Cyber Arms Control: Trust, but Don’t Verify?
In the twenty-first century, attacks against computer systems and networks emerged as powerful tools of warfare.
During the 2008 invasion of the Republic of Georgia, Georgian computer systems suffered attacks in parallel to Russia’s conventional offensive. In 2010, the Stuxnet computer worm damaged the Iranian nuclear facilities at Bushehr and Natanz. Recognizing the threat posed by state sponsored cyber attacks, the Pentagon recently accused the Chinese military of attacking U.S. systems.
Interest in a cyber arms control regime has developed as cases of state sponsored cyber war increase. Yet due to the anonymity of cyberspace, treaties seeking to limit cyber weapons will lack the crucial verification component.
Two major challenges prevent the replication of traditional arms control agreements in cyberspace:
- Verification: Arms control treaties require verification mechanisms and reliance on a “trust, but verify” model. Yet current technologies cannot verify compliance with any ban on cyber weapons or cyber war tactics
- Attribution: Cyber weapons are not solely under the control of state actors, and tracking the source of a cyber attack presents unique challenges with no equivalent in traditional arms control. Even if the origination of an attack is tracked to within a state’s borders, unequivocally distinguishing between a state sponsored cyber attack and one led by a private citizen remains impossible
While a verifiable arms control treaty remains out of reach given the limitations of current technologies, strategies for mitigating a cyber arms race could include:
- Forging agreements to foster transnational cooperation in cyber forensics to identify the perpetrator of attacks, thereby developing trust and conceivably creating a deterrent
- Establishing peacetime norms of behavior in cyberspace that reflect the structure for acceptable cyber activities, similar to the arms control norms currently affecting state actions in the domain of space
A verifiable cyber arms control treaty remains a nonstarter. Yet the international community should act to form cooperative agreements and shape new international norms that promote restraint in cyberspace.