The Department of Defense released their Strategy For Operating In Cyberspace in July. In the document, they add Cyber to the traditional 4 domains…Land, Sea, Air, and Space.
This paper raises the question, at least in my mind: Should there be a Cyberwarfare treaty? I think the short answer is a definite “Maybe.”
I think a longer answer is that a arms treaty, like chemical or nuclear, is meant to deter the production of those types of weapons by government entities. Even if such a treaty were to be ratified, it would not stop other entities, whether commercial, criminal, or private from creating the same.
Similarly, all computer software has a shelf life, and this is also true for computer viruses. A hacker creating a computer virus is reliant upon an operating system. When those operating systems are updated, patched, or replaced, the virus ceases to have value. This is not true for other types of arms control. A 50 year old nuclear warhead is still dangerous.
What would such a treaty say? Should it be specific to the types of code that shouldn’t be written? Should it ban countries from producing soldier-hackers? Should it create an outright ban on the types of computer warfare that are not allowed? Should there be a Geneva Convention for the Internet?
All these conventions don’t fit the makeup of the internet. This is the internet where companies and technologies, whole computer languages, have lifecycles measured in months, not years. Assuming that a written treaty could apply is a misunderstanding of how the Internet is governed. Every aspect of the internet is governed by social convention, software licenses, and terms of service. These conventions necessarily change very quickly over time. Not to mention that even if such a treaty could be ratified, it would be obsolete by the time the ink was dry.
It would be great if Governments were willing to commit to one another that they won’t attack each others nuclear reactors with computer viruses. Jails. Air traffic Control systems. This misses the point of the greatest protection we already have…the one that worked throughout the cold war…mutually assured destruction. Because of Globalization, an attack on the US, would have immediate and drastic economic consequences for every other nation state in the world. Even a small scale attack on a major country would have similar consequences…given the amount of damage that the world has felt the problems in Ireland, Greece, and Portugal. And there is no reason to think that an attack would be limited to only one country at one time. If such an attack were to take place, it would be just as easy to attack everyone that is against your particular point of view.
A treaty like this would probably be unnecessary given current Alliances.
The best idea for a treaty like this would be a world wide treaty that includes all major players to share resources, visibility, intelligence, to protect critical infrastructure against non-state actors. This would be very similar to how many organizations as well as state governments have developed inter-organizational Information Security Advisory Councils to share real time threat information. Some large ISPs like AT&T and Verizon are offering this kind of real time threat monitoring from a world-wide perspective, so it would be a huge step in CyberSpace if governments took the same measures.
Click here for part 2 of my series on Cyber Warfare Treaties.