A Cybersecurity Treaty Is a Bad Idea
A cybersecurity treaty would be unworkable
June 8, 2012
With all the excitement over Flame, Stuxnet, and the rest, a spokesperson for the Russian government has called for a global cybersecurity treaty. It's a bad idea that dates back to the 1990s. Back then, American academics proposed a complex legal instrument for cybersecurity whose distant ancestor appeared to be the Kellogg-Briand Pact of the 1920s, where nations renounced war as an instrument of policy. A cybertreaty made about as much sense. Russia also proposed a cybertreaty about the same time, and introduced a draft in the United Nations in what was to become a recurring annual exercise that could never quite achieve consensus.
A cybertreaty at first attracted support in the General Assembly, but there has been no progress because cybertreaties are unimplementable. How would any country address serious issues in treaty compliance and verification for cyber capabilities? A cybersecurity treaty would be unworkable if it went much beyond the existing constraints on the use of force found in international laws, if only because potential opponents are likely to cheat and it would be hard to detect this.
Important definitional issues have never been resolved, probably because they are unresolvable. A commitment to limit "information weapons" is not very useful if you cannot say what they are, and efforts to define these "weapons" quickly run afoul of the overwhelmingly commercial use and availability of information technologies. Is a teenager with a laptop a weapon? How about a newspaper or magazine? A few countries would say yes. The international community has always looked studiously away from any treaty trying to ban espionage—it's a nonstarter, and Russia is the leading opponent of any real agreement to cooperate in fighting cybercrime.
The idea of a treaty did not make sense in the 1990s and it does not make sense now. There are serious discussions underway on reducing the risk of cyberconflict, including bilateral talks between the United States and Russia, and the United States and China. The United Nations has a group of experts meeting later this summer. Many regional groups, like the Organization for Security and Co-operation in Europe or the Asian Regional Forum, are talking about norms, confidence-building measures and other kinds of agreement to limit cyber attack. Countries recognize that there is increasing risk that cyber incidents like Flame could lead to misperception or miscalculation that could escalate into more damaging conflict. But a treaty? Kellogg-Briand is still in force and there has never been a war since, has there?