A Treaty Would Do Nothing to Prevent Cyberterrorist Groups

About Herbert Lin:

Herbert Lin is chief scientist of the Computer Science and Telecommunications Board of the National Research Council. More can be found in these 2009 and 2010 NRC reports

No, not yet. But possibly in the future.

Traditional arms control approaches do not work well in thinking about the world of cyberwar, and many obstacles stand in the way of such a treaty today. A treaty would not constrain the behavior of sub-national entities (e.g., terrorist groups, organized crime), which have some interest and capability to wage cyberwar. The instruments of cyberwarfare are technically hard to distinguish from those of cyberespionage, and the latter is not illegal under international law since all nations pursue it. Accountability would be difficult to enforce, given a lack of clarity about who might be responsible for a cyberattack that rises to the level of "warfare." Verification of a treaty that banned the instruments of cyberwarfare would be virtually impossible.

Before we are ready to begin negotiating any kind of treaty regarding cyberwarfare, a few preliminary steps are in order.

[Read: NSA Built Stuxnet, But Real Trick Is Building Crew of Hackers]

First, research is needed on whether some kind of arms control agreement in cyberspace, whose scope and nature are as yet unknown, could still be useful. The fact that traditional arms control doesn't extend well into cyberspace should not be taken to mean that no form of cyberarms control is feasible.

Second, nations concerned about cyberwarfare should seek common ground. "Common ground" might include developing a common language with which to describe the issues, such as understanding what activities constitute a significant cyberattack; how might damage or harm from a cyberattack be assessed; what activities might constitute evidence of hostile intent; how should cyberexploitation and intelligence-gathering be differentiated from cyberattacks; how, if at all, should exploitations for economic purposes be differentiated from exploitations for national security purposes; how, if at all, should military computer systems and networks be separated from those of the civilian population; how to determine the significance of nonstate parties that might launch cyberattacks; and how nations might respond to such attacks.

[Read the U.S. News debate: Should the Congress Pass CISPA?]

Third, it may be possible to reach agreement regarding certain topics in cyberspace outside the domain of national security. For example, many nations recognize fraud and child pornography as significant problems in cyberspace and have to some extent agreed on measures to deal with them. Protection of national infrastructures from third-party attacks may be another common interest.

If the steps above bear fruit, the resulting regime may go a long way toward laying the foundation for a more far-reaching treaty regarding cyberwarfare should that be deemed desirable.

• Join the debate on Facebook.
• Follow U.S. News Debate Club on Twitter.
• Check out U.S. News Weekly: an insider's guide to politics and policy.

Tags:

international treaties,

cybersecurity