More

    Cyber Arms Control and Global Security

    Share

    Cyber Arms Control refers to international efforts to establish regulations and agreements that aim to prevent the escalation of cyber attacks and promote global security. It involves measures to limit:

    1. the development;
    2. deployment;
    3. and use of offensive cyber capabilities by nation-states and other actors.

    1.0. The Hauge Convention in 1899

    Arms control is a distinctive feature of modern geopolitics. The Hauge Convention in 1899, the 1922 Washington Treaty, to SALT I and II all are examples of this. Nations are wary of the destructive potential of new weapons, both in terms of physical destruction wrought by them and the financial destruction that comes with unimpeded stockpiling.

    In the modern era, nuclear arms control remains a topic of lively debate. Yet, one aspect of contemporary warfare still needs to be addressed in actions of arms control; cyberwarfare. Cyber arms control is an important issue, perhaps the most important one to tackle in a world increasingly reliant on electronics, networking, and artificial intelligence. 

    Cyber arms control faces many issues before the international community can implement it properly. This article briefly examines the phenomenon’s history and explains why arms control is necessary. It will finish with the issues presented with creating arms control in this domain. Finally, it will address a potential path forward.

    2.0. Cyberwarfare

    Cyberwarfare naturally grew out of the concept of Information Warfare (source). In the later years of the Cold War, as technological reliance increased, NATO and the Warsaw Pact concluded that disrupting this information chain was essential to victory in a Cold-War-gone-hot scenario (source).

    From very early on, it was clear that Information Warfare did not need to focus solely on military-centric activity. All manner of tools and targets could be used to

    “disrupt the ability of an adversary to purposefully pursue its goals in times of crisis or war” (source).

    2.0.1. Cyberwarfare as a Grey Zone Conflict

    Nations fight today’s conflicts in the space between war and peace, known as the grey zone (source). Cyber warfare is an aspect of grey zone conflict, economic coercion, information campaigns, and political action (source). The danger of grey zone warfare is that it has become a permanent fixture of great-power rivalry.

    In 2013, a United Nations Institute for Disarmament Research study found that 41 nations had built up offensive cyber capabilities (source). This number has doubtless increased substantially.

    Furthermore, because of the nature of the cyber domain, non-state actors are an increasing threat (source). Experts identify these as cyber mercenaries, hacktivists, or cybercrime syndicates (source). 

    2.1. Cyber Operations

    Because of their vast resources, national organisations are often at the cutting edge of cyber weapon development.

    • The American National Security Agency (NSA)
    • British General Communication Headquarters (GCHQ)
    • Israeli National Cyber Security Authority (NCSA)
    • Chinese Strategic Support Force (SSF)

    are just a few of the hundreds of organisations worldwide with the resources to construct cyber weapons (source). The world tacitly accepts the monopoly of violence held by states, which is why nuclear weapon ownership is permitted to states but denied to non-state actors.

    As such, cyber weapon ownership defaulting to state possession is logical. States also facilitate the most active in the cyber domain. Since 2005, the Council on Foreign Relations suspects 34 countries of sponsoring or conducting cyber operations. China, Iran, North Korea, and Russia account for 77 per cent of all operations (source). 

    However, as implied above and stated previously, states are not the only organisations able to conduct cyber attacks. Often, nations have contracted non-state entities to perform their dirty work and maintain plausible deniability. In the 2008 Russian invasion of Georgia, the Russian Business Network,

    “one of the most power cybercriminal organisations ever,”

    helped facilitate the invasion by targeting government sites, news organisations, and financial institutions (source)(source). 

    A column of Russian armoured vehicles move through North Ossetia towards the breakaway republic of South Ossetia's capital Tskhinvali. Cyberweapons were instrumental in Russia's victory during the conflict, and further the need for cyber arms control.
    A column of Russian armoured vehicles move through North Ossetia towards the breakaway republic of South Ossetia’s capital Tskhinvali. Cyberweapons were instrumental in Russia’s victory during the conflict. Original Source: https://osce.usmission.gov/twelve-years-since-the-full-scale-military-aggression-against-georgia-by-russia/

    2.2. Cyber Arms Proliferation

    The globally interconnected nature of the internet presents a host of challenges that make the proliferation of cyber weapons an almost guaranteed certainty.

    2.2.1: Stuxnet

    For example, in 2010, a virus sabotaged Iranian uranium enrichment centrifuges at the Natanz nuclear facility (source). Most experts attribute the attack to a joint effort by Israeli and American intelligence agencies (source). However, once released, the virus spread to other computers, where cybersecurity companies discovered it and named it “Stuxnet” (source). Researchers published detailed information on Stuxnet in scientific papers worldwide. Interested actors could dissect the inner workings of a highly sophisticated and dangerous cyber weapon (source).

    Centrifuge machines at the gas centrifuge enrichment plant in Piketon, Ohio. Similar machines were operated at Natanz, and require extensive maintenance, typically carried out by computers. The Stuxnet attack ruined dozens of centrifuges, costing Iran millions of dollars and years of progress towards a nuclear device. It also brought with it the concept of cyber arms control.
    Centrifuge machines at the gas centrifuge enrichment plant in Piketon, Ohio. Similar machines were operated at Natanz, and require extensive maintenance, typically carried out by computers. The Stuxnet attack ruined dozens of centrifuges, costing Iran millions of dollars and years of progress towards a nuclear device. Original Source: https://nsarchive.gwu.edu/briefing-book/nuclear-vault/2012-06-23/early-atomic-energy-commission-studies-show-concern-over-gas

    “first publicly known instance in which a cyber operation caused physical damage outside of a controlled testing environment […] demonstrated the potential effectiveness and value of a cyber weapon” (source).

    In demonstrating the weakness of computerised systems, Stuxnet “legitimised cyberweapons” as a tool of grey zone conflict (source). This has spurred an arms race similar to that which occurred following WWII (source). Cyber attacks have continued to grow at a precipitous rate since the deployment of Stuxnet. Additionally, attacks in 2015-2015 have used bugs derived from Stuxnet’s code (source).

    2.2.2. WannaCry

    Another example of this phenomenon is present in the 2017 WannaCry ransomware attacks (source). Lax security of the NSA’s cyber weapons vault resulted in the release of these devices to the general public (source). One of these, known as EternalBlue, infected over 200,000 computer systems in 150 countries (source).

    The Shadow Brokers, a non-state organisation, targeted the UK’s National Health Service, resulting in a loss of £5.9 million and the cancellation of 13,500 medical appointments (source). The WannaCry ransomware attack, named as such for the message displayed on affected computers, has been linked to the North Korean government (source). 

    A screengrab from a computer infected with the WannaCry virus. The destructive nature of the virus highlights the need for cyber arms control.
    A screengrab from a computer infected with the WannaCry virus. Original Source: https://www.youtube.com/watch?v=Zy4G30kSPnY

    3.0. Cyber Arms Control

    Cyber attacks certainly affect states and state institutions. However, the danger of cyber arms proliferation becomes apparent when one considers just how vital computer systems are to society. 

    3.1. Furthering the Case for Cyber Arms Control

    In 2021, hackers attacked Colonial Pipeline, a company “which provides about 45% of the U.S. East Coast’s fuel, [which] disrupted gas supplies for days” (source). Four US states declared a state of emergency (source). The average price of gasoline increasing nationwide by $3 per gallon (source). The group responsible, DarkSide, is believed to have the sanction of Russia, which tolerates their behaviour as long as they do not target Russian interests (source).

    Similarly, in 2017, Russian hackers working for the Russian government tried to destroy a Saudi petrochemical plant. They disabled safety features using Triton, “the world’s most murderous malware” (source). Researchers have documented Triton attacking North American industrial plants, including nuclear sites (source). A successful attack could lead to a mass casualty event, widespread disruption of essential services, or even nuclear contamination. 

    3.1.1. The Internet of Things

    The additional concern comes with the widespread incorporation of the internet in mundane objects, usually identified by a “smart” prefix (source). The so-called “Internet of Things” presents additional challenges; hacker groups could hijack a self-driving car and cause it to crash. It could short-circit a fridge and start a fire. Indeed, a refrigerator likely caused the electrical fire that killed 72 in Grenfell Tower (source). What are the security implications of connecting appliances to the internet? Experts are beginning to answer these questions, but governments have yet to follow.

    These events and considerations underline the need to establish some sort of cyber arms control in the near future before attacks get out of hand.

    3.2. Defining Cyber Arms Control

    The common framework most have when discussing arms control is nuclear weapon treaties. The US and Soviet Union instituted Nuclear arms control under the universal understanding that they must avoid nuclear war (source). It can include limiting or reducing the number of weapons in a given state’s inventory, disarming nations entirely, or banning the use of particular weapons (source). As Tomas Reinhold and Christian Reuter define it, arms control has three principal tasks;

    • To prevent or reduce the likelihood of conflict breaking out,
    • To limit the damage caused by these weapons in the case of conflict,
    • And to reduce the cost of producing weapons and free up these funds for other projects (source).

    Conventional and nuclear arms control has been successful in the past. Notable examples include:

    • The Strategic Arms Limitation Treaty (SALT) I and II, which limited the stockpiles of strategic missile defence interceptors (source).
    • The Hauge Convention, codified rules of warfare (source).
    • The Biological and Chemical Weapons Technology Agreement banned such weapons in war (source).
    President Gerald R. Ford and General Secretary Leonid Brezhnev at the Vladivostok Summit, signing SALT II on 24 November 1974. SALT II is an arms control framework with dubious lessons for cyber arms control.
    President Gerald R. Ford and General Secretary Leonid Brezhnev at the Vladivostok Summit, signing SALT II on 24 November 1974.

    3.3. The Issues in Applying Traditional Arms Control to the Cyber Domain

    Do previous examples of successful arms control treaties hold lessons for cyber arms control? Not quite. Arms control requires a mutual understanding of the environment, which is unlikely to occur for several reasons.

    3.3.1. What is a Weapon?

    The first issue encountered is the definition of a weapon. Is a wrench a weapon? It depends on the context. Cyber weapons fixate on one aspect of a network; Stuxnet had benign to non-existent effects beyond the computers at Natanz that controlled the centrifuges (source). Iran would undoubtedly define Stuxnet as a weapon. In contrast, the US and Israel would see it as a tool to prevent a conventional strike on the Natanz plant.

    3.3.2. Exponential Technological Advancement

    The second issue arises with the rapid evolution of the cyber domain. One of the reasons nuclear arms treaties were allowed to exist was because of “[t]he lag time in nuclear innovation giv[ing[ states breathing room to adjust arms control agreements or develop other means, such as tailored intelligence or their own complementary programs, to mitigate the fears posed by technological advances” (source). Cyberspace faces no such lag time in the near term. Additionally, it is nigh impossible to identify an adversary’s capabilities, stockpiles, and intent in the cyber domain (source). 

    A graph showing Moore's Law, which states the integrated circuits doubles every two years, leading to huge advances in computing.
    Max Roser, Hannah Ritchie, CC BY 4.0 https://creativecommons.org/licenses/by/4.0, via Wikimedia Commons

    3.3.3. Mechanisms of Enforcement

    Third, it is impossible to enforce the mandate of an arms control agreement regarding the use of cyber weapons. Whereas conventional weapons can be analysed using intelligence gathered from human sources, satellite imagery, and diplomatic traffic, cyber arms cannot be so easily monitored (source).

    Non-state actors can develop and export their weapons. Tracking cyber weapon use is very difficult compared to seismic tests, eyewitness testimony, and intelligence used to enforce other nuclear and conventional arms control agreements.

    3.4. The Future of Cyber Arms Control

    The issues described in the previous section do not precede the ultimate failure of cyber arms control. Indeed, experts assert that cyber arms control is both necessary and doable, but considerations must be taken (source)(source).

    3.4.1. Reaching a Consensus

    First, nations must reach a consensus on what constitutes a cyber weapon (source). With cyber capabilities increasingly becoming more dangerous, this is more likely as time goes on. Are disinformation campaigns, such as those used by Russia during its interference in the 2016 US elections (among many other examples), cyberweapons (source)? These are the essential questions that policymakers must answer to lay the foundation of a cyber arms control agreement.

    3.4.2. Instituting Export Controls

    Next, it is important to institute controls on the export of cyber weapons (source). How this will come into form depends on the outcome of the first step. However, ensuring that cyberweapons do not reach dangerous non-state actors or pariah states will be an inescapable part of any future cyber arms control agreement.

    3.4.3. Identifying Cyberweapon Capabilities

    Nations must codify their cyber weapons by capability and intended use before arms control regimes can be instituted (source). As implied above, traditional arms control requires understanding your rival’s potential for harm; this step ensures that the stakes are made clear. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is an example of such a policy leading to more stable, long-term agreements (source).

    3.4.4. Additional Considerations

    Finally, it is important to understand that cyber arms control agreements will likely be on a case-by-case basis and enforced through formal and informal mechanisms (source). The unique nature of cyber weapons, being designed for hyper-specific tasks, means that a one-size-fits-all approach is unlikely to work, especially as capabilities continue to develop (source). States may choose to physically sign a document pledging not to use or limit the use of cyber weapons, or they may choose to strike an informal agreement to the same end. Red lines, or lines in the sand, are also fairly effective methods of instituting informal arms control (source).

    4.0. Summary

    Cyber arms control presents a unique situation for a multitude of reasons. There is a demonstrated need to limit the employment of these devices, given the potential for economic and physical damage they can inflict. At the same time, there are a multitude of issues that come with attempting to apply lessons from past arms control endeavours. Cyberspace is a fundamentally new environment. We can draw lessons from the past. However, they cannot be solely relied upon. The path ahead will be difficult, but it is necessary. 

    Maxwell Goldstein
    Maxwell Goldstein
    Maxwell is a Junior Intelligence Analyst and student pursuing an international master's degree through the Erasmus Mundus IMSISS programme. His areas of focus are aerospace, technology, and the Indo-Pacific.

    Table of contents

    Newsletter

    Get the weekly email from Grey Dynamics that makes reading intel articles and reports actually enjoyable. Join our mailing list to stay in the loop for free!

    Related contents

    Subscribe to our Newsletter!
    I agree to receive the latest emails
    and offers from Grey Dynamics.
    Intelligence
    not Information
    Subscribe Now
    Subscribe to our Newsletter!
    I agree to receive the latest emails
    and offers from Grey Dynamics.
    Intelligence
    not Information
    Subscribe Now
    Learn to create professional videos and have fun in the process of creating videos.
    Video Review And Collaboration.
    Get Started