By Christopher Neiweem |
Any ratified cyberwarfare treaty should be printed on the same stock of paper as the euro note to remind the signatories how ultimately without value some forms of international cooperation may sometimes be. Moreover, even if such a treaty would be promulgated, much like the League of Nations, it is not in the best interests of the United States to join. Each thought will be addressed in turn below.
A cyberwarfare treaty would be ineffective. First, there is no concrete definition of cyberwarfare. If the definition of the subject of the treaty cannot be agreed upon, the treaty negotiators cannot proceed further. Moreover, most cyberattacks have come from inconclusively determined origins, due to the abilities of attackers to disguise them. Given the difficulty of attribution, international negotiators will have to create a heightened bar to establish a signatory's responsibility. International legal standards disagree on two points: the level of control a state must have in order to be liable, and the burden of proof on that attribution. Nations that rely on non-state actors will have more incentive to continue using loosely controlled "hacktivists" to carry out attacks to slip under that standard, claiming both a lack of control and that an aggrieved party must prove that control beyond any doubt. Rather than "civilizing" cyberwarfare, any treaty would have the effect of unleashing computer partisan rangers against critical cyberinfrastructure, with potentially devastating consequences.
Moreover, there has been a lack of international appetite to support the aggrieved nation and respond in kind to the aggressor nation. In 2007, Estonia specifically requested the attacks it absorbed from Russia be treated as a cyberattack by NATO and its request was denied due, in large part, to the factual uncertainties behind attribution and the lack of desire to escalate tensions in response to computer hacking. If NATO's treaty failed to protect Estonia, why would a larger, vaguer treaty be more protective?
Finally, there is a strong reason not to curtail cyberattacks. The United States and Israel were able to nonviolently set back Iran's nuclear program through Stuxnet without a single casualty. Considering the alternative drone strike that would surely have brought about human loss, cyberwarfare, if correctly deployed, may turn out to be something the international community may wish to encourage rather than discourage. At the very least, the United States would be foolish to sign away a weapon it can so effectively and nonviolently deploy.
About Lawrence L. Muir Jr. Computer Crime Prosecutor
Jon Lindsay Research Fellow at the University of California Institute on Global Conflict and Cooperation at UC-San Diego.
Sean Lawson Assistant Professor at the University of Utah
Bruce Schneier Security Technologist and Author
Herbert Lin Chief Scientist of the Computer Science and Telecommunications Board of the National Research Council.
Martin Libicki Author of 'Cyberdeterrence and Cyberwar'