That’s the question being asked this past week over at US News & World Report‘s Debate Club. To answer it, US News assembled 7 experts who, with the exception of Bruce Schneier, replied in some form of the negative (see e.g. the responses of Herb Lin (no, or not yet), James Lewis (it’s not workable) Sean Lawson (it would be premature, unnecessary, and ineffective); Martin Libicki (focusing on international norms would be better); John Lindsay (it’s the wrong sort of solution); and Lawrence Muir (it’d be ineffective)).
Now, I’m a big fan of several of the contributors — I love Herb Lin‘s NAS work on the difficulties of distinguishing cyber-exploitations (aka espionage) from cyber-attacks (which don’t just steal information but harm the computer network or the infrastructure it supports); Martin Libicki‘s work on cyber deterrence is simply a must-read for anyone interested in thinking about military and State operations in cyberspace; while James Lewis and Bruce Schneier have well-deserved reputations for thinking deeply about cybersecurity issues. And, the responses, short as they are, make for great (and occasionally) provocative reading. That said, I’ve got three complaints about the set-up and the content of the so-called “debate” itself:
1) Where is the international law view? Seven experts were invited to comment on whether or not a treaty is a good idea, and not one of them is an international lawyer? That’s like asking whether IPv6 is a good idea and not including the views of a computer programmer. Of course, other views are welcome, but it would certainly have helped the debate to include someone who works with treaties for a living. And, to be clear, it’s not like international lawyers have uniform views on this issue — I’m pretty sure Jack Goldsmith is much cooler to the treaty form than I am, but I still think he’d offer different or additional rationales than the one’s posed so far.
2) Outside of Russia, does anyone really want a treaty on cyber arms control? The US News question suggests — and many of the responses assumed — that the only possible way a treaty can regulate cyberthreats would be through some analogue to a Cold War arms control treaty or a treaty banning cyberwar in the same way the Kellogg Briand Pact purported to ban warfare. Now, it’s true Russia and a few others have pushed for such results, but those efforts have never really garnered much, if any, support in the West. Thus, I think focusing the debate onto this question misses the larger issue, namely, whether there should be some treaty or treaties dealing with cyberspace more generally?