Cyber Arms Control refers to international efforts to establish regulations and agreements that aim to prevent the escalation of cyber attacks and promote global security in the digital age. It involves measures to limit the development, deployment, and use of offensive cyber capabilities by nation-states and other actors.
Arms control is a distinctive feature of modern geopolitics. The Hague Convention of 1899, the 1922 Washington Treaty, and SALT I and II are all examples of this. Nations are wary of the destructive potential of new weapons, both in terms of physical destruction wrought by them and the financial destruction that comes with unimpeded stockpiling. In the modern era, nuclear arms control remains a topic of lively debate. Yet one aspect of contemporary warfare still needs to be addressed by arms control: cyberwarfare. Cyber arms control is an important issue, perhaps the most important one to tackle in a world increasingly reliant on electronics, networking, and artificial intelligence.
Cyber arms control faces many issues before the international community can implement it properly. This article briefly examines the phenomenon’s history and explains why arms control is necessary. It then covers the issues that arise in creating arms control in this domain. Finally, it addresses a potential path forward.
Cyberwarfare naturally grew out of the concept of Information Warfare (source). In the later years of the Cold War, as technological reliance increased, NATO and the Warsaw Pact concluded that disrupting this information chain was essential to victory in a Cold-War-gone-hot scenario (source). From very early on, it was clear that Information Warfare did not need to focus solely on military-centric activity. All manner of tools and targets could be used to “disrupt the ability of an adversary to purposefully pursue its goals in times of crisis or war” (source).
1.0.1: Cyberwarfare as a Grey Zone Conflict
Nations fight today’s conflicts in the space between war and peace, known as the grey zone (source). Cyber warfare is an aspect of grey zone conflict, along with economic coercion, information campaigns, and political action (source). The danger of grey zone warfare is that it has become a permanent fixture of great-power rivalry. In 2013, a United Nations Institute for Disarmament Research study found that 41 nations had built up offensive cyber capabilities (source). This number has doubtless increased substantially. Furthermore, because of the nature of the cyber domain, non-state actors are an increasing threat (source). Experts identify these as cyber mercenaries, hacktivists, or cybercrime syndicates (source).
1.1: Cyber Operations
Because of their vast resources, national organisations are often at the cutting edge of cyber weapon development. The American National Security Agency (NSA), British General Communication Headquarters (GCHQ), Israeli National Cyber Security Authority (NCSA), and Chinese Strategic Support Force (SSF) are just a few of the hundreds of organisations worldwide with the resources to construct cyber weapons (source). The world tacitly accepts the monopoly of violence held by states, which is why nuclear weapon ownership is permitted to states but denied to non-state actors. As such, cyber weapon ownership defaulting to state possession is logical. States also facilitate the most activity in the cyber domain. Since 2005, the Council on Foreign Relations has suspected 34 countries of sponsoring or conducting cyber operations. China, Iran, North Korea, and Russia account for 77 per cent of all operations (source).
However, as implied above and stated previously, states are not the only organisations able to conduct cyber attacks. Often, nations have contracted non-state entities to perform their dirty work and maintain plausible deniability. In the 2008 Russian invasion of Georgia, the Russian Business Network, “one of the most powerful cybercriminal organisations ever,” helped facilitate the invasion by targeting government sites, news organisations, and financial institutions (source) (source).
1.2: Cyber Arms Proliferation
The globally interconnected nature of the internet presents a host of challenges that make the proliferation of cyber weapons a near certainty.
For example, in 2010, a virus sabotaged Iranian uranium enrichment centrifuges at the Natanz nuclear facility (source). Most experts attribute the attack to a joint effort by Israeli and American intelligence agencies (source). However, once released, the virus spread to other computers, where cybersecurity companies discovered it and named it “Stuxnet” (source). Researchers published detailed information on Stuxnet in scientific papers worldwide. Interested actors could dissect the inner workings of a highly sophisticated and dangerous cyber weapon (source).
Stuxnet, as the “first publicly known instance in which a cyber operation caused physical damage outside of a controlled testing environment […] demonstrated the potential effectiveness and value of a cyber weapon” (source). In demonstrating the weakness of computerised systems, Stuxnet “legitimised cyberweapons” as a tool of grey zone conflict (source). This has spurred an arms race similar to that which occurred following WWII (source). Cyber attacks have continued to grow at a precipitous rate since the deployment of Stuxnet. Additionally, attacks in 2015-2015 have used bugs derived from Stuxnet’s code (source).
Another example of this phenomenon is the 2017 WannaCry ransomware attacks (source). Lax security of the NSA’s cyber weapons vault resulted in the release of these devices to the general public (source). One of these, known as EternalBlue, infected over 200,000 computer systems in 150 countries (source). The Shadow Brokers, a non-state organisation, targeted the UK’s National Health Service, resulting in a loss of £5.9 million and the cancellation of 13,500 medical appointments (source). The WannaCry ransomware attack, named as such for the message displayed on affected computers, has been linked to the North Korean government (source).
2.0: Cyber Arms Control
Cyber attacks certainly affect states and state institutions. However, the danger of cyber arms proliferation becomes apparent when one considers just how vital computer systems are to society.
2.1: Furthering the Case for Cyber Arms Control
In 2021, hackers attacked Colonial Pipeline, a company “which provides about 45% of the U.S. East Coast’s fuel, [which] disrupted gas supplies for days” (source). Four US states declared a state of emergency (source). The average price of gasoline increased nationwide by $3 per gallon (source). The group responsible, DarkSide, is believed to have the sanction of Russia, which tolerates their behaviour as long as they do not target Russian interests (source).
Similarly, in 2017, Russian hackers working for the Russian government tried to destroy a Saudi petrochemical plant. They disabled safety features using Triton, “the world’s most murderous malware” (source). Researchers have documented Triton attacking North American industrial plants, including nuclear sites (source). A successful attack could lead to a mass casualty event, widespread disruption of essential services, or even nuclear contamination.
2.1.1: The Internet of Things
An additional concern comes with the widespread incorporation of the internet into mundane objects, usually identified by a “smart” prefix (source). The so-called “Internet of Things” presents additional challenges: hacker groups could hijack a self-driving car and cause it to crash. They could short-circuit a fridge and start a fire. Indeed, a refrigerator likely caused the electrical fire that killed 72 in Grenfell Tower (source). What are the security implications of connecting appliances to the internet? Experts are beginning to answer these questions, but governments have yet to follow.
These events and considerations underline the need to establish some sort of cyber arms control in the near future before attacks get out of hand.
2.2: Defining Cyber Arms Control
The common framework most have when discussing arms control is nuclear weapon treaties. The US and Soviet Union instituted nuclear arms control under the universal understanding that they must avoid nuclear war (source). Arms control can include limiting or reducing the number of weapons in a given state’s inventory, disarming nations entirely, or banning the use of particular weapons (source). As Thomas Reinhold and Christian Reuter define it, arms control has three principal tasks:
- To prevent or reduce the likelihood of conflict breaking out,
- To limit the damage caused by these weapons in the case of conflict,
- And to reduce the cost of producing weapons and free up these funds for other projects (source).
Conventional and nuclear arms control has been successful in the past. Notable examples include:
- The Strategic Arms Limitation Treaty (SALT) I and II, which limited the stockpiles of strategic missile defence interceptors (source).
- The Hague Convention, which codified rules of warfare (source).
- The Biological and Chemical Weapons Technology Agreement, which banned the use of such weapons in war (source).
2.3: The Issues in Applying Traditional Arms Control to the Cyber Domain
Do previous examples of successful arms control treaties hold lessons for cyber arms control? Not quite. Arms control requires a mutual understanding of the environment, which is unlikely to occur for several reasons.
2.3.1: What is a Weapon?
The first issue encountered is the definition of a weapon. Is a wrench a weapon? It depends on the context. Cyber weapons fixate on one aspect of a network; Stuxnet had benign to non-existent effects beyond the computers at Natanz that controlled the centrifuges (source). Iran would undoubtedly define Stuxnet as a weapon. In contrast, the US and Israel would see it as a tool to prevent a conventional strike on the Natanz plant.
2.3.2: Exponential Technological Advancement
The second issue arises with the rapid evolution of the cyber domain. One of the reasons nuclear arms treaties were able to exist was “[t]he lag time in nuclear innovation giv[ing] states breathing room to adjust arms control agreements or develop other means, such as tailored intelligence or their own complementary programs, to mitigate the fears posed by technological advances” (source). Cyberspace faces no such lag time in the near term. Additionally, it is nigh impossible to identify an adversary’s capabilities, stockpiles, and intent in the cyber domain (source).
2.3.3: Mechanisms of Enforcement
Third, it is impossible to enforce the mandate of an arms control agreement regarding the use of cyber weapons. Whereas conventional weapons can be analysed using intelligence gathered from human sources, satellite imagery, and diplomatic traffic, cyber arms cannot be so easily monitored (source). Non-state actors can develop and export their own weapons. Tracking cyber weapon use is very difficult compared to seismic tests, eyewitness testimony, and intelligence used to enforce other nuclear and conventional arms control agreements.
2.4: The Future of Cyber Arms Control
The issues described in the previous section do not mean that cyber arms control is bound to fail. Indeed, experts assert that cyber arms control is both necessary and doable, but certain considerations must be taken into account (source) (source).
2.4.1: Reaching a Consensus
First, nations must reach a consensus on what constitutes a cyber weapon (source). With cyber capabilities becoming increasingly dangerous, such a consensus becomes more likely as time goes on. Are disinformation campaigns, such as those used by Russia during its interference in the 2016 US elections (among many other examples), cyberweapons (source)? These are the essential questions that policy makers must answer in order to lay the foundation of a cyber arms control agreement.
2.4.2: Instituting Export Controls
Next, it is important to institute controls on the export of cyber weapons (source). What form these controls take depends on the outcome of the first step. However, ensuring that cyberweapons do not reach dangerous non-state actors or pariah states will be an inescapable part of any future cyber arms control agreement.
2.4.3: Identifying Cyberweapon Capabilities
Nations must codify their cyber weapons by capability and intended use before arms control regimes can be instituted (source). As implied above, traditional arms control requires understanding your rival’s potential for harm; this step ensures that the stakes are made clear. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is an example of such a policy leading to more stable, long-term agreements (source).
2.4.4: Additional Considerations
Finally, it is important to understand that cyber arms control agreements will likely be on a case-by-case basis and enforced through formal and informal mechanisms (source). The unique nature of cyber weapons, being designed for hyper-specific tasks, means that a one-size-fits-all approach is unlikely to work, especially as capabilities continue to develop (source). States may choose to physically sign a document pledging not to use, or to limit the use of, cyber weapons, or they may choose to strike an informal agreement to the same end. Red lines, or lines in the sand, are also fairly effective methods of instituting informal arms control (source).
Cyber arms control presents a unique situation for a multitude of reasons. There is a demonstrated need to limit the employment of these devices, given the potential for economic and physical damage they can inflict. At the same time, there are a multitude of issues that come with attempting to apply lessons from past arms control endeavours. Cyberspace is a fundamentally new environment. We can draw lessons from the past. However, they cannot be solely relied upon. The path ahead will be difficult, but it is necessary.