The outbreak of war in Ukraine in February 2022 marked the dawning of a long-predicted era in which cyber space became as much a theatre for warfare as the kinetic battlefield, but a little over two years on, no progress has been made on establishing the rules of war as they pertain to cyber tools and weapons, an issue that now urgently needs to be addressed.
This is according to a newly published paper from the European School of Management and Technology (ESMT’s) Digital Security Institute (DSI) in Berlin, and the Technical University of Darmstadt in Germany, which explores some of the challenges facing effective regulation and control of cyber weapons.
Based on a literature review considering the challenges and obstacles facing cyber arms control measures, and interviews with subject matter experts, DSI research associate Helene Pleil and her colleagues examined the hurdles that need to be overcome by the international community.
The researchers concluded that traditional measures of arms and weapons control cannot really be applied to cyber tools, so alternative and more creative solutions will have to be thought up. Pleil argued that one path could be to define and sanction the use of cyber tools, rather than the tools themselves, to enable agreements to be made and upheld.
“According to the literature and experts, neither the control of a cyber weapon nor any other technological regulation for cyber space will work,” said Pleil.
“Instead, the focus must be on banning certain actions, since experts do not see any chance for verification mechanisms, especially because of the high level of intrusion that would be required,” she said.
Fundamental challenges
One of the biggest and most fundamental challenges that arms control advocates face will be to arrive at clear and uniform definitions of key terms – including the term cyber weapon – since the conventional definition of a weapon does not really capture what a cyber weapon is or does. Even if one could successfully bring the US, China and Russia around a negotiating table, if they cannot define what they want to control, the cyber talks will be over in minutes.
A second and related issue is referred to in the paper as the “dual-use-dilemma”. Simply put, a computer, USB stick or piece of software can be used for legitimate civilian purposes as well as military ones, which makes it very hard to draw a line between what constitutes these scenarios and as such renders it virtually impossible to ban the tools themselves. Or as Pleil et al put it, you can easily ban nuclear weapons because civilians don’t walk around with ICBMs in their pockets, but they do carry laptops and smartphones.
The role played by the technology industry will also need to be considered in this context. States do not have sole control over cyber tools that may be used as weapons – they are developed by security companies and sold in the private sector, where organisations have ownership and operational rights. The private sector will need to be involved and committed for cyber arms control to be effective, and as the actions of mercenary spyware companies have shown, this is a big ask – the existence of rogue actors such as the disgraced Israeli firm NSO Group is a case in point.
The third challenge again follows on from the first two in some regards. According to the researchers, finding suitable verification mechanisms to establish arms control in cyber space is very hard indeed.
By and large, we know who the nuclear-armed powers are and what capabilities they have, so as the US and the USSR showed via the Salt and Start agreements of the 1960s, ‘70s and 80s limits can be put on their stockpiles and successful de-escalation achieved. This is not really possible when it comes to cyber weapons, unless Washington and Moscow can be persuaded to cap the number of hackers going to work for their intelligence agencies.
Then, we must consider how quickly technology is progressing, even as predictions of the demise of Moore’s Law continue to be regularly made. The tools and technology used in cyber attacks are changing rapidly, and so do the tactics, techniques and procedures (TTPs) deployed by state-run hackers in both the US and the Western powers, and China, Russia and others. Simply put, the development of new weapons will continue to outpace regulatory efforts – by the time a regulation is even discussed, the technology will have advanced.
Finally, said Pleil, there is currently a lack of political will to establish cyber arms control measures. Countries are only now discovering the strategic value of cyber tools and as the current geopolitical situation shows, their interests are divergent. Complying with a hypothetical treaty on the use of cyber tools could risk a government missing out on potential advantages.
This final challenge is perhaps the most chilling – looking to history, the Geneva Conventions were first proposed by a Swiss businessmen moved by what he saw after the 1859 Battle of Solferino between a Franco-Italian alliance and the Austrian Empire. Subsequent refinements to the Geneva Conventions were made in response to the horrors of trench warfare during World War I, and Nazi atrocities in World War II. The fear must be that it may take a devastating cyber incident that costs hundreds of thousands of lives to force governments to talk.
The full research was published in the Zeitschrift für Außen- und Sicherheitspolitik (Journal for Foreign and Security Policy).