World leaders fear that cyber-terrorism and cyber-warfare may pose a real threat to national security. In the future, unknown hackers might target everything from electricity to elections.
Therefore, national security planners may look beyond reactive cyber-defense tactics to proactive, cyber-defense strategies.
Cyber-arms control is one possibility. The Russian government has suggested that the 1997 Chemical Weapons Convention (CWC) could serve as a model.
On the surface, the arms control analogy appears difficult to make. Chemical warfare is designed to kill humans, cyber-warfare is designed to kill machines (or their functionality). But let's see where the comparison could be helpful -- and where cyber-weapons may be unique.
Chemical weapons employ the toxic properties of chemicals to kill or injure human beings and animals. Archeologists have found poison-covered arrowheads dating to 10,000 BC. In WWI, chemical weapons may have caused one-third of the estimated 5 million casualties.
First, the most important reason for the success of CWC was political will. In 1997, Bill Clinton and Boris Yeltsin declared that we should "banish poison gas from the Earth." Political leaders today are beginning to describe the cyber-attack threat in similar terms: Chinese Minister Lou Qinjian has complained of "massive and shocking" damage caused by hacking, and President Obama announced that unknown hackers had "plunged entire cities into darkness."
Second, there is a universal nature to the threat posed by both chemical and cyber-weapons. For CWC, signatories feared not only nation-state use; they also worried that chemical weapons may be used by terrorists. CWC's goal is thus worldwide participation and the elimination of an entire class of weapons of mass destruction (WMD). Currently, CWC has 188 signatories, encompassing 98 percent of governments and 95 percent of the Earth's population. The ubiquity of cyberspace and the fact that hackers are able to anonymize their attacks may put a fear of cyber-weapons into the same universal category.
Third, CWC helps its members to fulfill treaty requirements and provides advocacy in the event that a member is threatened by chemical weapons. The persistence of cyber-vulnerabilities and the challenge of implementing best practices in computer security suggest that a Cyber Weapons Convention could create an international institution to provide technical, legal, and policy guidance to its members. One significant but politically and technically difficult step might be the joint observation of Internet traffic flows.
At this point, however, the helpful analogy between chemical and cyber-weapons breaks down. Arms control in CWC relies on the principles of prohibition and inspection. Both are currently very hard to imagine implementing in cyberspace.
Since 1997, CWC has overseen the destruction of over 60 percent of the world's declared chemical agent stockpiles and almost 50 percent of chemical munitions. However, it is difficult to prohibit something that is hard to define, and cyber-weapons present just such a challenge. In the single month of May 2009, Kaspersky Lab
counted 42,520 "unique malicious, advertising, and potentially unwanted" programs on its clients' computers.
Another key to the success of CWC is its inspection regime. Since 1997, there have been over 4,000 CWC inspections in 81 countries, and almost 5,000 industrial facilities are subject to inspection at any time. This is a large but manageable number. Compare it to one 256-Gbyte USB Flash drive, which holds over 2 trillion bits of data. Or the number of Internet-connected computers in the US, 400 million.
Some regular inspections probably already take place at the ISP level -- perhaps as part of China's Golden Shield Project, the European Convention on Cybercrime, Russia's SORM, and the USA PATRIOT Act -- but all such initiatives will face the same problem of overwhelming traffic volume.
In spite of these challenges, cyber-arms control may be a part of our future. CWC is an imperfect analogy, but it still offers national security planners with a few helpful ideas and some inspiration. In the future, if enough political will is generated to sign an international cyber-arms control treaty -- perhaps in the wake of a surprisingly powerful cyber-attack -- political leaders may give scientists the funding they need to attack the technical challenges of prohibition and inspection.
— Kenneth Geers, US Representative to the Cyber Center of Excellence in Tallinn, Estonia