Is a cyber arms control treaty out of reach?

Fundamental challenges

One of the biggest and most fundamental challenges that arms control advocates face will be to arrive at clear and uniform definitions of key terms – including the term cyber weapon – since the conventional definition of a weapon does not really capture what a cyber weapon is or does. Even if one could successfully bring the US, China and Russia around a negotiating table, if they cannot define what they want to control, the cyber talks will be over in minutes.

A second and related issue is referred to in the paper as the “dual-use-dilemma”. Simply put, a computer, USB stick or piece of software can be used for legitimate civilian purposes as well as military ones, which makes it very hard to draw a line between what constitutes these scenarios and as such renders it virtually impossible to ban the tools themselves. Or as Pleil et al put it, you can easily ban nuclear weapons because civilians don’t walk around with ICBMs in their pockets, but they do carry laptops and smartphones.

The role played by the technology industry will also need to be considered in this context. States do not have sole control over cyber tools that may be used as weapons – they are developed by security companies and sold in the private sector, where organisations have ownership and operational rights. The private sector will need to be involved and committed for cyber arms control to be effective, and as the actions of mercenary spyware companies have shown, this is a big ask – the existence of rogue actors such as the disgraced Israeli firm NSO Group is a case in point.

The third challenge again follows on from the first two in some regards. According to the researchers, finding suitable verification mechanisms to establish arms control in cyber space is very hard indeed.

By and large, we know who the nuclear-armed powers are and what capabilities they have, so as the US and the USSR showed via the Salt and Start agreements of the 1960s, ‘70s and 80s limits can be put on their stockpiles and successful de-escalation achieved. This is not really possible when it comes to cyber weapons, unless Washington and Moscow can be persuaded to cap the number of hackers going to work for their intelligence agencies.

Then, we must consider how quickly technology is progressing, even as predictions of the demise of Moore’s Law continue to be regularly made. The tools and technology used in cyber attacks are changing rapidly, and so do the tactics, techniques and procedures (TTPs) deployed by state-run hackers in both the US and the Western powers, and China, Russia and others. Simply put, the development of new weapons will continue to outpace regulatory efforts – by the time a regulation is even discussed, the technology will have advanced.

Finally, said Pleil, there is currently a lack of political will to establish cyber arms control measures. Countries are only now discovering the strategic value of cyber tools and as the current geopolitical situation shows, their interests are divergent. Complying with a hypothetical treaty on the use of cyber tools could risk a government missing out on potential advantages.

This final challenge is perhaps the most chilling – looking to history, the Geneva Conventions were first proposed by a Swiss businessmen moved by what he saw after the 1859 Battle of Solferino between a Franco-Italian alliance and the Austrian Empire. Subsequent refinements to the Geneva Conventions were made in response to the horrors of trench warfare during World War I, and Nazi atrocities in World War II. The fear must be that it may take a devastating cyber incident that costs hundreds of thousands of lives to force governments to talk.

The full research was published in the Zeitschrift für Außen- und Sicherheitspolitik (Journal for Foreign and Security Policy).