World House Student Fellows Policy Project: Arms Control in the 21st Century

By Ariel Smith (SAS, 2017), Itai Barsade (SAS, 2017), Rodrigo Ornelas Vargas (SEAS/W, 2018), Louis Davis (SAS, 2017), and Kathryn Dura (SAS, 2018)


Introduction:

Arms control is meant to “address the logic of a security dilemma,” that is, to stabilize relations between two countries through measures of cost reduction and damage limitation. Historically, arms control agreements have dealt with nuclear, biological, chemical, and conventional weapons, but typically have not accounted for contemporary weapon systems. The key focal point for our research will be cybersecurity. We aspire to contribute research that facilitates norm development in responding to state-sponsored cyberattacks. We will also analyze cases and examine circumstances and variables affecting the prevalence of cyberattacks.  This will help government officials better understand how to think about cross-domain deterrence, as well as potential international agreements to regulate cyber capabilities.


Overview of Previous Arms Control Agreements:

The long history of arms control spans hundreds of years. In the 12th century, the Second Lateran Council banned the use of crossbows against Christians. In 1675, a ban on poison bullets made the Strasbourg Agreement the first treaty on chemical weapons. The industrial revolution led to new developments in military technologies, and a corresponding uptick in arms control agreements. In 1899, Tsar Nicholas convened the First Hague Conference, which sought to limit the development of firearms. After WWI, the Washington Naval Conference imposed maximum quotas on the size and total number of naval ships. Additionally, in 1925, the Geneva Conference banned chemical weapons.

As technology evolved, so too did the content and objectives of arms control agreements. We will examine these agreements through the categories of possession, transfer, and use and discuss the degree to which they are relevant for this research project. While a few of the agreements could be placed into more than one category, for simplicity, they will each be placed into only one.


Possession

First, there are several key treaties dealing with possessing and then testing nuclear weapons. One is the Limited Test Ban Treaty (LTBT) which was created in 1963 to prohibit all nuclear tests except those conducted underground. Overall, it is relatively successful with 123 signatory states though ten have signed but not yet ratified. International policymakers attempted to broaden the idea of LTBT by creating the Comprehensive Nuclear Test Ban Treaty (CTBT) in 1996. It sought to “ban all nuclear explosions.” However, this treaty failed as eight key states including the United States, China, Israel, Iran and others have either not signed or not ratified it. Finally, in 1974, the U.S. and U.S.S.R. signed the Threshold Test Ban Treaty which limited the yield of nuclear weapons to 150 kilotons and was successful.

Biological weapons (BW) and chemical weapons (CW) are two additional classes of weapons of mass destruction (WMDs) for which there are existent arms control treaties. In comparison to nuclear weapons, chemical and biological weapons (CBWs) are much easier to produce and are considered by scholars of international politics, including Dr. Horowitz, as the “poor man’s atomic bomb.” The Biological Weapons Convention (BWC), which entered into force in 1975, was the first non-proliferation regime to eliminate an entire class of WMDs by banning the production and use of offensive biological weapons, while the Chemical Weapons Convention (CWC) of 1997 was the first disarmament treaty to contain both an international institution and verification mechanisms for purposes of prohibiting and monitoring the use and production of a class of weapons, in this case chemical weapons.

Historically, there have also been efforts to regulate the possession of conventional weapons, equipment, and vehicles, with the objective of limiting the destructive impact of arms races. An example of largely ineffective conventional arms control efforts is The First and Second London Naval Treaties (1930s), which sought to limit the growth in naval armaments among world powers at the time (France, UK, USA, Japan, and Italy). Japan and Italy withdrew from the Second Treaty, weakening the benefits of this agreement, and it ended shortly after its inception with the beginning of World War II.

A more effective effort was the Treaty on the Conventional Armed Forces in Europe (1990), which was negotiated and became effective in the last years of the Cold War. It imposed limits on the quantities of conventional military vehicles, weapons, and equipment in Europe, with the goal of establishing military balance between the Warsaw Treaty Organization and NATO. This treaty also mandated the destruction of excess weapons in Europe. It was effective from 1992 until 2007, when Russia completely halted its participation on the grounds that NATO had breached the Treaty.

These arms control agreements regarding possession are a staple for previous weapons but are not easily applicable to cyberattacks. For example, it is relatively easy to regulate the possession of conventional military weapons since, practically speaking, they must be stored somewhere that accommodates their size. However, cyber capabilities are not nearly so visible as relevant software can be created and stored with only a computer. This could offer states plausible deniability which makes regulating computer software challenging.


Transfer

Second, there are a couple key treaties dealing with countries transferring weapons, in these cases nuclear and conventional, to other states. Under non-proliferation treaties, the most successful is the Nuclear Nonproliferation Treaty (NPT) which entered into force in 1970 and continues indefinitely. It recognizes the U.S., Russia, France, Britain, and China as states with nuclear weapons and those non-nuclear states that sign agree to not acquire nuclear weapons and facilitate peaceful uses of nuclear energy. The treaty has 191 state signatories. Along similar lines, there are numerous treaties that create “nuclear-weapon-free zones” which ban the “development, deployment, and use of nuclear weapons.” These include Africa, Southeast Asia, Central Asia, Latin America, and the South Pacific.

A more recent example is the Arms Trade Treaty (2014), which regulates international trade in conventional weapons (including SALW - small arms and light weapons) to promote regional and international peace, as well as reduce human suffering. It has been adopted by the UN General Assembly, ratified by 89 states, and signed by 44. This treaty obligates member states to monitor arms exports and ensure that they do not breach arms embargoes nor are used for terrorism or human-rights abuses. It also requires member states to have standardized regulations for arms imports and exports. While it does not stipulate enforcement mechanisms, it promotes transparency and aims to increase the accountability of violators. Its effectiveness remains to be seen due to its recent nature.

Similar to possession, these arms control agreements regarding transfer are highly applicable for conventional weapons, but not necessarily to cyberattacks. For example, cyber software can be transferred between actors using a flash drive as opposed to the transfer of nuclear weapons which requires serious transportation. Such cyber transmissions are therefore incredibly hard to spot let alone regulate. Nonetheless, without a structured state response to the transmission of cyber intelligence or attack knowledge, states face insurmountable security obstacles. 


Use

Finally, there are several examples of agreements that regulate states using the weapons that they possess. For example, the INF and START agreements did much to tackle what nuclear weapons could be used. The Intermediate-Range Nuclear Forces Treaty (INF) was signed in 1987 between the U.S. and the U.S.S.R. It was significant because it “established an intrusive verification system and…eliminated entire classes of weapons” such as all intermediate-range and shorter-range nuclear-armed ballistic missiles and ground-launched cruise missiles. Similarly, the Strategic Arms Reduction Treaty (START) was signed in 1991 between the Soviet Union and the United States. It limited long-range nuclear forces – land-based intercontinental ballistic missiles, heavy bombers, etc. – and limited both signatories to 1,540 warheads on heavy ICBMs. The verification regime for this treaty involved “data exchanges, notifications, and on-site inspections to gather information about forces and activities” pertinent to the treaty. As such, this intrusiveness and required cooperation demanded by the treaty built confidence and encouraged openness.

These arms control agreements regarding use are the most applicable for both previous weapon systems and cyber. Given that regulating use and transfer for cyber is nearly impossible, the only practical way to create agreements is around use when state capabilities are the most visible. As such, by analyzing arms control agreements that concern use, we hope to understand what has succeeded and failed to establish international norms regarding engagement in cyber warfare and the use of cyberattacks.


Ways Forward:

Since cyberattacks constitute a kind of contemporary weapon, the international community has not yet come up with norms that dictate appropriate responses. Moving forward, our group will develop a sequence of scenarios where cyber warfare is used (e.g. when a private sector business is hacked, when governmental emails are hacked, etc.). Using these scenarios, we will evaluate the optimal course(s) of action for the attacked government. The evaluation will be partially based on the equivalent scenario with more conventional weapons. For example, if a cyberattack caused x amount of monetary damage to a private company, that could be an action equivalent to dropping a bomb on a factory for that company. Therefore, it is necessary to calculate the resulting physical damage, soft power damage, and setback time in order to determine a proportional response. After running the cases and evaluating the damage, our group will create a prescription of retaliatory actions and thus develop a normative framework regarding cyber warfare.


Conclusion:

We are investigating cyber security, and where cyber intrusions fall in types of warfare; this would help us evaluate the magnitude of this type of warfare and (ideally) lay out proportionate response plans. Cyberattacks impact both the public and the private sector; their adverse effects may be merely suspicious or may destroy entire companies and/or governments. As the potential damage from cyberattacks continues to increase with the advancement of computer technology, there is a clear need for precedent both in managing the aftermath of a cyberattack as well as regulating a state’s ability to engage in cyberwarfare. The recent DDOS (Distributed Denial-of-Service) attack of Oct. 21, 2016 was the largest of its kind in history and it was caused by malware that spread to Internet of Things devices and associated automation technologies. These observed vulnerabilities direct our group to examine 1) the history of major Internet breaches; 2) if these breaches happened in the private or public sectors; 3) the responses or lack thereof to these breaches; and 4) a potential strategy for dealing with such breaches moving forward in an increasingly digital era.