Arms Control for Cyber
Updated: Feb 21, 2022
OPINION — The Solar Winds cyber-attack in March 2020 that successfully targeted hundreds of U.S. Government agencies and private sector businesses was a wake-up call making clear that something must be done before it’s too late and that a state actor, either acting alone or contracting out to a criminal group, attacked our critical infrastructure, including programs that control the electric grid, air traffic control or water supply.
The Colonial Pipeline ransomware attack in May 2021 and the JBS meat processor ransomware attack in January 2021 were a few of the thousands of ransomware attacks that were reported to the FBI. Indeed, the FBI internet Crime Report of 2020 reported 2,474 attacks in the U.S., with losses of more than $29 million.
According to media reporting, a Russian-affiliated criminal group, Cozy Bear, was responsible for the Solar Winds attack and an East European criminal group, Darkside, was responsible for the Colonial Pipeline attack. Russian cyber criminals reportedly were responsible for the JBS attack.
President Biden made it clear to Russian President Vladimir Putin during their June 2021 meeting in Geneva, that cyber-attacks, to include ransomware attacks by criminal groups in Russia, need to cease and the U.S. President provided Putin with a list of 16 key infrastructure entities that are ‘off-limits’ to Russian cyberattacks.
Defending against these cyber-attacks is a priority of this and former administrations. Ensuring that the perpetrators are held accountable with the threat of sanctions and indictments are logical and necessary responses which, hopefully, will deter future attacks. Unfortunately, however, even with the threat of biting sanctions, these state-sponsored attacks by a growing number of cyber-criminal groups continues to grow.
It’s obvious that more must be done to deter countries from using cyber to attack other countries for economic and political advantage. We have relevant experience with nuclear energy and biological and chemical sciences that could and should be applied to cyber.
The threat of nuclear proliferation was addressed with the establishment of the Nuclear Nonproliferation Treaty (NPT) in 1970. Currently, there are 193 countries, with the initial five nuclear weapons states, that are committed to the peaceful use of nuclear energy and the eventual abolishment of all nuclear weapons. The threat of biological weapons was addressed in 1972, with the establishment of the Biological Weapons Convention, with a membership of 183 countries, which bans all biological and toxin weapons. And the 1994 Chemical Weapons Convention, with a membership of 193 countries, bans all chemical weapons.
We have relevant experience with nuclear energy and biological and chemical sciences that could and should be applied to cyber.
It should now be obvious that cyber, if not used for peaceful purposes, should be viewed as another weapon of mass destruction. The cyber attacks against government and private sector entities and the recent spate of ransomware attacks against critical private sector entities means we must be more proactive and establish international norms that hold countries accountable for their behavior and the behavior of their citizens and criminal groups that are involved in cyber-crimes.
We have rich experience convening conventions that addressed the unlawful and harmful use of nuclear energy and biological and chemical uses that could inflict significant pain and suffering on millions of innocent people. We could and should, do this with cyber.
Given that establishing a new forum to address cyber, in the hope of establishing an international organization that could advocate for the peaceful and beneficial uses of cyber, while prohibiting the harmful uses of cyber, and establishing a process to oversee compliance with these commitments will take time, it’s important that something be done now, as an important interim step.
As we enter into a five year extension of New START arms control negotiations with Russia, there may be value in using this venue to table the issue of cyber to determine if the U.S. and Russia are prepared to discuss the issue in a different forum, but with the vigor that was applied to nuclear weapons, starting with the Strategic Arms Limitation Treaty (SALT)in 1972, followed by the Strategic Arms Reduction Treaty (START) in 1991 and the 2021 five year extension, with the New START Treaty.
Any discussion of cyber and the establishment of a forum to ensure that cyber is used only for peaceful purposes should also include China, given that several cyber intrusions reportedly also emanated from China. Indeed, this could and should be a subject that continues to be discussed directly with China, especially given the 2015 agreement between former President Barack Obama and Chinese President Xi Jinping that neither the U.S. nor China “will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”