Freeman Spogli Institute for International Studies Program on Energy and Sustainable Development Stanford University


Publications




Image of Cover

Weighing the Case For a Convention to Limit Cyberwarfare

Journal Article

Author
David Elliott - Affiliate at CISAC

Published by
Arms Control Today, November 2009


The United States must take steps to protect its critical national infrastructure against serious cyberattack. One step might be to negotiate a multilateral convention to limit such attacks by states, which are the most likely source of an attack at the level of greatest concern. Although verification of compliance would be difficult, the convention in and of itself might be worthwhile for its norm-setting value, to be a restraining factor in the offensive decisions of other states, and as a necessary step in obtaining fuller international cooperation in controlling the general cyberthreat.

On the other hand, the U.S. military believes that cyberattack in its own hands may be an important addition to its war-making capacity. It may be unwilling to limit that capacity, particularly as the understanding of cyberwarfare potential is still being formed.

Balancing these conflicting objectives will require a full debate and executive decision. This process will have to be carried out by a special high-level government group because of the sensitive and fragile nature of certain aspects of the information involved.

One model of a convention that could serve as a starting point would commit the parties to no-first-use of cyberattack directed at elements of another party's critical infrastructure if the disruption from that attack was intended to be widespread, long-lasting, or severe. One reason for these thresholds is to differentiate continuing, manageable lower-level attacks from those that constitute a serious violation by a state-party. All the terms in this commitment could be defined in an Understanding Annex, as in the ENMOD Convention, and would be the subject of negotiation. The convention would also preclude assistance to others in conducting prohibited attacks.

Because the cyberthreat is evolving rapidly and is difficult to define, any proposed solution is very unlikely to address the problem effectively for the long term or perhaps even the medium term. On the other hand, it may be important to constrain this form of warfare in the relatively early stages of its development. The type of limited convention described in this article strikes an appropriate balance by establishing some important initial parameters that could serve as the basis for more comprehensive agreements in the future.