Most of the public discussion regarding cyber arms control is pessimistic. The general view is that it is impossible. Why? Because cyber is so very different from conventional or nuclear arms. And there are several key problems often mentioned:
Attribution. There is a continual problem in learning the origin of a cyber attack. Code can be changed so that the origin is spoofed, or blamed on an innocent party. Encryption and other tools on the Dark Web make attribution even more difficult. Without being sure of the origin of a cyber disturbance, nations are unable to know where to direct their response. The concept of "Cyber Self Defense" becomes meaningless if it is impossible to determine with whom you are in conflict. In addition, in the formulation of any nation state response to a cyber attack, it is crucial to know if the attacker is another nation state or a non-state actor. Finally, a pattern is emerging whereby nation states enlist mercenaries to do their work. In this way, the actions are deniable by the nation state.
Quantification. In the case of nuclear weapons, or strategic bombers, or battleships, it is possible to count the number of weapons. Because of this, arms control agreements in the past have relied on quantitative measures or ratios of quantities in order to establish the parameters of the agreement. But cyber weapons are unique in that they may not be counted. It would be like counting the number of instances of a computer program. There is one instance of the program, but it can be duplicated and distributed easily. To make another nuclear weapon, a complex manufacturing operation involving the nuclear fuel cycle must be mobilized. To make another cyber weapon, it is merely a matter of using cut and paste. So quantification is impossible with cyber weapons. The only conclusion we can draw is that any agreement addressing the cyber weapons arms race must not rely upon quantitative measures as in the past.
What are others saying?
The Carnegie Endowment for International Peace has long worked on the control of nuclear weapons, and still is doing significant work in that area. It also has a Cyberspace Program. It is operated by Jon Bateman and Katherine Charlet. Much of the current work appears to be on the issue of encryption. The group also has published research on how the financial system is vulnerable to cyber attacks. See "The Cyber Threat Landscape: Confronting Challenges to the Financial System" by Adrian Nish, Head of Threat Intelligence at BAE Systems, and Saher Naumaan. There also is coverage of issues such as Cyber Espionage by Iran, and the use by nation states of cyber mercenaries. We did not see any work specifically on control of the cyber arms race. Like many think tanks, Carnegie is focused on the problem of cyber conflict and the complex public policy issues involved, not specifically on the cyber arms race.
Dorothy E. Denning, Emeritus Distinguished Professor, Department of Defense Analysis, Naval Postgraduate School, presented a paper in 2001 entitled "Obstacles and Options for Cyber Arms Controls". In the paper, she recommends that no controls should be placed on the proliferation of cyber weapons, except for non-state actors such as criminals. In that connection, coordination across the world's international legal system, as it applies to criminals, should be the primary focus on control over cyberspace.
The Hoover Institution has published work by Professor Joseph Nye on Protecting Democracy in an Era of Cyber Information War. The professor argues that the authoritarian approach to governance and the use of information warfare conducted primarily through the Internet must generate a response from Western liberal democracies. He also discusses deterrence in cyberspace. "Deterrence by threat of retaliation remains a crucial but underutilized aspect of deterrence of cyber attack." As regards cyber arms control, the Professor concludes that "it would be difficult to reliably prohibit possession of the whole category of cyber weapons". He does agree that the development of norms of behavior may help to alleviate the harmful threat of cyber weapons. The Hoover Institution does have a number of research activities on cybersecurity. There is important work on election security, and the threat of cyber espionage, including the current debate over Huawei. Nothing significant on cyber arms control is published, but there is much coverage of the cyber issue and its effect on national security.
There is a European network of independent non-proliferation think tanks working against the Proliferation of Weapons of Mass Destruction. It was established by the European Council in 2010. However, there appears to be little work on control of the cyber arms race. There is a very great amount of research on nuclear weapons. This is based on a recommendation by the European Parliament. (Document P8_TA(2016)0424 Nuclear security and non-proliferation.)
At the Center for Strategic & International Studies, Professor James A. Lewis has published a vast amount on cybersecurity issues, including cyber conflict, cybercrime, and efforts in the United Nations. Like the work in most think tanks, CSIS is focused on cyber conflict. There is little or nothing written on cyber arms control.
We will continue coverage of other think tanks in future blogs.
For the time being, cyber arms control is not on very many radar screens.