Criminal Justice & the Rule of Law Cybersecurity & Tech Foreign Relations & International Law

On Cyber Arms Control (Apropos of the <em>New York Times</em> Editorial)

Herb Lin
Saturday, March 7, 2015, 1:57 PM
A bit late, but one more observation about the New York Times editorial calling for cyber arms control.

Published by The Lawfare Institute
in Cooperation With
Brookings

A bit late, but one more observation about the New York Times editorial calling for cyber arms control. In their words, "the best way forward [to reduce cyber threats] is to accelerate international efforts to negotiate limits on the cyberarms race,” in much the same way that we did with the nuclear arms control treaties of the Cold War. Paul Rosenzweig correctly points out that we need to know what a cyber weapon is before we can regulate it. But there are two other fundamental points that also need to be addressed. The first is related to Paul’s point—threats in cyberspace include those that result in destruction or damage and those that result in the loss of data—a characteristic not shared by nuclear weapons, which are ultimately useful only for exploding. From the perspective of the target, these two threats—destruction and exfiltration of data—are largely indistinguishable at least at first, since they use the same technical methods for penetrating the system or network of interest. For the United States (or any other nation) to agree to limits on destructive cyber weapons, it would also have to be willing to limit its cyber espionage activities. Since cyber espionage is such a productive approach for gathering intelligence information, it is highly unlikely that any nation would agree to such limits—especially in the uncertain world of today and tomorrow where clandestinely collected information is so very useful. Second, a key aspect of the nuclear arms race involved each side accumulating more and more nuclear weapons relative to the other side. The cyber “arms race” doesn’t involve each side trying to match the other side—the goal is to stockpile as many zero-day vulnerabilities as possible regardless of how many the other side has. So the fundamental dynamic of numerical “action-reaction” just doesn’t apply. We can have a discussion about what it would mean to curb the arms race – but from my perspective, that isn’t a discussion that should be based on what others do, it’s a discussion about what we think we should be doing in our own self-interest. IF we think that having and exercising offensive capabilities in cyberspace is in our net national interest, then we should be stockpiling as many zero-day vulnerabilities as we can find. IF we think that having and exercising offensive capabilities in cyberspace is not in our net national interest, then we should stop such stockpiling. And what counts as our net national interest? That’s what we need to have a national discussion about. Many advocates of restraint will say “our aggressive pursuit and use of offensive cyber capabilities—including for espionage—legitimizes the use of such capabilities against us,” and so we should not do that. Many opponents of restraint will say that “our adversaries will use their offensive cyber capabilities against us no matter what,” so restraining ourselves unilaterally is foolish. There are, of course, many arms control measures other than limiting numbers. And some of those measures may be worth considering. In the end, it’s entirely true that reducing the cyber threat has to include some measures to persuade adversaries to moderate the scope and nature of the cyberattacks they use against us. So let’s have a conversation about what would be persuasive and what those measures should be.

Dr. Herb Lin is senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University. His research interests relate broadly to policy-related dimensions of cybersecurity and cyberspace, and he is particularly interested in and knowledgeable about the use of offensive operations in cyberspace, especially as instruments of national policy. In addition to his positions at Stanford University, he is Chief Scientist, Emeritus for the Computer Science and Telecommunications Board, National Research Council (NRC) of the National Academies, where he served from 1990 through 2014 as study director of major projects on public policy and information technology, and Adjunct Senior Research Scholar and Senior Fellow in Cybersecurity (not in residence) at the Saltzman Institute for War and Peace Studies in the School for International and Public Affairs at Columbia University. Prior to his NRC service, he was a professional staff member and staff scientist for the House Armed Services Committee (1986-1990), where his portfolio included defense policy and arms control issues. He received his doctorate in physics from MIT.

Subscribe to Lawfare