Cybersecurity treaties may be nice, but it’s really every country for itself

November 11, 2015

U.S. Marine Sergeant Michael Kidd works on a computer at ECPI University in Virginia Beach, Virginia, February 7, 2012. REUTERS/Samantha Sais

The United States and China are attempting to negotiate what would be the first cyber arms-control agreement to ban peacetime attacks on critical infrastructure. The talks reflect the commitment that Washington and Beijing made at the conclusion of Chinese President Xi Jinping’s recent U.S. visit to “identify and promote appropriate norms of state behavior in cyberspace.” The first ministerial-level meeting on cybersecurity is due to take place before the end of this year.

The two countries’ effort to limit the cyber arms race is being widely compared to Cold War nuclear arms-control treaties. But this Cold War analogy is flawed because of fundamental differences between the nuclear and cyber domains.

President Barack Obama acknowledges that an “international framework” to regulate great-power competition in cyberspace is unlikely to be “perfect” because it would not solve cybersecurity threats posed by “non-state actors and hackers.” Yet as the president told the Business Roundtable on Sept. 16, “there has to be a framework that is analogous to what we’ve done with nuclear power because nobody stands to gain.”

A map of China seen through a magnifying glass in a computer screen illustration in Singapore, January 2, 2014. REUTERS/Edgar Su

In the nuclear domain, the United States has long advanced state-based strategies to curb capabilities and manage the increasing risks of superpower competition. For, unlike cyber capabilities, nuclear weapons have been in the sole custody of states. State-based strategies have been successfully pursued to limit the size of arsenals, reassure nonnuclear states to forego the weapons option and compel nuclear weapons states to secure their arsenals so that terrorist groups cannot obtain them.

A similar strategy for cyber limitations would start by leveraging states’ mutual interests as stakeholders to ensure that the Internet operates smoothly by eliminating system-threatening viruses, or “botnets,” and combatting cybercrime. Another priority would be to complete the U.S.-China negotiations on a cyber arms-control agreement. The Obama administration views the potential bilateral agreement as a base on which to develop a global consensus.

The bedrock of a state-based strategy to address cyber challenges would be sound national policies, codified in domestic law and fully enforced. The key to this is to ensure that states rein in non-state actors, whether individuals or groups.

The problem, however, is that authoritarian states, such as Russia and China, have an interest in preserving “patriotic hackers” as a policy instrument while maintaining plausible deniability. They also seek to control politically threatening Internet content that most democratic states would regard as protected speech.

This arms-control push needs to be buttressed by a robust strategy of deterrence in both its variants — deterrence by denial and deterrence by punishment.

In the cyber realm, deterrence by denial would mean defensive measures that block an adversary’s ability to achieve its objective, such as disrupting a U.S. government website. For individual personal computers, anti-virus and anti-malware software can provide one form of deterrence by denial.

Part of ‘Unit 61398,’ a secretive Chinese military unit believed to be behind a series of hacking attacks, on the outskirts of Shanghai, February 19, 2013. REUTERS/Carlos Barria

As significant as a cyber arms-control agreement to ban attacks on critical infrastructure might be, the necessary complement to it is effective cyber defense mechanisms. This could include strengthening computer networks to block unauthorized access and increasing their resilience. That would frustrate any potential attacker. In these terms, the Chinese hack of the U.S. Office of Personnel Management database, which compromised the personal data of some 22 million current and former U.S. employees, was a stunning failure of deterrence by denial.

Deterrence by punishment would hold states accountable for cyberattacks that either they or their proxies conduct. Cold War nuclear deterrence relied on an ability to accurately attribute a potential attack to a specific adversary. In the cyber realm, however, attribution is a major problem.

In the case of the Sony hack last December, for example, the FBI was able to trace the attack back to North Korea only because of the country’s “sloppy” use of proxy servers to mask its action. The Obama administration responded covertly with a form of deterrence by punishment, when it essentially shut down North Korea’s Internet for a short period.

Cyber deterrence requires investments in cyber forensics to improve America’s real and perceived attribution capabilities. Any adversarial state contemplating a cyberattack must be made to believe, through the credibility of U.S. attribution capabilities, that it would be held accountable for its actions, or for the actions of a proxy acting indirectly on its behalf.

The goal is to make what one cyber expert calls the Internet “Wild West” less wild. Retooled versions of Cold War strategies — arms control and deterrence — will be essential policy tools for U.S. policymakers to achieve that goal. Their effectiveness is likely to be limited, however, because of the challenging character of the cyber domain — in which non-state actors increasingly exercise power and influence rivaling that of major states.


One comment

I wonder who was the state that released Stuxnet??????

Posted by No_apartheid