Against the background of seemingly ceaselessly proliferating cybersecurity incidents, debates about the need for international norms regulating malicious code capable of jeopardising economic, social and potentially human systems have gained increasing traction over the past few years. However, consensus on how to regulate cyberweapons appears hard to come by.
Norm-construction concerning cyberweapons at the international level is challenged by three main factors: 1) deep-rooted political contentions and definitional inconsistencies; 2) difficulties related to detection and verification; as well as 3) continuous and rapid technological advancement.
While physical weapons have been created and used since humanity’s earliest days, shaping understandings of harm, violence and war, as well as associated norms and regulations, cyberweapons do not look back on a similar history, nor do they fit customary schemes of classification. Varying terminology and definitions all highlight different features, contributing to theoretical muddle and conflation: the only point of convergence seems to be definitional ambiguity. Two prominent examples include Herr, who defines cyberweapons as “the combination of a propagation method, exploits, and a payload designed to create destructive physical or digital effects”, and Rid & McBurney, who see them as “computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings”.
Differences between Eastern and Western conceptions of cyberweapons and corresponding strategies of regulation (e.g. total ban vs. partial restriction) have made discussions on the international stage highly contentious. Back in 2011, Jack Goldsmith summed up the challenge in a way that is still relevant today: “There are deep and fundamental clashes not only over what practices should be outlawed but also and more broadly over what the problem is.” Moreover, “computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings” can take many different forms, which renders precise definitions concerning instruments, targets, and effects very tricky. Instruments, targets, and effects follow a dynamic logic and the high degree of malleability and potential for modification pertaining to cyberweapons severely challenge the articulation of precise and effective standards.
Another important obstacle to successful cyberweapons norm-construction concerns the issue of verification. Aside from being highly resource-intensive and time-consuming, it is tough because cyberweapons or components thereof can be hard to distinguish from benign online activity, making norm-construction a moving target. Furthermore, attack sources are hard to determine unequivocally. Anonymity and stealth, which most cyberattacks rely upon, invite non-compliance, unravel cooperation, and effectively act as norm deterrents.
Yet another challenge to international cyberweapons norm-construction stems from an ever-changing and increasing attack surface. In addition to a steadily growing number of unpatched legacy systems facing decades of accumulated malware, the prevalence of weakly secured Internet of Things devices exposes new weaknesses on a daily basis. The emergence of continuously changing types of vulnerabilities makes norm-construction arduous and increases the risk of norms pertaining to cyberweapons being irrelevant or obsolete even before having been adopted and internalized.
Although these challenges may seem overwhelming, there are numerous approaches that show potential for further progress on cyberweapons norm-construction. Three candidate measures that may help move discussions forward and support more stringent norm-development are 1) issue specificity; 2) verification cooperation; and 3) enhanced disclosure practices.
In the context of cyberweapons, successful norm-construction cannot be achieved based on broadly framed, overarching legal instruments, e.g. global umbrella treaties or covenants. Rather, discussions concerning shared standards for cyberweapons should be organised around specific, manageable issue areas, and include stakeholders from different backgrounds who are capable of flagging areas of intersection and convergence. Issue specificity, e.g. the creation of norms pertaining to specialised areas such as the protection of critical financial infrastructure and data in peacetime and wartime, or the prohibition of vulnerabilities stockpiling related to critical infrastructure systems, such as uranium-enriching centrifuges, can help reduce ambiguity apropos instruments, targets, and effects and allows for the strategic construction and connection of different cyberweapons debates, as well as for the attribution of stakeholder responsibilities.
Greater institutionalisation and heightened (independent) threat intelligence cooperation, e.g. along the lines of multi-actor research laboratories, can help reduce the verification problem. In some instances, consolidated tracebacks and shared threat intelligence, as well as forensics tools, can provide sufficient attribution and compliance monitoring and support the emergence of shared understandings and behaviours regarding cyberweapons. The setting up of dedicated crisis hotlines, or discrete bilateral discussion rounds uniting opposing parties can provide further options for more in-depth collaboration.
Ever-accelerating technological change, the pushing-to-market of insecure products, and the stockpiling of vulnerabilities by private and public organizations can be addressed by means of proactive, norms-based disclosure practices across public and private agencies, i.e. stealing the thunder of vulnerabilities before they can be exploited by means of cyberweapons. Responsible vulnerability disclosure schemes can provide a fertile breeding-ground for the development of shared understandings pertaining to cyberweapons by inducing reputational costs for non-adherents. Indeed, responsible vulnerabilities disclosure may be a candidate norm in and of itself. Similarly, bug-bounty programs, capture-the-flag (CTF) and other white-hat activities may offer other avenues for strengthening rules of appropriate behaviour in the context of cyberweapons.
Cyberweapons norm-construction needs to be pursued diligently by state and non-state actors alike despite all the obstacles identified. Issue specificity, verification collaboration, and enhanced disclosure schemes are important ingredients for further progress on cyberweapons norm-construction and provide opportunities for meaningful collaboration.
Authors: Jacqueline Eggenschwiler and Jantje Silomon are DPhil students at the University of Oxford.