When revelations about Stuxnet, a computer virus designed specifically to sabotage Iran’s nuclear programme, made the headlines in June 2010, cybersecurity shot to the top of many countries’ national security agendas. Many countries announced that they would beef up their offensive capabilities in cyberspace, inspiring fresh discussion about the development, use and control of cyberweapons and of surveillance technologies in cyberspace. What are the implications of these technologies for arms production and arms control? How realistic is it to try to control them through traditional arms control mechanisms?
The cybersecurity bonanza for arms producers
Cybersecurity concerns have been good news for traditional arms producers and military services companies. BAE Systems, EADS, Finmeccanica, General Dynamics, Raytheon and Thales have all expanded into the cybersecurity market in recent years to benefit from its rapid growth at a time when states are making or threatening spending cuts in some key weapons markets. According to a recent market research report by Visiongain, all of the companies listed above were in the top 20 cybersecurity companies worldwide, alongside traditional cybersecurity providers such as Symantec, the Intel Corporation and IBM.
The traditional arms producers and military services companies that have expanded their cybersecurity business provide security professionals (in the military, intelligence and law-enforcement communities) with products and services designed for offensive operations in cyberspace—developing cyberweapons and network attack strategies; looking for undiscovered vulnerabilities in hardware and software (so-called zero-day vulnerabilities); and surveillance and espionage services. Alongside these are products and services—such as network and data protection software; testing and simulation; and training and consulting—that are designed to protect networks and information systems or make them more resilient to cyberattacks. A significant part of their cybersecurity business, particularly in the latter category of goods and services, is with non-military government agencies and private companies.
However, obtaining a comprehensive picture of who is involved in the business of cyberweapons and cybersurveillance technologies is difficult. Besides the large corporations are many small and medium-sized enterprises—for example Blue Coat and Amesys, which made headlines for allegedly providing surveillance and censorship technologies to the regimes of Bashar al-Assad in Syria and Muammar Gaddafi in Libya, respectively. States, too, might have their own development programmes. Furthermore, independent hackers, activist groups and criminal organizations may develop or deploy cyberweapons and cybersurveillance technologies. There is little incentive for anyone involved to be transparent—anonymity is a major added value of cyberattacks.
Can arms control work in cyberspace?
The use of cyberweapons and cybersecurity technologies for warfare, espionage and political surveillance poses huge practical and conceptual challenges for the international community. In the military realm, the applicability of international law to cyberweapons like Stuxnet is unclear and has fuelled discussion about whether offensive action using a cyberweapon could be considered a legitimate casus belli for conventional warfare. The use of cyber tools for espionage is also increasingly a sticking point in diplomatic relations between countries like China and the United States.
These concerns have led to discussions about whether international controls should, or even could, be applied to cyberweapons and related technologies, as they are for conventional weapons and weapons of mass destruction (WMD). Would the kind of arms control frameworks now used for physical weapons—international treaties, trade control mechanisms, sanctions—work for the production, use and trade of cyberweapons? Could they prevent a cyber-arms race, the transformation of cyberspace into a battlefield, and ubiquitous state surveillance throughout the Internet?
In 2011 Russia submitted a draft international code of conduct for information security to the United Nations, as part of an initiative supported by China, Tajikistan and Uzbekistan. This code would require states not to use ‘information and communications technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate weapons or related technologies’. While some questioned the motives behind the move, it at least triggered debate on the feasibility of an international treaty, perhaps comparable to the 1992 Chemical Weapons Convention (CWC) or the 1972 Biological and Toxin Weapons Convention (BTWC), that would ban the use of cyberweapons.
This debate, however, revealed major practical and political obstacles to such a treaty. The first was the question of exactly what it would be banning. There are still widely differing opinions about what should be considered a cyberweapon. Some prefer a narrow definition based on that for physical weapons: a tool used to inflict harm or the threat of harm. Others believe that spyware (such as Trojan Horses and encryption-stripping technologies) and other surveillance software should be included, as they could gather strategic information that would help in the preparation of an attack. However, most surveillance software is used for purely commercial crimes such as industrial espionage and fraud.
Also, the speed with which new methods and tools for attacks are developed would make any attempt at listing and classification of cyberweapons an endless and rather futile exercise. A cyberweapon would most likely be superseded before it ever made it onto an official control list.
Another issue is the technical complexity of monitoring ‘stockpiles’ of cyberweapons. Being software, cyberweapons can be reproduced and stored at minimal cost. Furthermore, arms control treaties require verification mechanisms, but it is beyond dispute that no state would allow a third party to scan its governmental computer systems and networks for this purpose.
There is also the question of attribution. The authors and users of cyberweapons can easily conceal their identities, making it difficult to discover with any certainty who launched a cyberattack and whether the purpose was criminal or military.
Finally, many states might see little to gain from banning tools that enable them to take military action without the use of armed force and with a great level of secrecy.
Relying on restraint
Although a global ban on cyberweapons is unlikely to materialize, this does not prevent states from putting restrictions on their own use of cyberweapons and cybersurveillance technologies, or from trying to negotiate and establish some global norms on their use. These norms could include, for example, no-first-use policies, programming cyberweapons to self-destruct at the end of hostilities, and outlawing attacks against civilian infrastructure.
Verifying that states are respecting their commitments would probably be very difficult. Even so, this exercise would be a step towards building confidence and understanding. In the words of Bruce Schneier, a cybersecurity expert, ‘the very act of negotiating limits the arms race and paves the way to peace’.
ABOUT THE AUTHOR(S)
Dr Vincent Boulanin is Director of the Governance of Artificial Intelligence Programme at SIPRI.
When revelations about Stuxnet, a computer virus designed specifically to sabotage Iran’s nuclear programme, made the headlines in June 2010, cybersecurity shot to the top of many countries’ national security agendas. Many countries announced that they would beef up their offensive capabilities in cyberspace, inspiring fresh discussion about the development, use and control of cyberweapons and of surveillance technologies in cyberspace. What are the implications of these technologies for arms production and arms control? How realistic is it to try to control them through traditional arms control mechanisms?
The cybersecurity bonanza for arms producers
Cybersecurity concerns have been good news for traditional arms producers and military services companies. BAE Systems, EADS, Finmeccanica, General Dynamics, Raytheon and Thales have all expanded into the cybersecurity market in recent years to benefit from its rapid growth at a time when states are making or threatening spending cuts in some key weapons markets. According to a recent market research report by Visiongain, all of the companies listed above were in the top 20 cybersecurity companies worldwide, alongside traditional cybersecurity providers such as Symantec, the Intel Corporation and IBM.
The traditional arms producers and military services companies that have expanded their cybersecurity business provide security professionals (in the military, intelligence and law-enforcement communities) with products and services designed for offensive operations in cyberspace—developing cyberweapons and network attack strategies; looking for undiscovered vulnerabilities in hardware and software (so-called zero-day vulnerabilities); and surveillance and espionage services. Alongside these are products and services—such as network and data protection software; testing and simulation; and training and consulting—that are designed to protect networks and information systems or make them more resilient to cyberattacks. A significant part of their cybersecurity business, particularly in the latter category of goods and services, is with non-military government agencies and private companies.
However, obtaining a comprehensive picture of who is involved in the business of cyberweapons and cybersurveillance technologies is difficult. Besides the large corporations are many small and medium-sized enterprises—for example Blue Coat and Amesys, which made headlines for allegedly providing surveillance and censorship technologies to the regimes of Bashar al-Assad in Syria and Muammar Gaddafi in Libya, respectively. States, too, might have their own development programmes. Furthermore, independent hackers, activist groups and criminal organizations may develop or deploy cyberweapons and cybersurveillance technologies. There is little incentive for anyone involved to be transparent—anonymity is a major added value of cyberattacks.
Can arms control work in cyberspace?
The use of cyberweapons and cybersecurity technologies for warfare, espionage and political surveillance poses huge practical and conceptual challenges for the international community. In the military realm, the applicability of international law to cyberweapons like Stuxnet is unclear and has fuelled discussion about whether offensive action using a cyberweapon could be considered a legitimate casus belli for conventional warfare. The use of cyber tools for espionage is also increasingly a sticking point in diplomatic relations between countries like China and the United States.
These concerns have led to discussions about whether international controls should, or even could, be applied to cyberweapons and related technologies, as they are for conventional weapons and weapons of mass destruction (WMD). Would the kind of arms control frameworks now used for physical weapons—international treaties, trade control mechanisms, sanctions—work for the production, use and trade of cyberweapons? Could they prevent a cyber-arms race, the transformation of cyberspace into a battlefield, and ubiquitous state surveillance throughout the Internet?
In 2011 Russia submitted a draft international code of conduct for information security to the United Nations, as part of an initiative supported by China, Tajikistan and Uzbekistan. This code would require states not to use ‘information and communications technologies, including networks, to carry out hostile activities or acts of aggression, pose threats to international peace and security or proliferate weapons or related technologies’. While some questioned the motives behind the move, it at least triggered debate on the feasibility of an international treaty, perhaps comparable to the 1992 Chemical Weapons Convention (CWC) or the 1972 Biological and Toxin Weapons Convention (BTWC), that would ban the use of cyberweapons.
This debate, however, revealed major practical and political obstacles to such a treaty. The first was the question of exactly what it would be banning. There are still widely differing opinions about what should be considered a cyberweapon. Some prefer a narrow definition based on that for physical weapons: a tool used to inflict harm or the threat of harm. Others believe that spyware (such as Trojan Horses and encryption-stripping technologies) and other surveillance software should be included, as they could gather strategic information that would help in the preparation of an attack. However, most surveillance software is used for purely commercial crimes such as industrial espionage and fraud.
Also, the speed with which new methods and tools for attacks are developed would make any attempt at listing and classification of cyberweapons an endless and rather futile exercise. A cyberweapon would most likely be superseded before it ever made it onto an official control list.
Another issue is the technical complexity of monitoring ‘stockpiles’ of cyberweapons. Being software, cyberweapons can be reproduced and stored at minimal cost. Furthermore, arms control treaties require verification mechanisms, but it is beyond dispute that no state would allow a third party to scan its governmental computer systems and networks for this purpose.
There is also the question of attribution. The authors and users of cyberweapons can easily conceal their identities, making it difficult to discover with any certainty who launched a cyberattack and whether the purpose was criminal or military.
Finally, many states might see little to gain from banning tools that enable them to take military action without the use of armed force and with a great level of secrecy.
Relying on restraint
Although a global ban on cyberweapons is unlikely to materialize, this does not prevent states from putting restrictions on their own use of cyberweapons and cybersurveillance technologies, or from trying to negotiate and establish some global norms on their use. These norms could include, for example, no-first-use policies, programming cyberweapons to self-destruct at the end of hostilities, and outlawing attacks against civilian infrastructure.
Verifying that states are respecting their commitments would probably be very difficult. Even so, this exercise would be a step towards building confidence and understanding. In the words of Bruce Schneier, a cybersecurity expert, ‘the very act of negotiating limits the arms race and paves the way to peace’.
ABOUT THE AUTHOR(S)