Much attention has been focused recently on the budding possibility of a Sino-American cyber arms control agreement, whose foundation would be a mutual pledge of "no first use" of bits and bytes to cripple critical civilian infrastructure. It is an intriguing development, despite having three very troubling flaws.
The first problem afflicts the agreement’s logical basis, given that both sides pledge not to mount such attacks "in peacetime." But what if such an attack, a "digital Pearl Harbor," were to be the opening act of war — when "peacetime" would have been thereby ended? A bit of a conundrum, complicated further by the fact that most advanced militaries rely, to varying degrees, on civil infrastructures that they do not own or control for much of their communications, logistics, and other functions. So, in a sense, civil infrastructure can actually be viewed as consisting of a range of strategic, military-related targets.
Next there is the major perceptual problem that lies at what might be called the "boundary layer" of this agreement that does not explicitly extend to cyber espionage. The difficulty here is that the sorts of actions, exploits, and intrusions that go with virtual spying are observationally equivalent to the preparatory access to the adversary’s systems that would be sought prior to launching an actual attack. Thus the cyber peace would always be poised on a knife-edge of instability. A related perceptual complication is that the ultimate identity of the attacker is not always clearly or easily distinguished — and so the potential for a third party, C, to attack A anonymously, or to finger innocent B as the culprit, is a very real risk, one that might lead to escalation to war in the physical world — which was the scenario that I unfolded in my short story in Wired back in 1998,"The Great Cyberwar of 2002."
The third difficulty with the Sino-American cyber arms control initiative lies in its scope. The initially narrow focus on infrastructure protection does little or nothing to deal with the large-scale theft of intellectual property that constitutes what can be called the realm of "strategic crime." U.S. President Barack Obama has said much about this over the past few years, and has explicitly called out China as a culprit. In a recent public statement growing out of a meeting between him and Chinese President Xi Jinping, both leaders affirmed neither country would knowingly engage in intellectual property theft.
When asked during his recent testimony before the Senate Armed Services Committee whether there was any real chance of curtailing intellectual property theft, the Director of National Intelligence, former general James Clapper, gave a one-word answer: "No." He went on to make critical comments about the possibility of cyber arms control, indicating instead his preference for a focus on improving defenses. His only nod to any sort of agreement was an allusion to Ronald Reagan’s approach to engaging in arms reduction talks with the Russians back in the 1980s: "Trust but verify." So it seems, even in American officialdom, that the window of opportunity for cyber arms control has only been opened just a crack.
But it may prove enough of an opening to move ahead, for the "no first use" doctrine is something that has caught on in the nuclear realm — though it took many decades for the United States to decide to move in this direction (there are still some extreme conditions noted in the American nuclear posture statement that would allow first use, but for all practical purposes this is no longer a usable first option).
Issues of verification aside, nations — not just China and the United States, but others, too — have incentives to behave circumspectly about starting a strategic cyberwar that would incur huge economic costs and run the risk of a virtual conflict escalating into a shooting war in the physical world. Full disclosure: I introduced the idea of a cyber no-first-use doctrine in an article in the journal Ethics and Information Technology back in 1999 ("Can Information Warfare Ever Be Just?"), so I am hardly impartial. It has been a long wait to hear leading heads of state talking about such a possibility, and we must allow the discourse to unfold, rather than simply to dismiss it as idealistic or quixotic.
The best way to envision cyber arms control may be to think of it as analogous to other controlled activities in areas in which diffusion of the enabling technology itself is unstoppable. In the varied realms of chemical and biological weapons, for example, countless nations have access to the materials required to craft such weapons. And yet, there are behavior-based arms control agreements in force, to which nearly all countries subscribe, that forbid their use. In the main, there is strong compliance with few violations. Such compliance may well be possible in the cyber arena, too. It is an approach well worth exploring.
With regard to the logical possibility that a "peacetime" pledge is not violated if a strategic cyber attack starts a war, the response to this concern is that such an attack could still be limited to military-related targets. To return to the nuclear analogy, this would be very much like the "counterforce" strategic doctrine of the Cold War era that sought to target missiles and other military targets, not population centers. In this way, it was thought, a nuclear war could be waged without massive civilian deaths.
Only a small portion of critical infrastructure is essential for military operations, so cyber combatants would have good chances of operating against armed forces without imposing too much civilian suffering. To be sure, a conflict of this sort would inflict much costly, disruptive collateral damage, but far less than would be the case in a city-busting, apocalyptic general nuclear war. Thank God counterforce nuclear doctrine was never put to use. But cyberwar is much more thinkable than an atomic Armageddon, so the counterforce doctrine that never had to be used for its original purpose may well be dusted off when thinking about how to conduct conflict in the virtual domain.
The most nettlesome problem, of course, is the veil of anonymity in which cyber aggressors — nations or networks — may be inclined to enshroud themselves. Clearly, forensics must continue to improve so as to identify attackers accurately. And just as clearly, a great deal of work is needed to bring forensics up to the needed level of accuracy. Also, strategic deception about the identity of the perpetrator, as mentioned above, must be guarded against. But these challenges are no reason to give up on the promise of cyber arms control.
On balance, the emerging, maturing discourse about applying notions of arms control to the cyber realm is a "net positive" (no pun). There are indeed obstacles to overcome, but the potential gains for peace and cybersecurity make the efforts to master these challenges more than worth the while.