Arms Control in Cyberspace Evokes Challenges of Nuclear Treaties

  • Difficulty illustrated by U.S., China summit on cybersecurity
  • Geneva Conventions seen as model for limiting cyberwar

Even after the world teetered on the brink of nuclear disaster, it took a decade for the U.S. and the Soviet Union to hammer out specific, verifiable limits on the world’s deadliest weapons.

Crafting a cybersecurity "arms treaty" actually might be harder.

"The challenge presented by cyber is totally different than anything we have faced before," said Fred Cate, professor and cybersecurity expert at Indiana University’s Maurer School of Law.

U.S. President Barack Obama and Chinese President Xi Jinping announced Friday an agreement on broad principles aimed at stopping the theft of corporate trade secrets and prosecuting cybercriminals. They pledged to establish a high-level working group of intelligence and law enforcement officials to cooperate on fighting cybercrime and to create a hotline to share information.

Obama wants to go further. “It’s going to be very important for the United States and China, working with other nations and the United Nations and the private sector, to start developing an architecture to govern activities in cyberspace,” Obama said at a joint press conference with Xi.

‘Held Accountable’

“It doesn’t mean that we’re going to prevent every cybercrime,” Obama said. “But it does start to serve as a template whereby countries know what the rules are, they’re held accountable and we’re able to jointly go after non-state actors in this area.”

Xi indicated a willingness to reach a broader agreement.

“China and the United States are two major cyber countries and we should strengthen dialogue and cooperation,” he said at the press conference. “I think it’s fair to say we’ve reached a lot of consensus on cybersecurity.”

Hampering such efforts is the fact that hacking as an instrument of state power is relatively new: the 2010 sabotage of Iran’s nuclear program, widely believed to have been carried out by the U.S. and Israel, is considered the first major attack.

Online tools can be easily acquired by criminals, terrorists and others not bound by whatever rules governments come up with. Because hackers can cover their tracks, it’s never easy to discern whether the attack is coming from rogue players or government agents. That renders verification difficult.

Offensive, Defensive

"We don’t even have an agreed upon vocabulary," Cate, who is also a senior fellow at Indiana University’s Center for Applied Cybersecurity Research, said in an interview. "What is a cyber-attack? If you attack my network and I hack back is that offensive or defensive?"

Some of the thorniest issues that would need to be resolved in order to reach a cyber-arms treaty include what constitutes an attack and how to verify whether a country used a digital weapon, said Martin Libicki, senior management scientist for the research organization RAND Corp.

"You can’t take a picture of the thing," Libicki said in an interview. "I can literally put a cyberweapon on a fingernail."

U.S. national security officials have warned that hacking attacks are growing increasingly sophisticated and dangerous. Admiral Michael Rogers, the director of the U.S. National Security Agency, warned lawmakers last November that he expects a major attack against the U.S. within the next decade.

Enforceability Questioned

Testifying before Congress on Thursday, Rogers said he doubted that an international arms treaty in cyberspace could be enforceable. He said it may be possible for the U.S. to reach agreement with some countries on what are acceptable norms of behavior in cyberspace, similar to how ships from opposing navies come to an understanding in open water about how far they can push each other. That contrasts with a formal international treaty that has to be negotiated and signed by dozens of countries.

Countries should focus on regulating behavior in cyberspace, rather than trying to prevent the development of weapons as was done through the Treaty on the Non-Proliferation of Nuclear Weapons, said James Lewis, a senior fellow at the Center for Strategic and International Studies.

An international agreement could fall along the lines of the Geneva Conventions, which are a series of treaties first reached in 1864 establishing humanitarian standards during war, Lewis said in an interview.

Intelligence agencies, however, don’t want to have their hands tied when it comes to cybersecurity operations, as they use malicious software to penetrate the computers and infrastructure of adversaries, Libicki and Cate said.

"At the end of the day, most serious arms control agreements almost always involve somebody giving something up," Cate said.

Peacetime Progress

One promising development is an agreement by the U.S., China and other countries to not carry out digital attacks against vital computer networks during peacetime, Lewis said.

The agreement was reached in June through a working group at the United Nations. The deal, however, is limited. It doesn’t restrict cyber-espionage or digital crime and doesn’t include mechanisms to inspect or verify what countries are doing, Lewis said.

"There’s no stomach for an agreement on espionage," Lewis said. "We may have to find some way to address espionage in the context of cybersecurity."

Still, Lewis believes the agreement is significant. "When it comes to shutting down a big critical infrastructure target, right now there’s only a handful of states that could do that and people want to get ahead of that if they can," he said.

U.S. officials and cybersecurity researchers have warned that it’s only a matter of time before cyber-weapons are used to cause large-scale physical destruction and death.

"The moment there’s a serious disruptive cyber-attack where lives are lost, the time for negotiations is going to be over," Cate said. "That’s why doing this today, when we are in a time of peace, is unbelievably critical."
