Problems with Cyber Arms Control

By Paul Rosenzweig
Thursday, February 26, 2015, 3:17 PM

The New York Times has an editorial today, calling for an arms control effort in cyberspace.  The Times effort is, honestly, a bit simplistic, as is its conclusion:

The tougher challenge is on the global level. Cyberwarfare has already done considerable damage and can lead to devastating consequences. The best way forward is to accelerate international efforts to negotiate limits on the cyberarms race, akin to the arms-control treaties of the Cold War. Barring that, there are few viable ways to bring these new weapons and their use under control.

Others have noted the flaws in this sort of idea before.  As Jack Goldsmith has said, these types of treaties are inherently unverifiable.  And, of course, some of the examples that animate the Times (like the hack of Sony and bank theft) are a pretty long way from warfare, thereby confusing cyber conflicts or challenges, with true war.

My own take is even more fundamental -- we can't have a cyber arms control treaty if we don't know what cyber weapons are.  One will scour the literature for a definition -- right now we know it when we see it.  But that means we only know it when it is used -- and you can't have a post-use arms control treaty.  That's a gap that I've recently  tried to address in a paper co-authored with a GWU colleague, Trey Herr, entitled "Cyber Weapons and Export Control: Incorporating Dual Use with the PrEP Model" which we wrote for the GWU Cybersecurity Policy and Rsearch Institute and which is forthcoming for the Journal of National Security Law & Policy later this year.  Here is the abstract:

How do existing export control laws treat malware and cyber weapons and what complications arise with their use? This paper presents a technically grounded framework to examine under what conditions malicious software components might be covered by the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR). It presents the law in question and examines several key challenges in classifying and restricting the flow of cyber weapons.

Cyber war and weaponry are serious problems.  We shouldn't "forget about" the possibility of controlling or regulating their use.  But it will take more than a rote incantation of the need to negotiate limits to get us there.