Look Toward Norms, Not Treaties, to Regulate Digital Weapons
By Łukasz Antoni Król
Traditional Arms Control Will Not Work
There is a temptation to limit the spread of digital weapons through arms control agreements akin to the Strategic Arms Limitation Talks and Strategic Arms Reduction Treaties that slowed nuclear proliferation. Unfortunately, this model could not be adapted to cyber warfare for several reasons. Establishing norms could be a much more effective strategy.
As scholars such as Valeriano and Maness [1] demonstrate, conventional and nuclear weapons deter when visible. An adversary will see another power’s nuclear potential and fear its retribution. Digital weapons only work when hidden. [2] If a state knew that its adversary discovered a software flaw that could be used to shut down critical infrastructure, then it would immediately patch such a flaw, rendering future attacks ineffective. Traditional arms control only works when weapons are visible and quantifiable, which is not the case with digital weapons. [3]
Traditional arms limitations treaties are upheld through a series of checks and inspections. It is possible to partially surveil a nuclear arsenal through tools such as satellite images. [4] Digital weapons are hidden in code and do not require industrial installations, making inspections nearly impossible.
A global agreement to share information about cyber vulnerabilities would not work either. Intelligence agencies stockpile such vulnerabilities, while some governments also cooperate with organized cyber crime groups. States have few incentives to inform others about software bugs. Not only this, but there is no unified definition of cyber crime and cyber warfare that all states have adopted. This, along with the jurisdictional issues that result from the cross-border nature of many digital attacks and states’ frequent unwillingness to investigate attacks that originate in their territory, makes it incredibly difficult to create any global regulatory system. [5]
Finally, while it is possible to attribute cyber attacks with some degree of accuracy, it is currently virtually impossible to prove their origin beyond reasonable doubt. [6] This means that international tribunals, and other bodies that traditionally uphold treaties and require a very high threshold of legal certainty, would rarely, if ever, be able to come to a definite decision on this matter. [7]
International Norms Might Help
While traditional arms control treaties would not limit the spread of cyber weapons, international norms could prove to be more successful. The current norms against the use of chemical weapons are so powerful that states frequently pursue kinetic action against an army that uses chemical weapons, [8] even if such action leads to few geopolitical gains. The Trump administration’s response to the chemical attack in Syria stands as a good example.
States could formulate a common international norm that would similarly condemn any cyber attack that leads to kinetic damage and civilian casualties, such as attacks that target a power grid or hospitals. [9]Such an attack could be classified as a war crime, and the international community would be warranted in responding to it with force. The attribution of a cyber attack might seem difficult, with its true origin potentially hidden behind many layers of virtual networks. States that carry out such attacks might blame criminal groups for them. Even so, advanced digital forensics, combined with international cooperation, allow intelligence agencies to attribute attacks with a fair, though not perfect, degree of accuracy. [10]
Any state that possesses internet addresses implicated in an attack and does not take responsibility for it should be forced to cooperate in an investigation to find the real culprits. Those that fail to do so would face global condemnation, just as a state that lost control of fissile material would be treated. Such a response would only follow serious attacks that lead to casualties, rather than small-scale skirmishes. Any state can have vandals that deface websites in its midst. Under these criteria, however, a state that has an uncontrolled cyber criminal group in its territory that is capable of killing civilians should be treated as a threat to global security and face the consequences—for example, condemnation or isolation. It could perhaps even be temporarily cut off from global internet connections. There is some precedent for this: states that refuse to cooperate with global norms are sometimes labeled as rogue or pariah states. The international community increasingly sees them as states with which they simply cannot do business, since they aim to disrupt, rather than uphold, the international system. [11] Those that fail to cooperate with investigations in digital weapons and attacks could be labeled in a similar manner.
Norms that worked in the past have created a strong taboo against the use of chemical weapons. [12] Norms against digital weapons could work because the long-term benefits of reliable online connectivity outshine the advantages of a successful cyber attack. Not only that, but cyber attacks, especially those that destroy online connectivity, are likely to disproportionately harm elites. As internet sociologist Zeynep Tufekci suggests, flying’s safety record can be partially attributed to first class passengers being exposed to the same risks as those who are less well off (in the case of a crash). [13] Something similar is likely to happen in terms of cyber attacks. Only around a third of Americans, mostly those who are wealthier and based in metropolitan areas, use ridesharing services such as Lyft and Uber; [14] Amazon Prime seems to target wealthier neighborhoods over poorer ones. [15] The work and lifestyles of many globalized professionals, including politicians, would similarly be rendered impossible without steady encryption and effective internet connections. As reporter Emily Badger argued, the United States is unlikely to restrict Uber’s operations, as it has far too many satisfied politicians and staffers among its customers. [16] A similar argument could be made for constant and regular internet connectivity—the most wired members of society would viscerally feel any disruptions. As such, there is a huge incentive to boost digital defense and negotiate appropriate international norms, as the risk of large-scale cyber attacks becomes increasingly real and perceptible.
A Way Forward?
Cyber attacks are difficult to attribute. Jurisdictional and definitional issues continue to be unresolved. Finally, unlike traditional arms, where deterrence mechanisms encourage all sides to show off their arsenals, digital weapons only work when hidden. All of these factors make standard regulation in the form of a treaty incredibly difficult. Still, almost every state has much more to lose than to gain from a world in which digital attacks are constant and rampant, especially for wired and globalized elites. This makes it likely that we will soon start to develop norms—ethical ideas much like as the chemical weapons taboo—rather than explicit treaties that regulate digital weapons. Norms are social constructs that are flexible and can adapt much more quickly to fast-changing technical realities than formal international laws do. After the Novichok chemical attacks on U.K. soil, some states took steps to treat Russia as a pariah state. Following the murder of journalist Jamal Khashoggi, international pressure forced Saudi Arabia to acknowledge the killing. In both cases, norms managed to effectively penalize the offender when laws were unable to do so. Something similar could happen if digital weapons ever cause large scale harm to civilians or critical infrastructure.
Disclaimer: After creating and sharing an initial draft of the article, the author was invited to two consultation sessions by Microsoft and the GMF related to the Digital Geneva Convention. The author received no remuneration, save for free food and drinks, for taking part in such consultations.
About the Author
Łukasz Antoni Król is a political scientist and independent researcher. A graduate of the Universities of St. Andrews and Cambridge, he now focuses on topics such as digital affairs, journalism, and European politics.
Endnotes
Brandon Valeriano and Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System (Oxford University Press, 2015).
Ibid.
Ibid.
Cohen, Zachary. “Satellite Images Show North Korea Upgrading Nuclear Facility.” CNN. June 27, 2018. https://www.cnn.com/2018/06/27/politics/north-korea-infrastructure-improvements-nuclear-facility/index.html.
Kulesza, Joanna. 2008. “Internet Governance and the Jurisdiction of States: Justification of the Need for an International Regulation of Cyberspace”. Polish Yearbook of International Law 29, pp139-152. doi.org/10.2139/ssrn.1445452.
Brake, Benjamin. “Cyberspace’s Other Attribution Problem.” Council on Foreign Relations. August 5, 2015. https://www.cfr.org/blog/cyberspaces-other-attribution-problem.
Lawrence L. Muir Jr., “The Case Against an International Cyber Warfare Convention,” Washington & Lee University School of Law Scholarly Commons, December 2011.
U.S. News & World Report. “Full Text of Trump Statement on Syria Attack.” April 6, 2017. https://www.usnews.com/news/politics/articles/2017-04-06/full-text-of-donald-trumps-statement-after-attack-on-syria.
McCurry, Justin, Ewen MacAskill, and Alex Hern. “Facebook Action Hints at Western Retaliation over WannaCry Attack.” The Guardian. December 19, 2017. https://www.theguardian.com/technology/2017/dec/19/wannacry-cyberattack-us-says-it-has-evidence-north-korea-was-directly-responsible.
Newman, Lily Hay. “Hacker Lexicon: What Is the Attribution Problem?” Wired. December 24, 2016. https://www.wired.com/2016/12/hacker-lexicon-attribution-problem/.
Harald Müller, “Evilization in liberal discourse: From Kant’s ‘unjust enemy’ to today’s ‘rogue state’” International Politics 51, no. 4, July 2014, pp. 475-491.
Richard Price, “A Genealogy of the Chemical Weapons Taboo,” International Organization 49, no. 01, 1995, pp. 73-103.
Tufekci, Zeynep. “Tech Should Function like Aviation Safety: First Class May Have Some Extras but the Whole Plane Goes up and down Together. Result: Flying Is the Safest Way of Travel. Put Those Devices in Rich Schools and See How Far You Get. If It’s Not Okay for Them, Not Okay for Anyone Else.” Twitter. October 30, 2018. https://twitter.com/zeynep/status/1057265549300916224.
Marshall, Aarian. “A Third of Americans Use Ride-Hail. Uber and Lyft Need More.” Wired. January 08, 2019. https://www.wired.com/story/uber-lyft-ride-hail-stats-pew-research/.
Ingold, David, and Spencer Soper. “Amazon Doesn’t Consider the Race of Its Customers. Should It?” Bloomberg.com. April 21, 2016. https://www.bloomberg.com/graphics/2016-amazon-same-day/.
Badger, Emily. “Another Reason Why There’s No Stopping Uber: Politicians and Their Staffs Use It.” The Washington Post. November 11, 2014. https://www.washingtonpost.com/news/wonk/wp/2014/11/11/another-reason-why-theres-no-stopping-uber-politicians-and-their-staffs-use-it/.