Show sidebar

Towards a Cyber-Security Treaty

The Democratic National Convention (DNC) leaks revealed last week have presumably reminded many Americans to the severe cyber-threats this country is facing. Particularly alarming were the allegations that Vladimir Putin is behind the hack. Homeland Security Secretary Jeh Johnson raised his concern that Russian hackers might be able to target voting machines on Election Day. WikiLeaks founder, Julian Assange, announced that the leaks were merely the first episode of an election-season series — largely still behind the curtain.

But international law offers little by way of remedies against state-sponsored exposure of foreign secret information. The analysis typically focuses on the international legal duty of non-intervention – a fundamental but indeterminate concept of international law. As usual in these contexts, we heard yet again last week about the Tallinn Manual, and its attempt to adapt the laws of war to the cyber-security context. But the twin frameworks of jus ad bellum and jus in bello hardly provide answers to questions raised in the aftermath of the DNC hack.

Rather than rehashing the discussion of the laws of war, policymakers and lawyers in Washington should take this opportunity to reevaluate another option: a cyber-specific treaty. This option has largely been disregarded by the Obama administration, which has preferred not to restrict its cyber offense capabilities. Putin, on the other hand, may have tabled the most constructive treaty option thus far: a cyber-treaty based on the Chemical Weapons Convention (CWC). Whether initially raised in good faith or not, the DNC hacks illustrate why this option should now be granted some sustained attention.

Moving Beyond the Laws of War

While the standard resort to the laws of war and its derivatives is understandable, it is by no means necessary, and probably not even a desirable orientation towards cyber-security. 

This is because the laws of war are inapplicable to most cyber operations. The DNC Hack, for example, did not cause any physical destruction or bodily harm. It therefore does not reach the severity threshold that justifies the resort to self-defense measures (ad bellum) or the law of armed conflict (in bello). What remains, as a matter of international law, is the general norm of non-intervention, which does not say much about hostile state-sponsored activities in cyberspace.

Policymakers must therefore first acknowledge existing legal frameworks that transcend the orthodox focus on the law of war. These likely provide a much better starting point. Last year’s Report of the U.N. Group of Governmental Experts, for example, has come up with cyber-specific rules of responsible behavior in cyberspace. In addition, Russia, China and four other States have signed an additional non-binding “international code of conduct for information security”, in which they pledged “not to use information… to interfere in the affairs of other States or with the aim of undermining the political, economic, and social stability.”

While these frameworks provide evidence of common interests, they are indeed only a start, due to their non-binding nature. Stepping out of the laws of war rhetoric, the most ambitious and probably the most productive approach to cyber threats would be to push toward the framing of a cyber-specific treaty. A cyber-treaty would mitigate some of the outstanding challenges the DNC hack has illustrated. It would help preventing the expansion of cyber-attacks falling below the threshold in which the laws of war kick in; as importantly, it would help protect democratic political processes and domestic self-government at home and abroad.

Towards a Cyber-Specific Treaty

A treaty specific to cyber operations is no novel idea. The treaty approach was not adopted because the United States did not want to limit its rich and multifaceted cyber-interventions abroad. But a failure to pursue a treaty framework will likely come at the US’s own peril. Not only the US, but also Russia and China have become major players in this field. If one wishes to limit the damage the three can impose on each other, some agreement is required. Perhaps even merely negotiating a cyber-treaty has some value. Such a process highlights controversies and disagreement; at the same time, it “limits the arms race and paves the way to peace.”

Back in 2012, Russia sought to conclude a treaty. At that time, Vladislav P. Sherstyuk, deputy secretary of the Russian Security Council, laid out what he described as Russia’s “bedrock positions” on disarmament in cyberspace. Russia’s proposed treaty was modeled on the Chemical Weapons Convention (CWC). Russia proposed that such treaty “would ban a country from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war.” This emphasis was likely motivated by a desire to rebuke the US and Israel for the famous Flame and Stuxnet malware that infiltrated Iranian nuclear facilities’ computer systems in 2010.

As Mary Ellen O’Connell and Louise Arimatsu explained in a report from the same year, the US’s resistance to proposals for a treaty may have related to:

“US plans to use the Internet for offensive purposes […] U.S. officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true U.S. position.”

In 2015, Russia and China signed a pact that includes a pledge not to hack each other, as well as provisions on law enforcement cooperation and exchange of cybersecurity technologies. While Russia failed to get the US to agree on basic cyber-security principles, the two other super-powers moved forward bilaterally.

To be sure, Russia’s good intentions are nothing that we can opine about (as we do not attempt to determine Obama’s intentions). However, even if the commitment to the new cyber-specific treaty is merely a matter of optics, it may seriously help reducing risks. To understand how that might work, consider the wisdom of Sherstyuk’s appeal to the CWC in particular.

The Chemical Weapon Convention (CWC) Model for a Cyber-Treaty

The CWC is a 1997 arms-control convention, originally signed by 95 nations (188 as of today). Signatories pledged to eliminate chemical weapons, their production facilities, as well as refrain from using chemical weapons under any circumstances. The CWC also requires states to adopt measures to implement the treaty. Signatories are required, for example, to legislate statutes that penalize activities contrary to the provisions of the treaty. Finally, the CWC establishes the Organisation for the Prohibition of Chemical Weapons (OPCW), which oversees the adherence to the convention by carrying out inspections in the territory of State parties. The establishment of the OPCW is truly the most revolutionary aspect of the CWC.

The OPCW provides assistance to state parties. Among other work, it engages in advocacy promoting the abolition of chemical weapons, and provides assistance in the peaceful use of chemistry. In 2014, the OPCW led the collection and elimination of Syrian chemical weapons. While this operation has not clearly eliminated the threat of chemical weapons in Syria, it certainly played an important role.

This could also be applicable to cyberspace. A cyber-treaty based on the CWC, would establish an independent organization to monitor trans-boundary cyber activities, assist with real-time ongoing cyber-attacks, and provide intelligence to attribute cyber operations to a particular actor. This will be challenging, as cyber-security is one of the most sensitive and classified parts of contemporary national security. However, a treaty-based organization could opt for a representative structure and decision-making processes that will protect its work from being monopolized by any one super-power. Such an organization will also provide training to officials of state parties that do not have the knowledge or the means to acquire cyber security training.

The authority of the Organization will be naturally limited, but serious violations may be submitted to the United Nations, whether the General Assembly, or in more serious cases, the Security Council. The CWC rests on these assumptions. They should also be incorporated in the cyber-treaty.

The CWC requires states to legislate appropriate laws to comply with the stipulations of the Convention. A more recent example relevant to cyberspace is the 2001 Council of Europe Convention on Cyber Crime, which requires states to adopt specific laws prohibiting illegal access, data interference, computer related fraud, and more.

This model would work alongside the cyber-treaty intergovernmental organization, and will provide some sort of common ground for policy, since states parties will adopt similar domestic laws limiting the development and use of cyber offensive techniques. For example, the cyber-treaty could require states parties to adopt laws prohibiting private companies and individuals from developing certain offensive codes and techniques.

Finally, one of the CWC’s main purposes is to differentiate between desirable civilian uses of chemistry and the development of chemical weapons. The idea is to prevent the latter while not discouraging the former. This basic tenet too is applicable to the cyber realm, where some research and new technologies may be very beneficial.

A Few Important Caveats

To be sure, adapting the CWC model (with relevant modifications) to cyberspace will still not solve all threats and challenges. As David Koplow has shown in an important work, both the US and Russia are systematically violating key provisions of the CWC. Why would a cyber-treaty modeled on the agreement fare any better?

While key players are expected to continue to search for ways around their treaty-based duties, such a treaty will advance cyber-peace and cooperation between states. Russia has shown interest in developing such a treaty, while the US has not been particularly cooperative. Cyber offense is a two-way road. Back in 2012, Schneier explained this very clearly: “We might have an offensive advantage—although that’s debatable—but we certainly don’t have a defensive advantage.” Since the US is planning to maintain its attacks and surveillance of other states, it is likely to remain the target of similar activities. Recent events have proven that this is indeed the reality we live in.

An important part of the Democratic Party’s foreign policy program in its campaign for the Presidency is a harsh stance against Russia’s aggression against Ukraine. Conversely, the Republicans under Donald Trump seem to have made a renewed “friendship” with Russia a strategic goal, while tolerating the annexation of Crimea. The thought, apparently, is that this will help defeating the Islamic State (IS) in Syria. Against this backdrop, one must ask whether, from the perspective of international law, such a strategic treaty with Russia will not signal an undue compromise of a foundational building block of 20th Century international law: the prohibition on the forceful acquisition of territory.

This is a serious objection, which we do not want to take lightly. Ultimately, it may indeed weigh against negotiating a comprehensive cyber-specific treaty in which the US and Russia will be two major negotiators. However, a blanket rejection of cooperation with Russia on an area of emerging global importance may reflect undue dogmatism, and not bar a continued rejection of Crimea’s annexation. Furthermore, against the backdrop of Clinton’s failure to take a stance against the occupation and annexation of the Palestinian Territories, uncritical reliance on the prohibition of territorial conquest seems hypocritical.

Finally, an important objection can be raised from the perspective of the national security of the United States and its allies. Wouldn’t the ceding of authority in this area to an international body reduce the US’s flexibility in employing its presumed relative technological advantage freely? This objection too must not be written off. Like the CWC, a cyber treaty would probably best be premised on a combination of prohibitory provisions and regulatory ones. The hope is that this will allow negotiators, within the scope of agreed arrangements, to keep significant cyber capacities available when needed for self-defense.

At the very least, an initial cyber-treaty may create some sort of framework to address violations and assist states in responding to cyber-attacks. Ignoring the need for of a cyber-treaty poses a real danger to the national security of the United States and other countries. The laws of war are designed to protect civilian lives and civilian infrastructure. They are not good at regulating technological activities, of preventing foreign intervention in processes of domestic self-government. The CWC model can teach us a lot about regulating cyber hostilities, and should be a lesson for global cybersecurity governance.

Tags: , , , ,

About the Authors

is a Cyber Fellow at the Center for Global Legal Challenges at Yale Law School. You can follow him on Twitter (@idokilovaty).

is a senior lecturer (associate professor) at the University of Haifa Faculty of Law, where he teaches international law and a number of related courses, including an elective on law and terrorism, environmental law, and a clinical seminar.