As the recent report of the Global Commission on Internet Governance chaired by Carl Bildt makes clear, the Internet has become an indispensable enabler for economic and military activity that benefits us all, but also leaves us vulnerable and insecure. Now with the advent of cloud computing and the “Internet of Things” the attack surface is rapidly increasing. Part of the reason that we have not seen serious war yet is that deterrence works in cyber space. There are four major means of deterring: punishment or reprisal for an attack; a strong defense that denies the attacker benefits at reasonable cost; entanglement so that an attacker hurts himself as well as the victim; and norms or taboos which impose costs on an attacker’s soft power.
Cyber arms control is part of the normative process, but if it is modeled after the treaties that marked the nuclear era, it will fail. Those treaties spelled out in great detail how to manage and verify large, costly, observable weapons. In contrast, cyber weapons can be as simple as a few lines of code and are often difficult to distinguish from benign Internet transactions. Verification treaties would be extremely difficult.
Even if nuclear-style arms control treaties are not promising, it is possible to reach agreements on norms by which states limit their behavior. One example is the agreement not to attack certain aspects of the civilian infrastructure of another country in peacetime, which is in the 2015 report of a UN Group of Government Experts (GGE), and was later endorsed by the Group of 20. The GGE report also recommended a norm of helping any state that requests assistance at a time of attack, and a pledge not to interfere with computer emergency response teams.
When President Barack Obama and Chinese President Xi Jinping discussed rules of the road for cyber relations at their September 2015 summit, it represented a landmark for a new field. On the contentious issue of intellectual property, they reached an agreement not to use cyber means for commercial espionage. Recent reports by private cyber security firms, as well as comments by government officials, suggest that such commercial cyber espionage has tapered off in the ensuing year, though it is not clear how much of that change was caused by the summit declaration or preceded it.
Less contentious, and thus less in the news, the two presidents also endorsed the UN GGE report, indicating that even if formal arms control treaties are not promising, it is possible to reach agreements on rules of the road that limit states’ behavior. The two presidents also discussed confidence-building measures such as “hot lines” for special high-level communication in case of crisis. In the following year, there have been cabinet-level cyber meetings.
Critics scoff at rules such as “no first use against certain civilian targets.” What is to prevent cheating? The answer is self-interest. If states find themselves vulnerable, and worry whether they fully comprehend the unintended consequences of their own cyber offense, and how to prevent conflict escalation, they may find that pledges of self-restraint during peacetime are in their mutual interest.
Norms against interference with certain civilian facilities in peacetime, or self-imposed limits on stockpiles of undisclosed vulnerabilities in code, are not panaceas that will produce cyber security. Problems still remain related to the details of cyber theft of intellectual property; corruption of the supply chains that provide the chips that go into machines; disruption of undersea cables; spies or disloyal insiders; and many others. But it is worth remembering that the first nuclear arms control agreements – the Limited Test Ban Treaty of 1963 and the Non-Proliferation Treaty of 1968 – did not solve all the problems of controlling nuclear weapons. But after two decades of slow learning, those agreements started a process. Perhaps President Obama and President Xi’s modest start will do something similar for cyber security. The progress reports nine months after their summit suggest that they may have taken some useful first steps.