By Gabriel Molini*
While recent history has been marked by the overhanging threat of a nuclear holocaust, warfare continues to evolve and expand even beyond the deadliest weapons humans have ever created. It is simple to show the horror and damage caused by any potential use of weapons of mass destruction (WMDs), but it is not always as straightforward to assess what could lead to the use of such weapons because, historically, the possible employment of nuclear weapons has been intrinsically linked to an outbreak of conventional warfare. This idea, while still most likely to be attributed to nuclear conflict, is no longer as accurate—nor relevant—as it once was. While nuclear threats remain, technology has created another concern: new weapons that show no respect for borders or flags, existing only in cyberspace, but with physical consequences that have yet to be fully seen. Ambiguity surrounding their use and consequences makes regulating these weapons particularly difficult, but lessons from past WMD regulation successes can help inform the next steps when it comes to responding to cyberweapons.
Like weapons of mass destruction, cyberweapons don’t necessarily target combatants but are created to exploit flaws in both civilian and military operating systems, regardless of whether the systems support non-combatants. Currently, there is no universal definition for “cyberweapons” nor is there a clear procedure for measuring the response from such weapons. The United States has stated via previous Nuclear Posture Reviews that a cyberattack could invite a nuclear response, and NATO Secretary General Jens Stoltenberg has already indicated that a cyberattack could lead to invocation of Article 5 of the NATO charter. This shows a clear chain of possible escalation but it still doesn’t clarify what type of attack would lead to such a response.
Cyberweapons are incredibly malleable and accessible. This versatility and difficulty of attribution make it more difficult for leaders to make decisions as to how to respond to such an attack in a justified and measured manner. Such attacks have already been seen on a smaller scale. As of this writing, there is only one documented case of a death, and it was due to the individual suffering a medical emergency and being rerouted due to the optimal hospital suffering a ransomware attack. Another episode that garnered a great deal of attention was that of the Colonial Gas Pipeline hacking in 2021, a ransomware attack that led to significant fuel distribution issues throughout the Eastern United States for a few weeks. Both were attributed to criminal groups and did not lead to any escalation. When Russia invaded Ukraine in 2022, there was a concern that Russia would launch cyberattacks against Western countries; as of yet, that has not happened.
What would happen if Russia had launched massive cyberattacks? Or if another country does in the future? While immediate escalation to a nuclear response would be unreasonable, there remains deterrent value in underlining that a cyberattack with consequences equally a weapon of mass destruction could lead to such levels of retaliation. The key question then is if it might be possible to develop some set of rules to guide cyber weapons use that would diminish the possibility of the use of such tools and the possible escalation to other weapons of mass destruction. International governments must aggressively work toward crafting guidelines before they are forced to play catch-up in the wake of a state-sponsored attack.
In the past, world governments have worked together to develop international agreements that create rules of war inter alia to avoid civilian losses. There are no international conventions or treaties that specifically oversee the usage of cyberweapons; thus, current international standards overseeing cyber issues are predominantly focused on crimes rather than the military usage of such tools. Despite theoretical academic studies like The Tallinn Manual created as far back as 2013, the idea of how laws for cyberweapons could be applied to nationally sponsored cyberattacks has not yet manifested into international agreements.
A different approach that might be able to generate consensus on the issue of cyberweapons is for the world governments to come to an agreement about the harm that can be caused by widespread access to such weapons. While it will be difficult for an agreement to be made, participating governments could potentially agree on common standards, or de facto export controls that could limit the commercial viability of private enterprises that engage in cyberwarfare. The United States, for example, has already placed the cyber-arms company “NSO Group” on a blacklist that prohibits American consumers from buying its products. “NSO Group” became infamous for its creation of Pegasus spyware, which allowed for any electronic device to be converted into a spy tool. The company had already sold its product to many governments around the world, including both democratic and authoritarian regimes. With the company being placed on a U.S. blacklist, it makes it difficult to gain access to U.S. markets. Were other governments to ban such companies, it would raise the difficulty of doing such business. This program would ideally work in conjunction with telecommunications and internet providers to create monitoring centers that look for cyberwarfare being transmitted through their systems to limit the reach of such attacks. Building trust and cooperation on private enterprises and cyberweapons can offer further options for collaboration in the future.
With the continued development of cyberweapons, it will become more difficult to limit their reach. When such programs gain access to computer systems, it is very difficult to dislodge them. As with the intricate nature of modern-day communications and infrastructure, if such nodes were to be knocked offline, there would most likely be an effect on civilians or non-combatants. Indiscriminate targeting and the difficulties surrounding proper attribution could possibly escalate tensions between states, and the consequences for such tension are heightened if the parties involved are armed with nuclear weapons. That is why international efforts to regulate and control cyberweapons and their effects must become an international priority to avoid escalation in the digital realm with implications in the physical one.
*Editor’s note: Writing for the Center’s new Next Up in Arms Control series, Gabriel Molini is a senior at The Catholic University of America studying Politics and Intelligence. He is originally from San Juan, Puerto Rico. He is an alumnus of the Congressional Bundestag Youth Exchange Program. He can be reached through LinkedIn at Gabriel Molini or at Gabo.email@example.com.