Because the Internet carries a borderless aspect, it is unsurprising that international solutions to cybersecurity problems have become an increasingly insistent area for debate. The notion of a cyber disarmament treaty is appealing as we begin to wrap our minds around the destructive possibilities in cyber, including the potential for civilian casualties of cyber dimensions of recognized armed conflicts—a traditional arena for treatymaking.
In this paper, I argue that calls for cyberwarfare treaties miss the mark because they conflate traditional forms of force with the avenues that nation-state cyber actors are exploiting. In this, I differ from existing cyber treaty skeptics because my rationale hinges on the substantive nature of the cyber threat as one ill-suited to treaties.
I agree with others’ critiques that definitions in the cyber world remain vague, often haphazard or poor adjustments of kinetic world definitions. Yet the search for terminology to best address cyber threats and behaviors is not a problem particular to cyber disarmament. Another common critique of cyber disarmament is that we have no enforcing body. Similarly, I find this critique true but not necessarily unique—international law of all sorts faces problems in law enforcement.
I contend that the reason a cyber disarmament treaty is not an appropriate tool to address the threat of cyberwarfare is that it fails to recognize that the most threatening cyber warfare concerns involve quiet but lucrative zero-day threats. A zero-day threat is a foundational “hole” in software or hardware that can be exploited before its existence is even known. Emerging research shows that zero-day exploitations last longer and the payload is significantly higher than that of traditional hacking. Because a cyber disarmament treaty could only effectively bind countries to behavior that is known to the other players, it would not bind zero-day hacks or the deliberate installation of zero-day vulnerabilities in products. The notion of a treaty derives from a sense that violence is knowable at the moment when a defector acts. Cyber warfare simply acts outside of that assumption much of the time.
Available at: http://works.bepress.com/merritt_baer/5/