The Complex Landscape of Cyber Arms Control

As our reliance on cyberspace grows, so do the accompanying challenges and risks, particularly in the military domain. The advent of increased cybersecurity measures and the emergence of cyber diplomacy have become essential in navigating this intricate terrain. The discussion surrounding the militarization of cyberspace has gained prominence, particularly in light of modern conflicts where cyber operations play a pivotal role. A striking example of this is the ongoing war in Ukraine, which exemplifies how military conflicts now extend into the digital realm.

Historically, arms control has been critical in mitigating military escalation, but the unique characteristics of cyberspace present significant hurdles in establishing effective and verifiable measures for cyber arms control. A recent analysis conducted in collaboration with colleagues from the Technical University of Darmstadt sheds light on several key obstacles that hinder progress in this area.

Defining the Cyberweapon Dilemma

One of the foremost challenges in establishing arms control in cyberspace is the absence of precise and uniform definitions for key concepts. This issue is particularly pertinent when considering what constitutes a ‘cyberweapon.’ Traditional definitions of weapons do not adequately apply to the nuances of cyberattacks, which serve as the essence of what many consider a cyberweapon. Cyberweapons typically manifest as data and knowledge designed to compromise the integrity, availability, or confidentiality of an IT system without the consent of its owner. Some experts argue that the notion of a cyberweapon is inherently flawed, as the term ‘weapon’ implies a kinetic or physical use. While cyberattacks can exploit technological vulnerabilities and result in tangible consequences, this ambiguity complicates the establishment of a clear framework for a cyber arms treaty.

Furthermore, the tools and technologies associated with cyberattacks evolve at an astonishing pace. By the time regulations are drafted and agreed upon, the technology may advance beyond the scope of those regulations. For instance, many commonly used devices, such as computers and USB drives, serve both civilian and military purposes, making it impossible to delineate a definitive boundary between these use scenarios. Unlike traditional arms, which can be outright banned—such as landmines or nuclear weapons—there is no feasible way to impose broad bans on ubiquitous technologies like USB sticks or computers.

Challenges of Dual-Use Technologies

• The dual-use nature of many cyber instruments complicates regulation, as tools intended for cyber defense or espionage can also be repurposed for malicious attacks.
• This dual-use aspect introduces complexities that are distinct from previous arms control treaties.

Verification: A Major Hurdle

Establishing suitable verification mechanisms for arms control in cyberspace is one of the most significant obstacles. Unlike traditional weapons, cyberweapons cannot be easily quantified or categorized for regulation. The nature of cyberweapons allows for infinite replication and global sharing without any associated costs. For example, simply deleting a piece of malicious code from a device does not guarantee its removal, as it may reside in backup systems or remain accessible elsewhere on the internet.

This reality intensifies the challenges of creating effective verification mechanisms, as they would need to be remarkably intrusive. Many nations may be unwilling to engage in such intrusive verification processes due to concerns about exposing their own cyber defenses and vulnerabilities, which could potentially be exploited for espionage. However, while attribution—the process of identifying the actors behind cyber operations—was once deemed too complex, advancements in this area are making it increasingly feasible. This could serve as a foundation for sanctioning the use of cyberweapons rather than the weapons themselves.

The Rapid Evolution of Cyber Technologies

The swift evolution of cyberattack tools and technologies often outpaces regulatory efforts. By the time any regulation is established, the technology may have already progressed beyond its intended scope. Cyberattack code is typically based on ongoing software developments tailored for specific targets, leading to rapid changes and variations. Future cyberattacks are likely to differ significantly from past incidents, rendering traditional regulatory measures inadequate.

• For instance, recent events have highlighted the necessity for adapting regulations to keep pace with technological advancements.
• The private sector plays a crucial role since most cyberspace infrastructure is privately owned, making their involvement essential for effective arms control.

Focusing on Malicious Actions

Ultimately, political will is vital for establishing arms control measures in cyberspace. States, recognizing the strategic value of cyber capabilities, may be reluctant to comply with treaties that could limit their operational advantages. The current geopolitical climate further complicates efforts to achieve widespread agreement on these complex issues.

Analysis of literature and discussions with experts indicate that conventional arms control measures cannot be directly applied to cyberweapons. Instead, attention should shift towards prohibiting specific malicious actions. This approach allows for the development of agreements that can adapt to technological advancements and the dual-use nature of cyber tools.

Since 2015, international negotiations within the United Nations (UN) have produced 11 norms aimed at promoting responsible state behavior in cyberspace, focusing on limiting state actions and defining positive obligations. However, these norms remain voluntary and non-binding, leading to frequent violations. The challenge lies in transforming these norms into binding commitments and holding states accountable for their malicious cyber activities.

Attribution plays a crucial role in this context, as it involves publicly assigning cyber operations to specific actors based on evidence. Once considered too complex, it is now increasingly achievable and could serve as a basis for imposing sanctions for the use of cyberweapons rather than the weapons themselves. Pursuing this avenue could yield creative alternatives and solutions for arms control in cyberspace, paving the way for potential international mechanisms or institutional frameworks to address these pressing challenges.

Helene Pleil is a Research Associate at the Digital Society Institute (DSI) at ESMT Berlin.
At Euronews, we believe all views matter. Contact us at view@euronews.com to share your insights and join the conversation.