Why a Cybersecurity Treaty Is a Pipedream, and a Better Approach for New Conflict Technologies

Adam Segal and Matthew Waxman, both fellows at the Council on Foreign Relations, write at CNN.com on why the global cybersecurity threat leads many to believe that the only way to address this transnational issue is through a treaty – and why such a treaty is a pipedream.

The hacker – a government, a lone individual, a non-state group – stealing valuable intellectual property or exploring infrastructure control systems could be sitting in Romania, China, or Nigeria, and the assault could transit networks across several continents. Calls are therefore growing for a global treaty to help protect against cyber threats.

As a step in that direction, the British government is convening next week the London Conference on Cyberspace to promote new norms of cybersecurity and the free flow of information via digital networks. International diplomacy like this among states and private stakeholders is important and will bring needed attention to these issues. But the London summit is also likely to expose major fault lines, not consensus, on the hardest and most significant problems. The idea of ultimately negotiating a worldwide, comprehensive cybersecurity treaty is a pipe dream.

Different interests among powerful states – stemming from different strategic priorities, internal politics, public-private relationships and vulnerabilities – will continue to pull them apart on how cyberspace should be used, regulated, and secured. With the United States and European democracies at one end and China and Russia at another, states disagree sharply over such issues as whether international laws of war and self-defense should apply to cyber attacks, the right to block information from citizens, and the roles that private or quasi-private actors should play in Internet governance. Many emerging Internet powers and developing states lie between these poles, while others are choosing sides.

Segal and Waxman point out not only ways in which a treaty regime is almost certainly an instance of utopian international law dreaming that, if anyone actually relies on it, is highly likely to fail.  They go on to present a positive agenda of steps that states can take in order to develop what amount to state practices aimed at consolidating looser norms of state behavior and best practices of states.

‘Treaty regimes’ and ‘state practice norms’ also frame arguments over other new conflict technologies, not just cyber.  Drone based targeted killing is the most obvious example.  When I write, for example, that there are many reasons why drones and targeted killing practices will spread, for reasons that have nothing to do with the US sparking an imagined “arms race” and everything to do with technological transformation in aviation, even many of those who agree with that assessment instinctively reach to treaty mechanisms as the way to regulate their use.

That will likely work out fine in civil aviation and the use of drones.  I’m sure states will eventually incorporate drones in ordinary civil aviation into protocols for air traffic control and transborder use, and might well show up in some form of aviation treaty or international rules.  But it seems to me highly unlikely and indeed counterproductive to pursue treaty mechanisms for their use in armed conflict in its legal sense, or in uses of force that are outside of technical states of armed conflict (such as cross border strikes against terrorist safe havens where no armed conflict is otherwise underway), what I have sometimes clumsily called “intelligence-driven uses of force.”  The common interests are hard to discern, enforcement mechanisms practically non-existent pursuant to the treaty regime, and defection hard to monitor or prove, given the often covert nature of the use.

These treaty negotiating problems are compounded – in drones, cyber, other areas of technology – by the strategic condition that these technologies fundamentally favor the offense at a relatively cheap price, in material terms but also in strategic terms of deniability and covertness.  Technologies that allow discrete strikes from a distance, favoring the offense and with limited ability on defense, and the potential ability to prove devastating particularly in the cyber area – these are conditions that favor states wanting treaties, but quietly developing the technological capabilities to defect at will, with strong deniability.  Not only do the strategic terms of these technologies favor destabilizing offense, in other words, their covert and deniable possibilities favor public treaty negotiations to trap the unwary who take the treaty seriously – while preserving the technological capability of deniable defection from the treaty regime at will.

For these and other reasons, I agree with the thrust of Segal and Waxman’s positive agenda in the cybersecurity area that the preferred approach in all these technology-driven areas is instead for states such as the United States to develop independent state practice, and accompany it by explicit statements as to what it believes the long term normative principles for use are and should be.  The State Department has taken important steps in this direction in Legal Advisor Harold Koh’s statements that any use of force, including (speaking colloquially, not technically) covert action, must meet the threshold conduct standards of necessity, distinction, and proportionality.  That’s an important acknowledgment, often overlooked, about the nature even of covert uses of force.

Or consider Robert Chesney’s recent post at Lawfare on what he shrewdly calls the “Pandora’s Box Critique of Drones,” a critique that encompasses the “arms race” and several other “look-what-the-US-has-unleashed” arguments that have many advocates at this moment.  (Chesney has been engaged in a major study of the integration in US domestic law of Title 10 military operations and Title 50 intelligence community operations.) He remarks on the ways in which the US has been setting out principled limits on both the resort to force with these new technologies and the principles governing their use:

Last, the Pandora’s Box critique.  [Daniel] Swift [writing in Harper’s] argues (once more quoting Alston) that our approach to drone strikes will “come back to haunt the United States,” as more and more countries develop this technology (Swift emphasizes Iran in the concluding line of his paper). While it is always wise to bear in mind such possibilities, I just can’t agree with those who imply that states like Iran, China, and Russia would not develop and deploy armed drone technology without the precedent of the American drone program, nor that these states would refrain from using the technology in certain ways but for the legal positions that the United States has taken. On the latter point, it is important to bear in mind that the U.S. government has never asserted the authority to simply use lethal force wherever in the world al Qaeda members might be found, without respect to the wishes of the host-state in whose territory the al Qaeda members turn out to be. Aside from Iraq, Afghanistan, and Libya, the public record suggests that lethal force has been used in Pakistan, Somalia, and Yemen, and that in each instance the U.S. government either had consent from the host state (private, perhaps, but consent nonetheless) or else was acting in a circumstance in which the host state was unwilling or unable to act. U.S. actions are precedent for nothing more, and nothing less, than this.

Of course, that does not mean that a state like Iran won’t do its best to analogize some future action to the U.S. drone program, in circumstances in which we do not find the analogy persuasive (because we disagree that the host-state is unwilling or unable to act, or more likely, because we disagree that the target of that state’s use of force posed a sufficient threat to justify such an action). Such cases no doubt will arise one day. But I am skeptical that such cases would not arise but for current U.S. drone activities. In any event, the debate should focus much less on the weapons platform involved and far more on the question of which fact patterns are appropriate to justify non-consensual uses of force on the territory of other states.

Many will find these state practice approaches, which make no claim to the status of international law as such, but instead practices informed by and grounded in fundamental international law principles, to lack the presumed international legitimacy of a treaty.  But critics should consider the damage done by a treaty that takes many years to develop, if it ever gets past negotiations – while quite possibly the technology evolves meanwhile into something else not obviously governed by the treaty and its rules.  And then it turns out to have overreached and fails to restrain.  There are legitimacy costs there, too.

Comments are closed.