Time for a Cyber NonProliferation Treaty?

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!


The "news" that Russia and other countries is seeking to create a treaty, and potentially an enforcement agency, to prevent, mitigate and control cybercrime and cyberwars is not that new.

Since at least 1995 Russia has attempted to create a formal framework to control and prevent such activity and  is implying that US resistance to such work is a proof that the US encourages and fosters such attacks and crime.

Nothing can be further from the truth.

While it is certainly understood why a government for a country which is not leading in a specific area – for example here – computer technology, would push other states to put a muzzle on their utilization and in such doing, prevent a perceived benefit from being capitalized on, some may not understand what would cause the US to be against such a move.

Allow me to suggest a few reasons why the notion is both ludicrous and abhorrent to a free society.


Firstly, unlike the case when referring to Nuclear and to Chemical nonproliferation, there is nothing to "have" or to "store". In contrast to the need to process, create, and securely store ordnance or dual-use items, where the case is Cyber warfare, any and every computer can be, and sometime is, an "instrument of war". Only in very controlled societies, such as Russia or Iran, can access to computing infrastructure be so restricted as to carefully control who, when, where, and how has access to a desktop.


Secondly, the definition of war is far from being universal. Some innocent action, automatically performed by routers, for example, might be seen as "offensive" while some, clearly suspicious in nature, such as network-mapping may have completely civilian reasons and need.

Thirdly, as is the case with nearly all cyber-activity, national borders have no meaning, or very little meaning, in this regard. Who would be the aggressor if the activity resulted from a server owned by a Danish company, hosted in the US, traveling over Japanese-owned bandwidth, and controlled by a Romanian? What laws of war have been broken here?

Fourthly, and despite the fact I expect a disagreement over this point, there is a lack of a definition of what constitutes an attack. Would 100,000 pings be one attack or 100,000? Would one attack by 50,000 zombies be one action or 50,000? What if those 50,000 were in 12 different countries? What if they were controlled by an individual from the victim country itself? Would that still be "war"?

The next point is something that can be, and indeed has, been defined successfully Russia demands that we would

…ban a country from secretly embedding malicious codes or circuitry that could be later activated from afar in the event of war.

As I said, this is not new. For over forty years, Dr. Colonel Roger Schell (USAF, Retired) has called for the use of more secure (up to A1 classified) systems in order to counter the threat of Subversion. Dr. Schell certainly knows what he is talking about, and has seen instances of other countries sponsoring such subversion activities – in code or hardware – in devices used in the US. For a country such as Russia, and to a lesser extent, the US, reliance on imported circuitry is de rigueur. The only reason that the US is less reliant on such technologies is that the US military has a specific rule disallowing the use of certain items and code in many sensitive systems. While Russia has similar rules, its industrial base has not fully been able to provide 100% answer to the in-county manufacturing of all needed circuitry, so far. This fact has caused Russia, which is certainly top-notch in its mathematical thinking capacity, to be more dependant on circuitry made elsewhere for some of its critical systems – especially those that have dual-use, i.e. not just military, purpose – such as SCADA networks throughout the country.

Russia is indeed speaking out of both sides of its mouth when it argues that the European convention of cybercrime allows investigation into a case without first informing local authorities – while all the while demanding such super-sovereign ideas be included in a global treaty.


Let’s face it. Cyber activity is the reason why 1984 – like scenarios do not work. I am proud to live in a country that understands that the Internet is a Genie which can not be re-bottled.




Leave a Reply

Your email address will not be published. Required fields are marked *