The Department of Defense released their Strategy For Operating In Cyberspace in July of 2011. In the document, they add Cyber to the traditional 4 domains...Land, Sea, Air, and Space. This paper raises the question, at least in my mind: Should there be a Cyberwarfare treaty? I think the short answer is a definite "Maybe."
I think a longer answer is that a arms treaty, like chemical or nuclear, is meant to deter the production of those types of weapons by government entities. Even if such a treaty were to be ratified, it would not stop other entities, whether commercial, criminal, or private from creating the same. With nuclear or biological weapons, it would have been very difficult for a private entity to produce, store, or use weapons. This is not the case with software.
Jeffrey Carr, in his new edition of "Inside Cyber Warfare" says that there are currently 28 nation states that have cyber warfare capabilities. Does the rapid spread of Cyber Warfare capabilities mean that there should be a treaty? There are major differences in how Cyber conflicts would take place versus other types of conflicts. For example, unlike physical confrontation, any Nation in the world can attack any other Nation directly or indirectly. In addition, rogue political parties or factions within a nation can take actions that don't necessarily represent the country's views as a whole. Do the different dynamics of Cyber Warfare warrant a treaty? Does the amount of damage that can be caused by Cyber Warfare relative to the cost of hacking warrant a treaty?
The answer in the United States, apparently, is "Yes". At least one Cyber Warfare treaty was created in 2011. The ANZUS treaty between Australia and the United States was extended to include Cyber Attacks. If one country is attacked, then it is considered to be an attack on both. It might be likely that other alliances will consider similar extensions this year (NATO, the UN, etc.).
Geneva Convention for Cyber War?
There are other types of warfare that do have treaties. The Geneva Convention covers many aspects of physical confrontation, but there has never been a formal international espionage treaty, which Cyber Warfare is more analogous to. This isn't to say that this isn't a great time to start.
A Cyber Warfare treaty could address analogs in Cyber Security similar kinds of things that are already addressed in the Geneva Convention. For example:
Even these few examples create their own problems, however. What if, for example, a Nation State attacks a biological weapons or nuclear weapons production facility (as was the case with Stuxnet)? Does this actually help enforce the Geneva Convention? What if there is a danger to civilians around where these facilities are located?
Software Isn't Like Other Weapons
All computer software has a shelf life, and this is also true for computer viruses. A hacker creating a computer virus is reliant upon an operating system. When those operating systems are updated, patched, or replaced, the virus ceases to have value. This is not true for other types of arms control. A 50 year old nuclear warhead is still dangerous.
A Cyber Treaty Would Say What?
What would such a treaty say? Should it be specific to the types of code that shouldn't be written? Should it ban countries from producing soldier-hackers? Should it create an outright ban on the types of computer warfare that are not allowed? Should there be a Geneva Convention for the Internet?
All these conventions don't fit the makeup of the internet. This is the internet where companies and technologies, whole computer languages, have lifecycles measured in months, not years. Assuming that a written treaty could apply is a misunderstanding of how the Internet is governed. Every aspect of the internet is governed by social convention, software licenses, and terms of service. These conventions necessarily change very quickly over time. Not to mention that even if such a treaty could be ratified, it would be obsolete by the time the ink was dry.
It would be great if Governments were willing to commit to one another that they won't attack each others nuclear reactors with computer viruses. Jails. Air traffic Control systems. This misses the point of the greatest protection we already have...the one that worked throughout the cold war...mutually assured destruction. Because of Globalization, an attack on the US, would have immediate and drastic economic consequences for every other nation state in the world. Even a small scale attack on a major country would have similar consequences...given the amount of damage that the world has felt the problems in Ireland, Greece, and Portugal. And there is no reason to think that an attack would be limited to only one country at one time. If such an attack were to take place, it would be just as easy to attack everyone that is against your particular point of view.
The best idea for a treaty like this would be a worldwide treaty that includes all major players to share resources, visibility, intelligence, to protect critical infrastructure against non-state actors. This would be very similar to how many organizations as well as state governments have developed inter-organizational Information Security Advisory Councils to share real time threat information. Some large ISPs like AT&T and Verizon are offering this kind of real time threat monitoring from a world-wide perspective, so it would be a huge step in CyberSpace if governments took the same measures.
CyberCrime vs. Cyber Warfare vs. Cyber Terrorism
How do we distinguish between Cyber Crime and Cyber Terrorism or Cyber Warfare? I think this is where progress is most likely to be made with any Cyber Treaties. In order to successfully track the global criminal, there needs to be a global network of cooperation between legal systems on a scale that doesn't exist today. After 6,000 credit cards were stolen, the Israeli Government declared that this was an act of terrorism. Is that an overreaction? Should the Israeli Defense Forces respond by hacking the hacker?
Shouldn't we be focusing on prevention? How much is law enforcement willing to engage with businesses and individuals to protect their information? How do we know when an incident of hacking should be escalated from being a law enforcement matter to being a national security matter?
Cyber Criminals can automate crime. They can commit hundreds of crimes per second, and in fact they can perpetrate multiple of types of crimes all at the same time. Law Enforcement can't automate catching criminals, prosecuting them, or incarcerating them. This is necessarily done one criminal at a time. Law Enforcement will always be slower than Cyber Criminals.
One might ask, what other organizations are there that the 28 Cyber Warfare Club members already belong to? Interpol is one example. InterPol, has a staff of about 600 and a budget of 80 million. In contrast, the FBI has a staff of 35,500 and a budget of 8 billion. To me, this means by necessity, cybercriminals will go global to reduce their risk from being caught domestically by the biggest law enforcement agency in the world.
The lowest hanging fruit for a Cyber Security Treaty, then, is probably Cyber Crime, not Cyber Warfare. Countries could coordinate their Cyber Crime efforts, which makes a lot of sense, especially in a global economy.