACKS & DATA BREACHES
Critical Fortinet Flaws Under Active Attack
by Jai Vijayan, Contributing Writer
DEC 17, 2025
CYBERATTACKS & DATA BREACHES
CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks
by Rob Wright
DEC 04, 2025
CYBERATTACKS & DATA BREACHES
F5 BIG-IP Environment Breached by Nation-State Actor
by Alexander Culafi
OCT 15, 2025
CYBERATTACKS & DATA BREACHES
Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business
by Robert Lemos, Contributing Writer
OCT 03, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
More Webinars
AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS
The premier cybersecurity event returns.
GET YOUR PASS
ANATOMY OF A DATA BREACH
This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response.
BEAT HACKERS TO IT