Setting International Norms on Cyberwar Might Beat a Treaty
Restrictions on cyberweapons unenforceable, and could even harm cybersecurity
June 8, 2012
In 1975, NATO and the Warsaw Pact signed the Helsinki Accords, which among their many provisions pledged signatories to respect the freedom of speech. This provision was unenforceable, and the Warsaw Pact countries had no intention of honoring it. Yet the effort was not entirely wasted. Following the treaty's signing, citizens' groups in several countries organized to insist that their governments follow what they signed—and their pressure hastened the end of communism in Eastern Europe.
The case for international norms, rather than enforceable treaties, draws on such history.
Norms would represent what countries say they want the global cyberspace environment to be. True, states may not necessarily themselves follow what they preach for others. But they have at least established to their own citizens, notably their own business community, some standards against which their conduct may be measured. The emphasis on the business community matters in light of U.S. complaints about the flagrant theft of intellectual property perpetrated in cyberspace by other states. The hope is that such norms may constitute standards of fair play which countries believe they must follow to gain global business confidence.
By contrast, an arms control treaty that bans or restricts the development of cyberweapons is simply unenforceable—and might even harm cybersecurity. It would be unenforceable because the production of cyberweapons is so hard to detect. It is an indoor activity that produces nothing that observers can monitor, particularly if the relevant test beds are isolated from the Internet (as common sense dictates they should be). Furthermore, given the difficulties of attribution—cyberattacks lack fingerprints and hackers lack powder residues—even those who test and wield such weapons on the outside have a good chance of avoiding being caught if they maintain their tradecraft. In addition, those developing such capabilities tend to work for state security agencies that take secrecy and operational security very seriously.
Indeed, restricting cyberweapon development could even be harmful inasmuch as its core activity is the discovery of vulnerabilities in software—the very activity also required to bulletproof software against attacks from criminal hackers.