When President Obama and Chinese President Xi Jinping discussed cyberweaponry rules of the road at their recent White House news conference, it represented a landmark for a new field. International cybersecurity has come of age. When intelligence officials testified before Congress about the major threats to the United States just a few years ago, cyberwar was barely mentioned; now, it’s at the top of the list.
Whenever countries confront a disruptive new technology that they cannot control, they eventually seek arms-control agreements. In the nuclear era, it was 18 years after Hiroshima before the first such agreement was reached. Today, cybersecurity is at a similar point. Although the modern Internet was born in the 1970s, it was only during the past two decades that it became an indispensable enabler of economic and military activity that benefits us while also making us insecure. With the advent of cloud computing and the “Internet of Things,” the area of vulnerability is rapidly expanding.
Is cyber arms control the answer? Not if it’s modeled on the treaties of the nuclear era. Those agreements spelled out in great detail how to manage large, costly, observable weapons and included monitoring procedures that Ronald Reagan summarized with the adage “trust, but verify.” Cyberweapons, by contrast, can be as simple as a few inexpensively acquired lines of code. They are available to state and non-state actors and can be hard to distinguish from benign online activity. It can also be difficult and time-consuming to determine who is behind their use. The “verify” portion of any cyber-control agreement would be extremely problematic.
But that doesn’t mean it’s impossible to reach agreements on rules limiting behavior. States could agree not to attack certain aspects of the civilian infrastructure of another country in peacetime. In fact, such a recommendation was included in a July report of a U.N. group of governmental experts, which Obama and Xi agreed to have a bilateral group of senior experts examine. The U.N. group also recommended that governments accept a responsibility to help any state seeking assistance with a malicious attack; pledge not to interfere with the operation of emergency response teams created by other states to deal with attacks; and seek to build confidence by increasing the transparency of their cyberpolicies. The two presidents also discussed establishing hotlines to facilitate high-level communication during a crisis.
Critics scoff at vows such as “no first use” of cyberweapons against certain civilian targets. What is to prevent cheating? The answer is self-interest. If states feel vulnerable, and worry about the unintended consequences of going on cyberoffense, they may find that peacetime pledges of self-restraint are in their mutual interest.
A norm of self-restraint could also help with dangerous “zero-days,” or undiscovered coding vulnerabilities that take their name from the amount of time that programmers have to act to stop a malicious outsider from exploiting the opening. Governments and non-state actors tend to hoard information on such flaws as deterrents or for possible use in future attacks, and they fetch high prices on black-market Web sites. But if the United States unilaterally adopted a norm of responsible disclosure of zero-days to companies and the public after a limited period, it would destroy their value as weapons — simultaneously disarming ourselves, other countries and criminals without ever having to negotiate a treaty or worry about verification. Other states might follow suit. In some aspects, cyber arms control could turn out to be easier than nuclear arms control.
Such steps are not panaceas that would produce cybersecurity. We would still have to contend with cybertheft of intellectual property; corruption of the supply chains that provide the chips that go into our computers and devices; the disruption of undersea cables; spies or disloyal insiders; and many other threats. But it is worth remembering that the first nuclear arms-control agreements — the Test Ban Treaty of 1963 and the Non-Proliferation Treaty of 1968 — did not solve all of the problems of controlling nuclear weapons. Rather, they started a process. Perhaps Obama and Xi’s modest beginning will do something similar.
Joseph S. Nye Jr. is a professor at the Harvard Kennedy School and a member of the Global Commission on Internet Governance.