A Treaty Would Do Nothing to Prevent Cyberterrorist Groups
World must first find common ground on how and when to seek what regulation of cyberwar is possible
June 8, 2012
No, not yet. But possibly in the future.
Traditional arms control approaches do not work well in thinking about the world of cyberwar, and many obstacles stand in the way of such a treaty today. A treaty would not constrain the behavior of sub-national entities (e.g., terrorist groups, organized crime), which have some interest and capability to wage cyberwar. The instruments of cyberwarfare are technically hard to distinguish from those of cyberespionage, and the latter is not illegal under international law since all nations pursue it. Accountability would be difficult to enforce, given a lack of clarity about who might be responsible for a cyberattack that rises to the level of "warfare." Verification of a treaty that banned the instruments of cyberwarfare would be virtually impossible.
Before we are ready to begin negotiating any kind of treaty regarding cyberwarfare, a few preliminary steps are in order.
First, research is needed on whether some kind of arms control agreement in cyberspace, whose scope and nature are as yet unknown, could still be useful. The fact that traditional arms control doesn't extend well into cyberspace should not be taken to mean that no form of cyberarms control is feasible.
Second, nations concerned about cyberwarfare should seek common ground. "Common ground" might include developing a common language with which to describe the issues, such as understanding what activities constitute a significant cyberattack; how might damage or harm from a cyberattack be assessed; what activities might constitute evidence of hostile intent; how should cyberexploitation and intelligence-gathering be differentiated from cyberattacks; how, if at all, should exploitations for economic purposes be differentiated from exploitations for national security purposes; how, if at all, should military computer systems and networks be separated from those of the civilian population; how to determine the significance of nonstate parties that might launch cyberattacks; and how nations might respond to such attacks.
Third, it may be possible to reach agreement regarding certain topics in cyberspace outside the domain of national security. For example, many nations recognize fraud and child pornography as significant problems in cyberspace and have to some extent agreed on measures to deal with them. Protection of national infrastructures from third-party attacks may be another common interest.
If the steps above bear fruit, the resulting regime may go a long way toward laying the foundation for a more far-reaching treaty regarding cyberwarfare should that be deemed desirable.