Comparisons are often made between the regulation of cyber and nuclear weapons. This analogy, however, is severely limited – particularly in relation to disarmament – and fails to reflect the unique dynamics of each. This short discussion will briefly examine the different logics of nuclear and cyber-deterrence (in cases of state-versus-state use). It argues that, unlike nuclear, cyber disarmament is not a feasible policy, in large part due to cyber’s dual civilian and military use. In the absence of disarmament as a viable strategy, it asks how cyber-weapons and war can be regulated, concluding by proposing an International Cyberwar Convention (ICWC) with a number of institutional functions, such as rule clarification and counter-measures for transgression.

Nuclear weapons are highly physical, measurable objects which fall exclusively under state control. Although uranium enrichment has dual-purpose for nuclear power, the destructive scope of nuclear weapons is widely recognised. This has helped establish a widespread system of global monitoring (however hard to enforce) which regulates the development, let alone use, of such weaponry. So-called nuclear deterrence works on the assumption that if a state has internationally-known nuclear capabilities, other states will not launch nuclear weapons against it, for fear of a nuclear response which would result in mutually-assured-destruction. Efforts to promote nuclear disarmament work within this contextual framework. 

In contrast, cyberspace is governed by new dynamics. Cyber-weapons are usually intangible; widely and easily available; hard to reliably attribute; and used ubiquitously and simultaneously by civilians, the state and the military. This makes demarcation between cyber-weaponry and wider cyber-technology extremely difficult. Cyber-weaponry can broadly be divided into the delivery method weapon, such as a computer; and an intangible cyberspace component, such as computer-programmes, digital command operations and network viruses. Yet the infrastructure, networks and technology upon which cyber-weapons depend are simultaneously critical to the smooth operation of modern digitalised life, for example, online banking. 

The most notable examples of (alleged) state use of cyber-weaponry include Israeli and US deployment of the Stuxnet malware to disable an Iranian nuclear facility in 2010. The Stuxnet worm took control of the centrifuge array in the Natanz nuclear facility, causing individual machines to malfunction and self-destruct, despite false data suggesting to operators correct functioning (see Raboin, 2011). Distributed-denial-of-service (DDoS) attacks were launched by Russia against Estonia in 2007 (see Lucas, 2017) and Georgia in 2008 (see Krebs, 2008). DDoS attacks function by overwhelming a system with so many additional requests that the network stops. In Estonia, sites visited approximately 1000 times per day, had nearly 2000 visits and requests per second (Meyers, 2007). It is, however, the frequency rather than technological nature that distinguish legitimate requests from those with hostile intent used in a DDoS attack. This again makes cyber regulation and disarmament difficult. 

These examples demonstrate the unique dynamics of cyber-space. In the context of cyber-conflict, with at least partially dematerialised effects, revisitation of how terms such as territoriality and spatiality, causality and temporality, ‘destruction’ and ‘injury’ are defined is vitally needed. Traditional notions of deterrence must also be reassessed to apply to cyberspace. 

Scholars broadly agree that cyberspace favours the attacker (see Libicki, 2009; Clarke and Knake, 2010). The speed, anonymity and virtual omnipresence of cyberattacks that can be launched from multiple locations across the world puts great pressure on cyber-defences. Cyberspace appears to reward those with strong offensive capabilities, who strike first, quickly and pre-emptively. Indeed, a cyber-weapon can rarely be identified as such until after an attack. Contrary to traditional notions of deterrence, an adversary cannot credibly be persuaded that a cyber-attack they unleash would be met with an immediate and costly response. Neither can a state reveal its offensive capability, nor plausibly threaten a certain scale of retaliation, because to do so would be to illuminate the very vulnerabilities of an adversary’s system that give cyber-weapons their potency. 

Moreover, attribution challenges give hostile actors scope to act with impunity. Lack of certainty regarding the identity of a cyber-attack perpetrator severely limits the lawful scope of a victimised state to respond. A cross-domain response – that is a non-cyber response to a cyber-attack – is often seen as an option in cases of contested attribution, for example diplomatic or economic sanctions. Yet there remains fear of unlawfully escalating conflict, and recognition of the severity of misattribution. The difficulty of credible, lawful retaliation is augmented by the – perhaps deliberate – lack of consensus regarding what is a proportional response in cyberspace. As Schmitt (2015) argues, ‘it cannot be the case that you can drop a bomb on every 17-year-old kid that is hacking into your systems and military systems’. What would constitute a proportional response to such conduct remains, however, contested. 

These unique dynamics render full disarmament neither a viable, enforceable nor indeed useful option for cyberweapons. They are simply too difficult to divorce from the multiple and highly advantageous societal – as opposed to specifically military – uses. Moreover, proponents of nuclear disarmament do not necessarily advocate the wholesale end of war, but recognise the particularly indiscriminate destruction that nuclear weapons can cause. In contrast, some scholars argue that cyber-weapons have the potential (if properly and enforceably regulated) to be more discriminatory, proportional and ‘ethical’ (in terms of reducing civilian casualties, and material destruction and damage) than conventional weapons. Lucas (2017) argued that Stuxnet ‘may have been the first purely ethical weapon ever deployed’. 

How to move forward? The need for an International Cyber-War Convention:

In light of these observations and of SCRAP’s foundational aims, the central question is how – in the absence of disarmament as a viable option – cyber-weapons should be regulated. To-date, global efforts to regulate cyber-war have been limited, despite bilateral, regional and private sector emphasis on defence cooperation, and tackling of cyber-crime. I propose that an International Cyberwar Convention (ICWC) would be a useful step to a) provide rule clarification; b) improve transparency and attribution; and c) offer incentives for compliance and authorisation of counter-measures for transgression. These reflect the particular practical challenges of cyberspace that need urgent redress. The remainder of this article will briefly outline what is envisaged by such institutional functions. 

At present, whilst the applicability of international law to cyberspace is broadly undisputed, there is a lack of consensus regarding how it applies, and how to define terms such as ‘armed force’, ‘hostilities’ and ‘destruction’. This ‘grey area’ of law gives states freedom to act with impunity, pushing the metaphorical boundaries without consequence. Whilst the classification of ‘armed conflict’ is highly difficult, it is important to note that none of the incidents outlined at the start of this article were declared cases of international war. It is thus important to set thresholds, for example, for what constitutes ‘armed force’ in cyberspace, so states know what conduct – and response – is legally permitted. At present, it is more important to draw a line, than where exactly that line is drawn. An ICWC would also build international confidence by signalling state intentions: if a state is willing to explicitly violate a binding international agreement, then it reveals much about their motives. 

The drawing of such a line is, however, futile if cyber-attacks cannot be reliably attributed. An ICWC would therefore have a crucial role in creating a collective attribution mechanism. Attribution is difficult, but not impossible, particularly in relation to state-versus-state use of cyber-weapons, where stakes are high and resources generally plentiful. FireEye – a Californian-based cyber-security firm – revealed the links between the cyber-hacker group APT28 and the Russian state through examination of forensic details left in the malware. If such technical expertise could be pooled, and resources, intelligence and data shared, attribution would become easier. Particularly in cases of a hostile state’s use of a third-party state’s cyber infrastructure to launch an attack, cooperation from that third-party would be especially useful. There should also be reassessment of what ‘reliable attribution’ is. As in courts of law, it rests on ‘beyond reasonable doubt’ rather than 100 percent certainty. Lucas (2017) proposes the ‘Agatha Christie principle’ – ‘namely, ignore the background distracts, and focus upon who stands to benefit most from the deed in question. Nine times out of ten, you’ve got your perpetrator and 90 percent certainty is probably close enough for government work’.

Most importantly, for an ICWC to have hope of success there must be sufficient incentives for states to join. For smaller states, such as Georgia, less able to defend themselves from the cyber-onslaught of technological-giants like Russia and the US, an ICWC that promises a range of support and benefits to compliance is highly appealing. For larger states, however, who fear that commitment to an ICWC would constrain their freedom of action, whilst allowing non-signatories to catch-up technologically and act with impunity, the case for compliance is more difficult. Yet, given that other states are likely to catch-up regardless, such technological giants have incentive to join. As predominant players, they would have great scope to lead the development of an ICWC and shape how international norms around cyberspace develop (implicitly in their interests). 

Whilst this article challenges analogies between nuclear and cyber, particularly in relation to disarmament, there are parallels between this and how nuclear powers have, through offers to develop civilian nuclear technology, limited proliferation but also maintained a clear global hierarchy which serves their self-interests. 

Finally, having clarified rules of conduct, an ICWC would need to be able to authorise and enforce counter-measures for transgression. At present, there is little consensus regarding what conduct is prohibited, what constitutes a proportional response in cyberspace and how cross-domain reprisals should be managed. Yet, to limit cyber-conflict and enhance deterrence as a credible course of action, realistic and practically enforceable counter-measures must be established. Whilst NATO invocation of Article 5 in relation to cyberspace remains ambiguous, there is scope for collective response. This would have to, however, avoid the pitfalls of the UN Security Council which, plagued by divisions within the P5, is subject to counter-productive political alliances of self-interest. This article thus proposes delegation of authorisation of counter-measures for transgression to an international independent body. 

The development of an ICWC faces significant challenge from scholars, practitioners and politicians alike. Expert views range from belief that any international agreement designed to constrain state action would be futile given its unenforceability (Clarke and Knake, 2010), to belief that it is too soon, or that a ‘soft-law’ strategy of voluntary norms and lose guidelines would have greater utility than formal obligations (Lucas, 2016). This paper contends, however, that a binding agreement is not only vital, but possible (despite inevitable challenges). An ICWC has scope to reflect, shape and accelerate norm development, averting a potential scenario where hostile state use of cyber-weapons continues almost entirely unregulated.