�鶹��ý

The head of the United Nations’s cybercrime programme has warned the US and Iran not to engage in cyberattacks following the killing of the Iranian general Qassem Suleimani.

Neil Walsh, who leads the UN’s cybercrime initiative from Vienna, cautions that targeting computer systems can have as much impact as physical attacks – and that nation states should think twice before carrying them out.

“Taking an action can then get into an incredibly dangerous domino effect. The same thing goes in cyberspace as goes in real life,” he told �鶹��ý. “My message, and the clear message of the UN, is de-escalation, and I don’t see de-escalation happening through covert or overt cyberattacks from one country to another, irrespective of which countries those are.”

Despite this, Walsh fears that the US and Iran may supplement their real-life conflict with online skirmishes. (Walsh spoke to �鶹��ý before Iran targeted two US air bases in Iraq with missiles.)

Asked if he thought a cyberattack on the US was inevitable, Walsh replied: “I’m never really a fan of the word inevitable, but I would be enormously surprised if agencies or governments from different sides of this equation aren’t looking at each other.”

He urges all parties to “consider the impact of what they may or may not do to each other”.

Walsh will travel to the UN in New York next month to participate in long-planned negotiations on cybersecurity with UN member states.

“There is an ongoing cybersecurity diplomatic process, which is where countries sit together to discuss what they can and can’t do against each other in cyberspace, and try to agree norms,” he says.

Part of Walsh’s focus will be on raising awareness about the dangers of misattribution of cyberattacks. “If a country sends a missile up from one place to another, you see where it came from, you know where it went. In terms of attribution, that’s relatively easy to do,” he says.

But attributing cyberattacks can be much more difficult, increasing the risk of escalation. “That gap between is it an individual, is it a criminal, is it a terrorist, versus an intelligence agency, a military body or an advanced persistent threat group, is so grey now that for one to say it was a criminal or state-based activity might be incredibly difficult to do,” he says.