Tim Stevens

Since 2010, and the emergence of Stuxnet into international security affairs, cyberweapons have been the object of much debate. Stuxnet demonstrated that physical damage could be caused by weaponised code, in this case by subverting the industrial control systems of a nuclear facility in Iran. Likely the product of a US-Israeli intelligence program to set back Iranian nuclear weapons ambitions, Stuxnet is one of the first instances of weaponised code intended to generate strategic effect through physical sabotage, in this case by damaging a centrifuge array used for uranium enrichment. It has been identified as something of a game-changer in international affairs but there is still little consensus over the utility of cyberweapons in supporting political ambitions. There is even less agreement over how best to regulate their use and development. What, if anything, are we going to do about them?

Cyberweapons are computer code intended to threaten or cause physical, functional, or mental harm to structures, systems, or living beings. They have no conventional physical being but are informational entities that cannot exist outside of computer systems. Their effects may be felt further afield, if deployed accurately and effectively, as Stuxnet apparently demonstrated. Their unique anatomy aside, they are unlike other weapons in other ways too. They are not cyber bombs, which US Secretary of Defense Ashton Carter claimed to be dropping on Islamic State in February 2016. This suggests they can be deployed anytime and anywhere. But cyberweapons are actually bespoke, requiring careful research and development to exploit specific vulnerabilities in target systems.

Despite the relative novelty of Stuxnet and its possible successors, the debate overcyberweapons began in the late 1990s in the United States. For example, how can authorities monitor the use or transfer of code across systems like the internet? Information is not amenable to physical tracking and interdiction like conventional arms or biochemical weapons precursors. If monitoring is so difficult, how can a regulatory or prohibition framework enforce compliance? And, if evading such mechanisms is relatively easy, why would states not continue to develop cyberweapons in secret? Might states, in fact, reject any attempt at regulation, in order to preserve their freedom of action in this emerging domain of warfare?

These issues are often produced as evidence that pursuing the governance of cyberweapons is futile and, possibly, counterproductive. If global, binding agreements on ‘cyber arms control’ and counter-proliferation are not possible, why embark on them in the first place? However, other possible avenues might be explored. Why should a global treaty on cyberweapons be a prerequisite of effective governance? Would it not be useful to determine and expand what systems and structures are already in development, rather than reject governance attempts out of hand because they cannot guarantee an overarching global solution? There are three main areas in which global cyberweapons governance is emerging, albeit in piecemeal fashion: cyberwarfare, cybercrime, and export controls on dual-use technologies.

The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, is part-way through determining how international humanitarian law (jus in bello) applies to cyberwarfare, including the use of cyberweapons. Its Tallinn Manual Process has established that jus in bello applies fully to cyberweapons, which can therefore only be used if they meet strict criteria of necessity, distinction and proportionality. NATO states are now incorporating opinio juris into policy and doctrine, even though none is certain how this framework will work in practice. Russia rejects this process, accusing NATO of militarising cyberspace. This is not an unreasonable claim but it ignores that customary international law applies to all states, regardless of individual objections to its interpretation.

National cybercrime policies are common but there is only one international mechanism, the Council of Europe Convention on Cybercrime (2001), which all states, European or otherwise, may sign and ratify. Member-states commit to harmonising domestic cybercrime legislation and to facilitating transnational policing and investigation. The Convention does not mention cyberweapons expliclty but Articles 4.1 and 4.2 criminalise the use of computer systems to cause non-consensual damage and harm. Article 11 prohibits the aiding and abetting of such activities. These provisions could apply to cyberweapons and their supply chains. The Convention may have some counter-proliferation and criminal deterrence value but is unlikely to apply to state cyberweapons use. Military and intelligence agencies’ involvement in murky cyberweapons markets is an additional confounding factor. As with cyberwarfare, Russia and China prefer to make alternative arrangements.

State and non-state proliferation of cyberweapons are both covered by a December 2013 amendment to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods (1996). Cyberweapons are dual-use and can be used for defensive or research purposes, or deployed in offensive fashion as a cyberweapon proper. Wassenaar attempts to restrict the sale or transfer of hardware and software that facilitates some aspects of possible cyberweapons use. It does not deal with cyberweapons per se but those software and hardware infrastructures that support their deployment. Despite initial enthusiasm, the US has rejected the amendment, on the grounds that it would hamper research and decrease security. Other states have been more cooperative but the absence of the US threatens the integrity of an already weak institution.

These three fields constitute a nascent global governance architecture, albeit a fragmented one. In no case do all major players (US, Russia, China, EU) agree on which institutions or norms are appropriate or desirable and all fields need significant development. However, fragmentation is a condition of all global governance, not its antithesis. Rather than lament the existence of fragmentation, efforts should be directed towards shifting conflicting relationships to ones of cooperation and potential synergy. Overarching hierarchical authorities are not always the optimal mode of governance and fragmentation may additionally provide opportunities for regulatory, organisational and technical innovation, and for the civil society engagement that is currently lacking.

It took many years to develop effective frameworks for regulating and prohibiting many different weapons classes. None is perfect but each serves the public good better than its absence. So too with cyberweapons. Their full capabilities have yet to be demonstrated but cyberweapons have the potential to cause substantial harm and damage, maybe even to human life itself. We are witnessing the quiet emergence of a global governance architecture for cyberweapons. It is fragmented and contested but is perhaps more productive than none at all.


Tim Stevens is Teaching Fellow in Politics and International Relations at Royal Holloway, University of London. He is the author of Cyber Security and the Politics of Time (Cambridge University Press, 2016), and tweets at @tcstvns.

Image: Kjetil Korslien CC BY-NC-ND