Cybersecurity treaties may be nice, but it’s really every country for itself

The United States and China are attempting to negotiate what would be the first cyber arms-control agreement to ban peacetime attacks on critical infrastructure. The talks reflect the commitment that Washington and Beijing made at the conclusion of Chinese President Xi Jinping’s recent U.S. visit to “identify and promote appropriate norms of state behavior in cyberspace.” The first ministerial-level meeting on cybersecurity is due to take place before the end of this year.

The two countries’ effort to limit the cyber arms race is being widely compared to Cold War nuclear arms-control treaties. But this Cold War analogy is flawed because of fundamental differences between the nuclear and cyber domains.

President Barack Obama acknowledges that an “international framework” to regulate great-power competition in cyberspace is unlikely to be “perfect” because it would not solve cybersecurity threats posed by “non-state actors and hackers.” Yet as the president told the Business Roundtable on Sept. 16, “there has to be a framework that is analogous to what we’ve done with nuclear power because nobody stands to gain.”

In the nuclear domain, the United States has long advanced state-based strategies to curb capabilities and manage the increasing risks of superpower competition. For, unlike cyber capabilities, nuclear weapons have been in the sole custody of states. State-based strategies have been successfully pursued to limit the size of arsenals, reassure nonnuclear states to forego the weapons option and compel nuclear weapons states to secure their arsenals so that terrorist groups cannot obtain them.

A similar strategy for cyber limitations would start by leveraging states’ mutual interests as stakeholders to ensure that the Internet operates smoothly by eliminating system-threatening viruses, or “botnets,” and combatting cybercrime. Another priority would be to complete the U.S.-China negotiations on a cyber arms-control agreement. The Obama administration views the potential bilateral agreement as a base on which to develop a global consensus.

The two countries’ effort to limit the cyber arms race is being widely compared to Cold War nuclear arms-control treaties. But this Cold War analogy is flawed because of fundamental differences between the nuclear and cyber domains.

The bedrock of a state-based strategy to address cyber challenges would be sound national policies, codified in domestic law and fully enforced. The key to this is to ensure that states rein in non-state actors, whether individuals or groups.

The problem, however, is that authoritarian states, such as Russia and China, have an interest in preserving “patriotic hackers” as a policy instrument while maintaining plausible deniability. They also seek to control politically threatening Internet content that most democratic states would regard as protected speech.

This arms-control push needs to be buttressed by a robust strategy of deterrence in both its variants — deterrence by denial and deterrence by punishment.

In the cyber realm, deterrence by denial would mean defensive measures that block an adversary’s ability to achieve its objective, such as disrupting a U.S. government website. For individual personal computers, anti-virus and anti-malware software can provide one form of deterrence by denial.

As significant as a cyber arms-control agreement to ban attacks on critical infrastructure might be, the necessary complement to it is effective cyber defense mechanisms. This could include strengthening computer networks to block unauthorized access and increasing their resilience. That would frustrate any potential attacker. In these terms, the Chinese hack of the U.S. Office of Personnel Management database, which compromised the personal data of some 22 million current and former U.S. employees, was a stunning failure of deterrence by denial.

Deterrence by punishment would hold states accountable for cyberattacks that either they or their proxies conduct. Cold War nuclear deterrence relied on an ability to accurately attribute a potential attack to a specific adversary. In the cyber realm, however, attribution is a major problem.

The goal is to make what one cyber expert calls the Internet “Wild West” less wild.

In the case of the Sony hack last December, for example, the FBI was able to trace the attack back to North Korea only because of the country’s “sloppy” use of proxy servers to mask its action. The Obama administration responded covertly with a form of deterrence by punishment, when it essentially shut down North Korea’s Internet for a short period.

Cyber deterrence requires investments in cyber forensics to improve America’s real and perceived attribution capabilities. Any adversarial state contemplating a cyberattack must be made to believe, through the credibility of U.S. attribution capabilities, that it would be held accountable for its actions, or for the actions of a proxy acting indirectly on its behalf.

The goal is to make what one cyber expert calls the Internet “Wild West” less wild. Retooled versions of Cold War strategies — arms control and deterrence — will be essential policy tools for U.S. policymakers to achieve that goal. Their effectiveness is likely to be limited, however, because of the challenging character of the cyber domain — in which non-state actors increasingly exercise power and influence rivaling that of major states.

The opinions expressed here are solely those of the authors.