Cyber Weapons and Arms Control

It seems implausible – and impossible to implement. However, I think that some form of cyber arms control is in our future.

In 1997, the U.S. President’s Commission on Critical Infrastructure Protection issued perhaps the first major report to warn of a strategic cyber threat. It described critical infrastructure as the “life support system” of a nation, which benefited from modern information and communication technology, but had also grown dependent upon it. The Commission found a “widespread capability” to exploit infrastructure vulnerabilities “through information networks”, and “little defense” against it.

Shortly after taking office, President Obama took this logic a step further: because economic prosperity and national security depended on the integrity of the computer systems that managed critical infrastructure, they were classified as strategic national assets, and would be defended as such, including via traditional military deterrence.

In 2010, former D/CIA and DIRNSA Michael Hayden delivered an eye-opening Black Hat keynote address, in which he opined that cyberspace, as a military domain, was so friendly to the attacking side that deterrence would be hard to achieve; therefore, political agreements between (responsible) nations may be the only way to defend some highly sensitive computer networks, including those that manage power and finance.

Internationally, cyber security is also under review at the highest levels of government. In 2007, the U.S. acceded to the European (or Budapest) Convention on Cybercrime. In 2011, a United Nations (UN) paper declared that cyber warfare was “no longer science fiction”, and that UN cyber-related norms development – compared to typical international relations timelines – was occurring at an “astonishing” rate. And just this week, NATO is set to announce that a cyber attack on any of the Alliance’s 28 member nations may be considered – depending on its effects-based impact – an attack on all of them, similar to a ground invasion with tanks and infantry.

Given these high-profile perspectives, I think that world leaders will eventually sign some kind of cyber arms control treaty or non-aggression pact for cyberspace.

What would such a regime look like in practice? It is hard to say, but let’s consider one potential model – the 1997 Chemical Weapons Convention (CWC). At first glance, this is an awkward analogy, given that chemical warfare kills humans, while cyber warfare merely kills machines (or their functionality). But let's see where the comparison could be helpful, as well as how cyber weapons development may be ungovernable.

First of all, there will have to be sufficient political will to move forward. In response to the threat posed by chemical weapons, Bill Clinton and Boris Yeltsin announced in 1997 that they had decided to “banish poison gas from the Earth” – which was no mean feat, given that archeologists have found poison-covered arrowheads dating to 10,000 BC, and that chemical weapons may have caused over a million casualties in WWI. But there may have been a genuine abhorrence of chemical weapons, including a fear that terrorists would acquire them. Thus, CWC was born, and now encompasses 190 member states, or 98% of the global population and landmass, and 98% of the chemical industry worldwide.

If world leaders decide to create a Cyber Weapons Convention, I think the most helpful precedent from CWC might be the Organization for the Prohibition of Chemical Weapons (OPCW), the physical institution that helps member states fulfill CWC treaty requirements, and provides advocacy in the event a member is threatened by chemical weapons. The reason is that, in the cyber domain, hardware and software vulnerabilities are unlikely to go away anytime soon, and it is often difficult for many organizations to implement “best practices” in computer security. An internationally staffed institution could provide technical, legal, and policy guidance to members. One significant, but politically and technically difficult, step could be the joint observation (if not instrumentation) of Internet traffic flows.

At this point, however, the analogy between CWC and cyber arms control begins to break down. CWC demands a robust international regime based on the principles of prohibition and inspection – both of which are currently hard to imagine in the cyber domain.

Since 1997, CWC has overseen the physical destruction of vast chemical agent stockpiles and munitions. However, with computer code, it is difficult to imagine exactly what one would prohibit – a software tool designed for legitimate system administration can be used for good or for ill. Furthermore, computer code cannot be “destroyed” in the same way as traditional armaments and their production facilities.

Finally, prohibition is dependent on inspection. OPCW has scoured thousands of suspected chemical weapons sites in dozens of countries, but such numbers pale in comparison to the trillions of bits of information that can be stored on just one USB Flash drive. Some regular data inspection surely already occurs at Internet Service Providers (ISPs) around the world, but in most cases, law enforcement and counterintelligence personnel are confronted with the same problem of overwhelming traffic volume.

It is hard to know whether computer scientists will be able to overcome the challenges of malware prohibition and inspection on a strategic scale – or to what degree, given the likely ramifications to privacy and human rights, we should wish them success. However, it is inevitable that national security planners will continue to look beyond reactive cyber defense tactics to proactive cyber defense strategies – and those efforts are likely to include cyber arms control.

– Kenneth Geers