Cyberwarfare Treaty Would Be Premature, Unnecessary, and Ineffective
Even the most damaging cyberattack to date--Stuxnet--may not have been cyberwarfare
June 8, 2012
Whether or not there should be an international treaty on cyberwarfare depends, in part, on the content of such a treaty. Such a treaty would most likely attempt to ban cyberwarfare outright, ban or restrict certain techniques of cyberwarfare, ban or restrict particular "cyberweapons," or some combination of these. Attempts such as these are premature, unnecessary, and would likely be ineffective.
First, a treaty to ban or restrict cyberwarfare activities would be difficult at best because cyberwarfare remains an ambiguous concept. Activities that are colloquially included under the term range from acts best described as political protest all the way up to attacks on critical infrastructure and much more in between. Some activity that often gets lumped under the term "cyberwarfare," such as cyberespionage, would be impossible to ban or regulate, making such a treaty unenforceable and ineffective.
Second, such a treaty is unnecessary because cyberwarfare has not yet proved itself as dangerous to people and property as other types of warfare. The most damaging cyberattack to date that might be considered an instance of cyberwarfare is the Stuxnet attack on Iranian centrifuges. But even in this case, there is widespread disagreement about whether Stuxnet was an example of cyberwarfare. Whatever the case, the impacts of this now-infamous cyberattack fall far short of traditional, kinetic attacks. Though they might be possible in the future, we have yet to see cyberattacks with effects that even approach those of traditional, kinetic attacks.
Third, if and when we do see such cyberattacks, existing international law is sufficient to determine when they rise to the level of an "armed attack" that justifies a military response. The Law of Armed Conflict principles of necessity, distinction, and proportionality will still apply and provide a basis for evaluating the legitimacy of cyberwarfare techniques deployed during times of conflict.
Finally, some have proposed the equivalent of arms control treaties to ban or restrict certain types of cyberweapons. There are two problems with such proposals. First, much of what gets described as a cyberweapon is not really a weapon at all. Most cybertechnology is fundamentally "dual use." "Cyberweapon" is more metaphor than accurate description.
Second, because such technologies are fundamentally dual use, widely available, and easy to conceal, the inspection and verification necessary to ensure treaty compliance would be virtually impossible.
Certainly, there is a need for greater international dialogue and cooperation in the area of cyberspace governance. The growing problem of cybercrime is one area that could greatly benefit from such cooperation. But an international treaty on cyberwarfare focused on banning or restricting certain tactics and/or "weapons" is premature, unnecessary, and would likely be ineffective.