Should There Be an International Treaty on Cyberwarfare?

That’s the question being asked this past week over at US News & World Report‘s Debate Club.  To answer it, US News assembled 7 experts who, with the exception of Bruce Schneier, replied in some form of the negative (see e.g. the responses of Herb Lin (no, or not yet), James Lewis (it’s not workable) Sean Lawson (it would be premature, unnecessary, and ineffective); Martin Libicki (focusing on international norms would be better); John Lindsay (it’s the wrong sort of solution); and Lawrence Muir (it’d be ineffective)).

Now, I’m a big fan of several of the contributors — I love Herb Lin‘s NAS work on the difficulties of distinguishing cyber-exploitations (aka espionage) from cyber-attacks (which don’t just steal information but harm the computer network or the infrastructure it supports); Martin Libicki‘s work on cyber deterrence is simply a must-read for anyone interested in thinking about military and State operations in cyberspace; while James Lewis and Bruce Schneier have well-deserved reputations for thinking deeply about cybersecurity issues.  And, the responses, short as they are, make for great (and occasionally) provocative reading.  That said, I’ve got three complaints about the set-up and the content of the so-called “debate” itself:

1) Where is the international law view?  Seven experts were invited to comment on whether or not a treaty is a good idea, and not one of them is an international lawyer?  That’s like asking whether IPv6 is a good idea and not including the views of a computer programmer.  Of course, other views are welcome, but it would certainly have helped the debate to include someone who works with treaties for a living.  And, to be clear, it’s not like international lawyers have uniform views on this issue — I’m pretty sure Jack Goldsmith is much cooler to the treaty form than I am, but I still think he’d offer different or additional rationales than the one’s posed so far.

2) Outside of Russia, does anyone really want a treaty on cyber arms control? The US News question suggests — and many of the responses assumed — that the only possible way a treaty can regulate cyberthreats would be through some analogue to a Cold War arms control treaty or a treaty banning cyberwar in the same way the Kellogg Briand Pact purported to ban warfare.  Now, it’s true Russia and a few others have pushed for such results, but those efforts have never really garnered much, if any, support in the West. Thus, I think focusing the debate onto this question misses the larger issue, namely, whether there should be some treaty or treaties dealing with cyberspace more generally?

At present, the COE Cybercrime Convention is the only cyber-specific treaty in existence, and its utility remains debatable. As such, there’s a really interesting question about whether international law should have anything more specific to say about cyberspace.  For example, should a treaty be used to confirm existing governance over the Internet’s infrastructure (ICANN etc.) or shift it to the ITU as China, Brazil and a few other States seem to be suggesting?  That’s likely to be real issue in the months/years ahead.

Similarly, much of the US News debate assumes a treaty may only proscribe behavior (and thus require a solution to the attribution problem and/or verification measures).  But I’ve argued elsewhere a treaty could regulate cyberthreats in a variety of other ways.  Indeed, treaties are much more flexible instruments than any of the contributors seem to recognize (I liken them in my new book to a Swiss Army knife, capable of performing multiple functions via a single instrument).  Thus, a treaty could encapsulate the very norms Martin Libicki suggests we need before getting into hard rules of behavior (a quick side-note, Libicki suggests the Helsinki Accords was a treaty — it wasn’t). Or, a treaty could facilitate/require the use of cyber operations before States can turn to kinetic weaponry; the very thing Lawrence Muir suggests a treaty would preclude.  Or, as Herb Lin suggests, a treaty could deal with low-hanging fruit — fraud, child porn, third party attacks on national infrastructures — whether simply  to regulate those threats or as a prelude to a larger dialogue about international governance in cyberspace. Of course, none of this is to suggest that a global treaty is the only way to go.  Indeed, I’m not convinced it’s the best place to start; a regional international agreement or one or more political commitments seem to hold more promise for dealing with these issues.  That, however, is a very different conversation than one asking whether we can end cyberthreats by simply saying they don’t exist as the Kellogg Briand pact purported to do with warfare.

3) Finally, I’ve got to say a few words about how some of the contributors (eg, Sean Lawson and Jon Lindsay) assume existing international law rules on the use of force and international humanitarian law are sufficient to regulate cyberthreats.  Such reliance is surely misplaced.  I’ve had the good fortune to participate in a wide array of forums on the question of how international law applies in cyberspace.  And, whether it was Berlin, MIT, or the US Naval Academy, the response is almost always the same.  Everyone seems to agree that existing rules on the use of force and international humanitarian law apply to cyber operations, but no one seems to agree on when or how such laws apply.  As I’ve argued in the past, that’s an inefficient, if not dangerous, place to be.  Thus, even if one thinks we don’t need new international treaties on cyberthreats, it does not follow that we do not need more discourse on how existing rules extend to and apply in this arena.  I still fear the results of contradictory assumptions by States (or non-State actors) about the legality of a particular cyber act, which Stuxnet has only reinforced with continuing debates on whether Iran could respond with kinetic force to that attack in self-defense.  The prospect that one State may assume a cyberattack falls below a use of force or armed attack threshold while the victim State perceives it as above those lines is not a happy one — it could lead to an unintended escalation of an incident into a larger armed conflict.  Add to this the possibility that a victim State may respond by attacking an innocent third State (or non-State actor) because it holds the mistaken belief (on its own or via a successful false flag operation) that the innocent State perpetuated the attack, and the possibilities of tragic consequences only multiply.

So, while I applaud US News for picking up on the need for further discourse on cyberthreats, I’d like to see future debates focus more on dealing with the threats as they exist and more realistic solutions, even if they may be more nuanced and harder to explain than comparisons to an earlier age implicit in asking about prospects for a cyberweapons treaty.