Cybersecurity Treaties: A Skeptical View

Prospects for a cybersecurity treaty seem to have improved in the last year.  The Russians have long proposed a cyberwarfare “arms-limitation” treaty.  Until recently, the United States has balked at the proposal. But the U.S. government is in the process of reconsidering its position.  Last June, National Security Agency (NSA) Director Keith Alexander said of the Russian proposal: “I do think that we have to establish the rules, and I think what Russia has put forward is, perhaps, the starting point for international debate.”  Former NSA and Central Intelligence Agency Director General Michael Hayden made a similar proposal in late July.  The United Nations recently reported progress on cybersecurity treaty talks, and the North Atlantic Treaty Organization and the International Telecommunications Union are also exploring possible cybersecurity agreements.  Many commentators think that such agreements are necessary and inevitable. This essay sounds a skeptical note.  Part I explains why international cooperation is thought to be a central solution to the cybersecurity problem.  Part II sketches the cautionary lessons to be gleaned from our experiences with the Cybercrime Convention.   Parts III-V examine three major hurdles to a global cybersecurity treaty: the lack of mutual interest; the problems the United States faces in making concessions adequate to gain reciprocal benefits; and the problem of verification.  Part VI briefly considers the feasibility of narrower and softer forms of cooperation