Why WMD-like treaties are unlikely with cyber

Christopher Painter, coordinator for Cyber Issues at the State Department, told Congress that curtailing the use of “cyber weapons” is complicated because, for one thing, the same tool used to attack can be used to protect networks.

For the U.S. government, curtailing the use of so-called cyber weapons is not akin to treaties banning the use of weapons of mass destruction. In fact, the term itself is ambiguous.

“I don’t know what a cyber weapon is,” Christopher Painter, coordinator for Cyber Issues at the State Department, told lawmakers today. Painter, who appeared in front of a Senate Foreign Relations Subcommittee, explained that the government looks at effects in cyberspace, not the tools per se. 

“A cyber weapon can be dual use … so what we focused on instead of cyber weapons is we looked at effects,” he said. The dual-use issue complicates regulation to some degree because the same cyber tactic could be used to inflict harm or protect a network. With the norms the government has worked to establish in cyberspace, it’s important to look at effects and endpoints, he said. In attacking critical infrastructure, the questions are what the endpoint is and what tool is used, he said, adding that trying to restrict cyber weapons isn’t going to work because technology is changing so rapidly and the dual-use issue could restrict or limit industries and governments that want to protect themselves.

“I think researchers will tell you they use malware…to try to protect our systems,” Painter said.

“I think the correct course is for us… [is] to pursue this idea of what effects we’re trying to control, what are the rules of the road, what are the norms that we want, how does international law apply, how do we communicate with each other…to make sure we have a long term, stable environment in cyberspace…That’s, I think, a more effective route, especially now,” he asserted, adding that compared to the nuclear discussions, we’re really in the infancy of these conversations.

There is concern that some at the highest levels are mischaracterizing cyberspace and trying to analogize it in unrealistic ways. One such example is the use of the term “cyber bomb” by both the secretary and deputy secretary of Defense in reference to the offensive cyber efforts carried out against ISIS. A group of academics recently called for a cessation of this term, writing that “the United States has no such cyber bomb and hyperbolic rhetoric clouds our understanding of the role that cyber assets can play in conflict.” The authors note that cyber is unlike any physical battlefield and “one must understand that ‘cyber’ is really a catch-all term that combines various types of actions that one can undertake in and through digital information and communication technologies (ICTs). Though the vast majority of malicious cyber activities revolve around crime and espionage, war emerges as a dominant metaphor for thinking about cyber conflict.”

Painter addressed this issue in response to how certain international norms surrounding self-defense apply or are triggered by a cyber incident. “An ‘armed attack’ is a specific term that triggers the right to self-defense in a particular way. And even when that threshold is reached, we say sometimes as a country we might decide not to respond,” he said. Furthermore, in cyberspace, “there’s a difference between an attack and an intrusion. An attack and a destructive attack is different than an intrusion and the kind of disruptive effects it has under international law.”

Many have struggled with this terminology in cyberspace as specific actions will typically warrant a specific response. Director of National Intelligence James Clapper and former director of NSA Michael Hayden have both said that, given the chance, they would have executed the equivalent of the Chinese intrusion into the Office of Personnel Management databases that compromised millions of personnel records, saying such action falls under the espionage category. 

“Are we talking about cyber intrusions and incidents in the same manner? If one organization says we’ve had a cyber attack, what does that really mean? Is it an intrusion, is it an attack? What’s the context for that because that has operational implications for us,” Capt. David McAllister, director of Intelligence for the U.S. Transportation Command, said recently.  

Cyber Command Commander Adm. Michael Rogers has also expressed similar concerns. “Terminology and lexicon is very important in this space,” he told the House Intelligence Committee last year. “And many times I’ll hear people throw out ‘attack’ and ‘act of war’ and I go, ‘That’s not necessarily in every case how I would characterize the activity that I see’.”       

As clear red lines are drawn in cyberspace, Painter noted, malicious actors can be incentivized to creep up to the line with the understanding that they won’t risk retaliation. This, Painter said, is not a desirable environment either, adding that the DOD cyber strategy includes strategic ambiguity in this space, which he welcomes.