International Cyberwar Treaty Would Quickly Be Hacked to Bits
Cyberespionage capabilities are evolving too fast for an unenforceable piece of paper to control them
June 8, 2012
Calls for international cyberwarfare treaties are certainly well-intentioned: The frightening prospect of widespread destruction of the computing networks that run the nation's power, water, transportation, and military command and control systems is something we would all like to avoid. However, the apocalyptic rhetoric of catastrophic cyberwar used to justify consideration of a cyberarms control treaty is overblown and misrepresents the actual threat. An international treaty is the wrong sort of solution to this problem and might even encourage the very activity it seeks to constrain.
A cyberweapon (like Stuxnet, which damaged Iranian uranium enrichment) is not like a nuclear bomb or a gun that can be used to damage many different types of targets all around the world. Traditional weapons can be tested on a range, stockpiled in an arsenal, and fired predictably at their targets in wartime. A cyberweapon, by contrast, must be carefully engineered against any particular target, and this requires a lot of intelligence, technical expertise, test infrastructure, and operational management. A cyberattack is less like a strategic bombing attack delivered by a formidable force of airplanes and missiles and more like a special operation staged by a daring band of commandos far behind enemy lines. A cyberweapon for espionage (like the spyware Duqu and Flame) likewise require lots of planning and expertise to control.
Covert operations are risky gambles (they might fail or be compromised if mistakes in planning or execution are made), and the damage they cause is far more unpredictable than that of traditional weapons. States resort to covert action options only when they don't have the will or ability (for either material or political reasons) to use overt force. When states act covertly, they break the domestic laws of other states (which is why spies can be caught and tried). Usually states moderate their ambitions for covert action because they don't want to trigger escalatory retaliation in the event the operation is compromised. Cyberoperations, like other types of intelligence and covert operations, take place in the shadows. An international treaty on cyberweapons would be like an international treaty against espionage and covert action. This is totally unenforceable, since such activity is designed to evade detection and attribution.
There will be no comprehensive cyberweapons treaty because it is, unfortunately, not in the interest of the (very few) states that have the capabilities to create such weapons to come to shared definitions, agreed monitoring, and enforcement mechanisms, and credible commitments to refrain from using them. Even if it were somehow possible to get agreement not to use cyberweapons of a particular type, this would only provide incentives for states to discover the loopholes and exceptions in the law. This is fundamentally what malicious hacking entails, after all: superficial obedience to the rules (in silicon or law) in order to evade defenses and make mischief. The Trojan Horse observed the norms of gift-giving in ancient Greece, and this hastened the downfall of Troy; similarly, malware can only exploit vulnerabilities because code in the target system allows it to do so. Moreover, the techniques for engineering complex cyberattack and exploitation will evolve far, far faster than international agreements, and states would be foolish to put their faith in protection of international law alone.
The rhetoric of cyberwar is frightening, but the reality is more complicated. A world without cyberweapons is probably more desirable, but an international treaty is not the way to get there. I am not a lawyer (I write as an international security scholar), but I suspect that existing international law of war and legal mechanisms for managing covert operations in this country are probably sufficient, or at most need just marginal adjustments, in order to deal with the problems posed by cyberweapons. Cyberwar is not a revolutionary development, but a complicating electronic elaboration on clandestine and covert operations, and states have been conducting these for centuries.