Myth #11: Arms control in cyberspace is not possible.
Myth: Arms control as an essential part of international peace and security-building is not applicable to cyberspace. This domain follows rules that differ strongly from air, sea, land and space. Therefore all established concepts of international security and the lessons learned from other military technologies cannot be applied to the Internet and any attempt to establish an arms control regime for cyber weapons is doomed to fail.
Busted: With Stuxnet, a malware that was targeted at a nuclear facility in Iran and detected in 2010, the international community realized that there are states which use cyberspace as the next domain for intelligence gathering and military purposes. (#10) This raised concerns that states could use cyber weapons to disrupt or destroy IT systems, worries that were confirmed by a 2013 report by the UN Disarmament Research Institute.
International policy-makers started to question how rules of arms control that had been developed over the last decades to restrict the usage and destructive effects of other weaponizable technologies and regulate their production or trade can be made to fit cyberspace. Early normative approaches like the Wassenaar Arrangement, a trade and export treaty, are appropriate for international trust building but limited in their impact on reducing arms races and the escalation potential between conflicting nations. Cyberspace with its characteristics of instantaneity, non-materiality and the possibility to seamlessly copy code and data undermines these approaches. You can see tanks massing at the border; it is much more difficult to see malware being prepared for attacks.
But Internet-based security challenges are critical for the private sector as well. Computer scientists and commercial companies have been developing approaches to fight cyber-weapons targeted at them for a long time. These approaches can be translated to calm the cyber arms race. An example of this is digital goods like songs which are as copyable as anything else in cyberspace. Nevertheless, companies have introduced digital rights management measures. Even if these are not always as effective as intended, this basically is, in arms control terminology, a regulation of proliferation. Other examples are Blockchain mechanisms for digital, tamper proof logs of information, the IPv6 mechanism for a worldwide unique identification of any device in cyberspace or the Border Gateway Protocol that enables data transfer across national IT networks and implements the traditional concept of borders. Many of these approaches, following the dual use logic in a non-traditional way, can be successfully applied to arms control in cyberspace.
Truth: Cyberspace is a human-made domain. While there are no specific cyberarms-oriented regulations or treaties, many approaches developed by computer scientists for ensuring cybersecurity and defending against cyberattacks in the offline world can be applied to cyberspace. Cyberarms control is possible, but it is necessary to go beyond existing normative approaches and sensibly adapt them.
Source: Thomas Reinhold and Christian Reuter, Arms Control and its Applicability to Cyberspace, in Christian Reuter (ed.), Information Technology for Peace and Security (Wiesbaden: Springer, 2019), 207-231