21 Sep Does President Obama Have to Send the “Cyber Arms Control” Agreement with China to the Senate?
U.S. and Chinese negotiators are apparently very close to working out an agreement to limit the use of cyberweapons against each other. There is talk that this agreement will be concluded before Chinese President Xi Jinping’s state visit to the U.S. next week. The agreement will be pretty narrow in scope and apparently would not address the acts of cyber-theft and espionage that China allegedly carried out earlier this year. According to the NYT:
The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.
I am skeptical that this kind of agreement could be effective for the reasons that Jack Goldsmith and Paul Rosenzweig have laid out (see also Goldsmith at greater length here). But putting aside its effectiveness, it is worth asking whether a “cyber arms control agreement” would be the type of an agreement that required approval by two-thirds of the Senate as a treaty.
Much depends on exactly what the agreement purports to do. If the agreement actually contains a commitment by the U.S. to “not be the first to use cyberweapons to cripple the other’s critical infrastructure”, than it is much closer to the traditional kinds of arms control agreements that have usually been approved under the U.S. system as treaties. Unlike the Iran Nuclear Deal (which is mostly about lifting economic sanctions), the U.S. would be committing to refraining from using certain weapons or from exercising its military forces.
On the other hand, U.S administration sources caution that this agreement would not lay out specific obligations, but it “would be a more ‘generic embrace’ of a code of conduct adopted recently by a working group at the United Nations.” But even an agreement incorporating that code of conduct might be considered an “arms control” agreement since it requires that a state “should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;” The rest of the code of conduct also imposes fairly robust obligations on a state.
I will have to think about this some more, but on first cut, it is possible that this cyber control agreement will have to be sent to the Senate as a treaty. I think Senate approval of such a treaty would be a non-starter given the current political climate, so perhaps the Obama Administration will announce that this will be a sole executive agreement after all. Whether that is permitted under the Constitution remains unclear though.