Reimagining Cyber Arms Control

What can we learn from the Arms Trade Treaty and the Wassenaar Arrangement for the proliferation of offensive cyber capabilities?

Diving into the complexities of defining cyber weapons, the hurdles in verification, and the conundrums of compliance and enforcement, this case study analyzes cyber accountability from the perspective of conventional arms control. It does so by looking at two instruments: the Arms Trade Treaty and the Wassenaar Arrangement.

This analysis advocates for an approach that regulates behaviors and outcomes rather than technologies, overcoming challenges of shifting definitions and technological development. It suggests updating the concept of “dual use” for digital technologies, acknowledging their peacetime uses and associated human rights concerns.

The case study also proposes a toolbox approach, focusing on specific cyber threats and challenges rather than a single umbrella-type agreement. The author underscores the need for a nuanced understanding of cyber threats, acknowledging the unique challenges posed by the cyber domain.

This case study is part of the recently released report, Advancing Accountability in Cyberspace: Models, Mechanisms, and Multistakeholder Approaches.

Introduction

A healthy debate has existed amongst academics and policymakers for more than a decade on the feasibility of applying traditional arms control and nonproliferation approaches to international cyber security. Some experts posit that there are too many differences for these fields to have any relevance, whereas others have identified specific experiences, principles or frameworks which they view as instructive or even directly applicable for addressing diverse cyber threats. From an accountability perspective, the broad success of many arms control and nonproliferation mechanisms and tools for improving transparency and enhancing cooperation makes them appealing and of interest—whether as a model for possible new instruments in cyber or as mechanisms that might be updated to account for digital technologies.

This chapter presents a simplified overview of the main arguments for and against an arms control approach to international cyber security. This is followed by case studies examining two arms control mechanisms—the Arms Trade Treaty (ATT) and the Wassenaar Arrangement—from which we identify relevant take-aways for cyber.[1]

[1] For a comparison of the two instruments, see Tobia Vestner, Synergies between the Arms Trade Treaty and the Wassenaar Arrangement, Geneva Centre for Security Policy, May 2019.

Cyber, Arms Control, and Nonproliferation

Arms control is traditionally understood as efforts that seek to restrict or control the development, production, stockpiling, proliferation and usage of arms including small arms and light weapons (SALW), dual-use items,[2] and weapons of mass destruction (nuclear, chemical, and biological).[3] Arms control often includes measures that seek to increase the transparency of military capabilities and activities, with the intention of reducing the risk of misinterpretation or improving trust and confidence.

[2] Dual-use items that can be used both for civilian purposes and to produce, maintain or operate conventional, biological, chemical or nuclear weapons.
[3] “Arms control, disarmament and non-proliferation in NATO,” NATO, last updated February 27, 2023, accessed August 21, 2023, https://www.nato.int/cps/en/natohq/topics_48895.html.

Nonproliferation is an aspect of broader arms control efforts. Nonproliferation refers to activities that seek to prevent the spread of weapons and capabilities to new actors. As observed by one group of scholars, “The purpose of nonproliferation regimes includes: minimizing instability; increasing predictability in relations between potentially hostile states; pre-empting the development of new weapons; contributing to conflict management by establishing a framework to enable negotiations among parties, generally fostering a non-hostile atmosphere.”[4]

[4] Barbieri, Christian, Jean-Pierre Darnis, and Polito Carolina, Non-proliferation Regime for Cyber Weapons. A Tentative Study, 2018, p. 2, https://hal.science/hal-03813466.

It is important to underscore that arms control and nonproliferation efforts are regimes composed of formal and informal mechanisms, including legally binding agreements as well as informal trust-building measures and information-sharing, among other activities and agreements. Arms control is “not simply about legally binding, verifiable treaties between states, although these are of course welcome, but rather all measures designed to dampen incentives to begin hostilities, limit the damage if conflict should occur, and that enhance stability.”[5]

[5] Futter, Andrew, “What does cyber arms control look like? Four principles for managing cyber risk,” European Leadership Network, June 2020, accessed November 2023, https://www.europeanleadershipnetwork.org/wp-content/uploads/2020/06/Cyber-arms-control.pdf.

Critics of applying arms control and nonproliferation approaches to cyber security offer a range of arguments and perspectives. Many of these tend to coalesce around some common and often interrelated points, as summarized non-exhaustively below.[6]

[6] Readers are encouraged to review Rheinhold, Pleil and Reuter, “Challenges for Cyber Arms Control: A Qualitative Expert Interview Study,” Zeitschrift für Außen- und Sicherheitspolitik, Vol.16, August 2023, pp. 289–310.

Definitional Challenges

Arms control and nonproliferation are precise and specific in the items they apply to, even those that are dual use. A primary challenge for cyber arms control or nonproliferation efforts has always been the question of what is being controlled. Various efforts to define a “cyber weapon” have been made, but they lack universality.[7] Diverse experts further note that the inherently dual-use nature of ICT tools and of what some consider to be a “cyber weapon” is different from how dual use has been understood and applied within traditional arms control.[8] Others have noted that the subcomponents of a “cyber weapon” could be subject to different legal regulation based on their nature (i.e. some may be dual-use, others inherently military in nature).[9]

[7] See, for example: Thomas Rid and Peter McBurney, “Cyber-weapons,” RUSI Journal, February/March 2012, Vol. 157, No. 1, pp. 6-13, doi 10.1080/03071847.2012.664354; J. Benjamin and M. Haney, “Nonproliferation of Cyber Weapons,” International Conference on Computational Science and Computational Intelligence (CSCI), 2020, pp. 105–108.
[8] Riecke, Lena. “Unmasking the term “dual use” in EU spyware export control,” https://www.universiteitleiden.nl/en/research/research-output/governance-and-global-affairs/unmasking-the-term-dual-use-in-eu-spyware-export-control; Trey Herr and Paul Rosenzweig, “Cyber Weapons and Export Control: Incorporating Dual Use with the PrEP Model,” Journal of National Security Law and Policy, 2016.
[9] Herr, Trey and Paul Rosenzweig, “Cyber Weapons and Export Control: Incorporating Dual Use with the PrEP Model,” Journal of National Security Law and Policy, 2016.

As such, defining cyber weapons is not straightforward “as many weapons of cyber nature may not be weapons unless used in a specific way”.[10] Others have noted the challenges inherent in tracking and controlling items that are virtual, which cannot be destroyed but can be regenerated, or which also may not have universal lethality.[11] Some stress the role that purpose and intention play when trying to determine if an item or tool could be deemed a cyber weapon.[12]

[10] Benjamin, J. and M. Haney, “Nonproliferation of Cyber Weapons,” International Conference on Computational Science and Computational Intelligence (CSCI), 2020, p. 106.
[11] Borghard, Erica D. and Shawn W. Lonergan, “Why Are There No Cyber Arms Control Agreements?” Council on Foreign Relations, January 16, 2018, https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
[12] Rheinhold, Thomas, Helene Pleil and Christian Reuter, “Challenges for Cyber Arms Control: A Qualitative Expert Interview Study,” Zeitschrift für Außen- und Sicherheitspolitik, 9 August 2023, p. 292, https://doi.org/10.1007/s12399-023-00960-w.

Verification

Virtually all commentaries on cyber arms control and/or nonproliferation highlight the central challenge of verification, and relatedly, compliance and enforcement. One source summarizes the cyber verification problem as having “two prongs”. The first is about being able to ascertain the size of a state’s cyber arsenal, per the definitional challenges already described, and the second prong relates to monitoring efforts to ensure future compliance. This second prong is made complicated given that the covert nature of cyber operations[13] generates reluctance among governments to agree to verification methods that “…could expose a state’s own cyber capabilities, but also reveal gaps in its defense.”[14]

[13] Altmann, Jürgen, “Confidence and Security Building Measures for Cyber Forces: IT Applications and Infrastructures in Conflicts, Crises, War, and Peace,” in Information Technology for Peace and Security (pp.185-203), DOI:10.1007/978-3-658-25652-4_9, March 2019.
[14] Dahinden, M., “Can Arms Control and Disarmament contribute to a secure Cyberspace?” ICT4Peace, January 2023, p.9. See also, Erica D. Borghard and Shawn W. Lonergan, “Why Are There No Cyber Arms Control Agreements?” Council on Foreign Relations, January 16, 2018, https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.

Some have identified methods that would serve verification purposes in ways that are mindful of the unique contours of cyber security. While it has not gained widespread political traction, a variety of nongovernmental stakeholders have in recent years explored the possibility of developing a Global Cyber Attribution Consortium composed of nongovernmental experts utilizing a transparent and standardized approach to attribution for cyber operations.[15]

[15] Mueller, Milton, “A Global Cyber-Attribution Organization – Thinking it through,” Georgia Tech: Internet Governance Project, 4 June 2017, https://www.internetgovernance.org/2017/06/04/a-global-cyber-attribution-org/.

Compliance, Enforcement, and Attribution

Following on from the above challenges of verification, there are issues relating to compliance and enforcement of any cyber arms control or nonproliferation agreements, and by extension—attribution, whether technical, legal, or political. As one group of scholars has explained, “Primarily, cyberattacks can be carried out in relative anonymity. The peculiarity of secrecy and plausible deniability of the attack makes it very hard to sanction the states from which the attack has been carried out. Therefore, any constraint in the use of cyber weapons would at least require a solution to the attribution problem. Moreover, malicious software is abundant and extremely difficult to identify and suppress. Therefore, an international agreement on cyber arms control would currently face serious problems with verification and enforcement.”[16]

[16] Barbieri et al., p.21.

Other Factors

The literature also variously touches on other factors, including the diversity of actors in cyber and their respectively varied levels of authority;[17] the rate of technological change and progress; the necessity of political will; and the emphasis placed by some experts on the complementary yet unique role of deterrence, however it is defined or understood in a cyber context.[18]

[17] Meyer, Paul, “Cyber-Security Through Arms Control,” The RUSI Journal, 156:2, 22-27, DOI:10.1080/03071847.2011.576471, p.22.
[18] See, for example, Mette Eilstrup-Sangiovanni, “Why the World Needs an International Cyberwar Convention,” in Philosophy & Technology 31, no. 3, September 1, 2018; Nye, “From bombs to bytes: Can our nuclear history inform our cyber future?” Bulletin of the Atomic Scientists, Volume 69, Issue 5, September/October 2013, p.X; and Robert S. Litwak & Meg King, Arms Control in Cyberspace, Wilson Center, 2015; and Futter, “What does cyber arms control look like?” p.4.

There are also arguments pointing to the utility of applying arms control and/or nonproliferation approaches to the cyber domain. Yet, most proponents are quick to stress that the concepts and agreements themselves cannot be transferred to the cyber domain wholesale. Rather, one could look to particular concepts or frameworks that are instructive, or find value in studying the policy and diplomatic processes leading to the negotiation and adoption of various mechanisms, not least given the politically challenging contexts in which many such mechanisms were forged.[19]

[19] Nye, Joseph, “From bombs to bytes: Can our nuclear history inform our cyber future?” Bulletin of the Atomic Scientists, Volume 69, Issue 5, September/October 2013, p.14.

For example, the potential value of no-first-use policies, de-targeting, confidence building, prohibition on the development of certain hazardous technologies, cooperation for peaceful purposes, and regional arrangements has been examined, with these seen as particularly salient concepts.[20] Several scholars have stressed the potential of confidence-building measures (CBMs), which already exist within certain regions and sub-regions for cyber security purposes.[21] Other relevant experiences from small arms control instruments include learning from national reporting practices, the involvement of civil society and other stakeholders, and the role that different types of instruments and mechanisms can play in achieving particular cyber stability goals.[22] Demilitarized zones are an important aspect of some arms control agreements; it could be worth interrogating whether it is possible to define similar zones or perimeters for cyber that should be excluded from warfare.[23]

[20] Dahinden, “Can Arms Control and Disarmament contribute to a secure Cyberspace?”
[21] Meyer, “Cyber-Security Through Arms Control,” p.25; Erica D. Borghard and Shawn W. Lonergan, “Why Are There No Cyber Arms Control Agreements?”, Council on Foreign Relations, January 16, 2018, https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
[22] Allison Pytlak, “Programming action: observations from small arms control for cyber peace,” Reaching Critical Will, 2021.
[23] Author’s email correspondence with a peer reviewer.

It has been stressed that any form of cyber arms control will likely involve a mixture of formal and informal mechanisms and intermediary steps, and be single-issue and focused rather than broad and general.[24] Cyber arms control could also be approached from a preventive or regulatory perspective.[25] In this vein, some scholars have encouraged an approach that seeks to regulate behaviors and outcomes rather than the technologies themselves, which could help to overcome challenges relating to definitions, dual-use, and ongoing technological development.[26]

[24] Futter, “What does cyber arms control look like?”
[25] Meyer, “Cyber-Security Through Arms Control.”
[26] Rheinhold, Pleil and Reuter, “Challenges for Cyber Arms Control.”

Case Study 1: The Arms Trade Treaty

The international Arms Trade Treaty (ATT) is a legally binding arms control treaty that was adopted by the UN General Assembly (UNGA) in 2013 and entered into force in 2014.[27] It is often considered groundbreaking because of the extent to which human rights and humanitarian concerns are integrated into the obligations that State parties have with regard to controlling the transfer of weapons.

[27] For more on the Arms Trade Treaty, visit https://thearmstradetreaty.org.

The ATT seeks to regulate the international trade in conventional arms by establishing the highest possible common international standards for doing so and thereby seeking to prevent and eradicate the illicit trade and diversion of conventional arms. The Treaty’s text sets out the scope of weapons and items it applies to, as well as obligations for exporters, importers, and transit states. It also contributes to transparency and information exchange through its provisions on reporting.

As of early 2024, the ATT has 113 State parties and 28 signatories (countries that have signed but not yet ratified it) including Singapore and the United States, the latter of which “unsigned” the treaty in 2019. Fifty-four countries remain outside the ATT, including India, Pakistan, Russia, and Saudi Arabia.[28]

[28] “Treaty Status,” Arms Trade Treaty, https://thearmstradetreaty.org/treaty-status.html?templateId=209883.

A core component of the ATT is its risk assessment procedure and related criteria as set out in Articles 6 and 7. Under Article 6, all State parties must consider the potential impact of each arms transfer against specific criteria, such as the existence of an arms embargo or the likelihood that the arms in question would be used in the commission of genocide, crimes against humanity, grave breaches of the Geneva Conventions of 1949, attacks directed against civilian objects or civilians, or other war crimes as defined in international agreements to which it is a Party. Transfers that would contravene the above are prohibited.

Article 7 offers a “second step” of the risk assessment process for items that are not stopped by the considerations of Article 6. Here, the exporting state must consider if the export in question could be used to commit or facilitate a serious violation of international humanitarian law or of international human rights law; or commit or facilitate an act constituting an offence under international conventions or protocols relating to terrorism or transnational organized crime. Notably, there is also a requirement to consider the risk of the arms being used to commit or facilitate serious acts of gender-based violence or serious acts of violence against women and children.[29]

[29] “Treaty Text,” Arms Trade Treaty, https://thearmstradetreaty.org/treaty-text.html?templateId=209884.

Other parts of the Treaty set out guidelines for states that are importing weapons and require importers and exporters to cooperate in sharing information necessary to make the above assessment. It also includes obligations for countries that have weapons transiting through their borders and for brokering activities. Article 11 is devoted to provisions and actions that address concerns around the diversion of arms transfers to illicit markets.

Implementation and Enforcement

The ATT contains no explicit enforcement mechanism. Article 14 (on Enforcement) outlines that “Each State Party shall take appropriate measures to enforce national laws and regulations that implement the provisions of this Treaty.”

The Treaty does, however, have requirements for national reporting, found in Article 13. State parties are obligated to submit two reports: an Initial Report shortly after joining the Treaty, and an Annual Report. The Initial Report helps to provide a snapshot of a state’s arms control policies and practice upon joining the Treaty, whereas the Annual Report includes information “concerning authorized or actual exports and imports of conventional arms covered under Article 2(1) that were made during the preceding calendar year.”[30]

[30] “Reporting Requirements,” Arms Trade Treaty, https://www.thearmstradetreaty.org/reporting.html.

Over time, voluntary templates have been developed for both, and reports are made publicly available—unless otherwise indicated—on the ATT website. Since 2013, the Arms Trade Treaty Baseline Assessment Project (ATT-BAP) at the Stimson Center has supported states in understanding the obligations of the ATT and in promoting effective implementation. ATT-BAP has developed tools to help provide a baseline for assessing progress in implementing the ATT and to enable measurement of the treaty’s impact and long-term effectiveness.[31] These tools are also utilized for identifying state capacity and resource needs, including the identification of critical gaps and available resources to implement the ATT.[32]

[31] https://www.stimson.org/wp-content/files/file-attachments/ATT-BAP-GoodPractice-WEB3.pdf.
[32] The tools include a Ratification Checklist, Implementation Checklist and Assistance Assessment, the ATT-BAP Baseline Assessment Survey, guidance for completing initial and annual reports, and numerous analytical reports.

State parties meet annually for a Conference of States Parties (CSP), and there are often two “preparatory committee” sessions, or PrepComs, held during the intersessional period to prepare for the CSPs. Over time, ATT State parties have established three permanent working groups: on Treaty Universalization; Effective Treaty Implementation; and Transparency and Reporting. Some of these have established further sub-working groups or subsidiary bodies. The Groups meet during the PrepComs and tend to be where more focused documentation or outputs are developed and later tabled for possible endorsement at CSPs.

Over the years the Working Groups have, in this way, been able to produce extensive resources to support the ATT including toolkits and guidelines relating to Treaty interpretation or implementation, incentivizing Treaty universalization, or to aid in meeting reporting requirements. Working Groups are open to the participation of any state as well as nongovernmental organizations and have different approaches for selecting chairpersons to lead their work.

The ATT has a small Secretariat in Geneva, and the Treaty presidency rotates annually. Financial contributions are based on the UN Scale of Assessments and are used to support CSPs and other meetings and core Secretariat functions.[33]

[33] “The ATT Baseline Assessment Project: Identifying Good Practice and Implementation Measures,” The Stimson Center, August 2015. https://thearmstradetreaty.org/hyper-images/file/ATT_Financial%20Rules_EN/ATT_Financial%20Rules_EN.pdf.

How Was the ATT Developed?

The ATT is the product of over a decade of committed advocacy and diplomacy. The idea began with Nobel Peace Laureates, supported by civil society organizations worldwide who were concerned about the unrestricted spread of weapons following the end of the Cold War and their role in fueling conflict, poverty, and human rights abuses.[34] With its focus on the legal trade in conventional weapons, the proposed ATT was a complement to earlier instruments that targeted illicit trafficking in conventional arms, notably the 2001 UN Programme of Action on small arms and light weapons.

[34] “Why we need a global Arms Trade Treaty,” Oxfam International, https://www.oxfam.org/en/why-we-need-global-arms-trade-treaty.

A 2006 civil society-led “Million Faces” petition contributed to the start of a diplomatic process inside the United Nations (UN). In 2009, the UNGA launched a time frame for the negotiation of the ATT. This included one preparatory meeting in 2010, two in 2011, and a negotiating conference in 2012.

The four-week long negotiating conference produced a draft treaty text but failed to adopt a treaty by consensus after the United States, Russia, and a few other states blocked adoption. A mandate was obtained via the UNGA to hold a Final Conference in March 2013.

Negotiations continued over particular provisions and treaty language, some of which generated so-called “loopholes” in the treaty’s text.[35] Unfortunately, consensus was also blocked in the final hours of the Final Conference. Many member states from diverse global regions moved to take the draft treaty to the General Assembly to be adopted by a vote. This vote occurred on 2 April 2013, when the Treaty was finally adopted by a vote of 154 in favor, 3 against, and 23 abstentions.

[35] Some of the more contentious issues included the Treaty’s scope, in particular whether to include ammunition; imprecise terminology, including around legal principles and too low of a threshold for prohibitions; and exemptions for defence cooperation. For more see, “Finishing the job: Delivering a bullet-proof ATT,” Oxfam International, https://www.oxfam.de/system/files/finishingthejob-1-_format.pdf and Whall, et al., “GETTING IT RIGHT The pieces that matter for the Arms Trade Treaty,” (Oxford: Oxfam GB, March 2013), https://controlarms.org/wp-content/uploads/2018/03/bp169-getting-it-right-arms-trade-treaty-120313-en1.pdf.

As with any multilateral instrument, the negotiations were complex and hard-fought; certain proposals that may have enjoyed high levels of support at one stage of the process were lost or modified along the way. Any legal mechanism or framework is ultimately a product of compromise and lands where negotiators can find sufficient middle ground.

As noted above, the role of nongovernmental stakeholders throughout the treaty process was significant.[36] While many of these groups came from civil society, including survivors of armed violence, arms industry representatives and investors also attended or contributed to the treaty’s development. It is also noteworthy that there was strong opposition to the ATT from pro-gun groups in the United States, who tried to frame the agreement as counter to U.S. gun ownership rights.

[36] Bolton, Matthew, et al., “The Arms Trade Treaty from a Global Civil Society Perspective: Introducing Global Policy’s Special Section,” Global Policy, 2014, 5. 10.1111/1758-5899.12171. https://www.researchgate.net/publication/266621561_The_Arms_Trade_Treaty_from_a_Global_Civil_Society_Perspective_Introducing_Global_Policy’s_Special_Section.

Impact and Effectiveness

Views on the impact of the ATT and its implementation are mixed. In general, the overall record of implementation has been found to be lacking. Critics, mainly but not exclusively from civil society, have pointed out that some State parties continue to transfer arms to recipients that are likely to use them in violations of human rights and IHL, or that it has served to facilitate the trade in arms rather than prevent harmful transfers and that there are no consequences for perceived violations.[37]

[37] “Dealing in Double Standards: How Arms Sales to Saudi Arabia are Causing Human Suffering in Yemen,” ATT Monitor, 2016, https://attmonitor.org/en/arms-transfers-to-saudi-arabia/; and “Violating the Arms Trade Treaty: Arms Exports to Saudi Arabia and the Humanitarian Crisis in Yemen,” PRIF, January 2018, https://www.jstor.org/stable/resrep14282.

Russia and other major exporters remain outside the Treaty. The United States signed but did not ratify the ATT; former President Trump tried to “un-sign” the U.S. from the agreement in 2019.[38]

[38] Stohl, Rachel, “Why is the Biden Administration Still Silent on Arms Trade Treaty?” The Stimson Center, 27 April 2022, https://www.stimson.org/2022/why-is-the-biden-administration-still-silent-on-arms-trade-treaty/.

Like many other multilateral arms control and disarmament instruments, the ATT is experiencing financial challenges due to membership dues that are in arrears. Concerns have also been raised about the status of Treaty reporting, which has declined in recent years, and about more State parties choosing to keep their reports private.[39]

[39] “Looking Back to Move Forward: Evaluating Five Years of ATT Annual Reporting,” ATT Monitor, 2021, https://attmonitor.org/en/looking-back-to-move-forward/.

Positively, the Treaty enshrines in international law the relationship between human rights and the negative impact that international arms flows can have. In particular, its provision on gender-based violence (GBV) is considered groundbreaking as it requires State parties to consider the probability of the arms in question being used to commit or facilitate GBV, or serious acts of violence against women and children.

The ATT has also created a single standard of practice for the international community. Prior to the ATT, arms export (and import) policies were governed by a patchwork of unilateral, bilateral, and regional agreements and policies; this created legal loopholes that facilitated illicit arms trading and diversion to illicit markets. While the ATT is not yet fully universal, high levels of cross-regional membership have helped to “level the playing field” and set more common policies and practice, which in turn have closed some of the pre-existing loopholes and grey areas that existed as a result of the patchwork approach to regulation.

The Treaty’s implementation has also fostered a community of experts from within and outside governments who convene regularly to discuss and assess issues of international arms trading. The volume of toolkits, guidelines, model legislation, workshops and other resources that have been produced since the Treaty’s entry into force is not insignificant and has gone a long way to foster greater cooperation and understanding about international arms flows and has contributed to national-level measures such as the establishment of control lists, policies, and more.

A voluntary trust fund mandated by the Treaty supports countries with treaty implementation.[40] It has supported 83 projects since 2016. Implementation assistance covers a range of activities from procurement and training in firearms marking, to helping develop legislation or national control lists. The ATT International Assistance Database is a secure web-based platform that enables states to submit requests and offers for assistance for Treaty implementation on a voluntary basis.[41]

[40] “Voluntary Trust Fund (VTF),” Arms Trade Treaty, https://thearmstradetreaty.org/voluntary.html.
[41] “The ATT Needs and Resources Matching Database,” Arms Trade Treaty, https://database.thearmstradetreaty.org/.

Relevance to Cyber

Recognizing that the ATT is a legally binding instrument—an unlikely scenario in the cyber context at present—it nonetheless offers experiences and practice that can be instructive for advancing cyber accountability.

The negative impact of some cyber and digital tools on human rights is increasingly well-documented and attracting attention from policymakers.[42] As such, the experience of the international community, working together with legal, technical and subject matter experts to develop common criteria for the Treaty’s risk assessment process rooted in human rights and IHL, is instructive for efforts to limit cyber surveillance or intrusion software, or to regulate the activities of those who produce and distribute such items. This may also be instructive for parsing out differences between irresponsible, illegitimate, and illegal. The central role of human rights, international human rights law (IHRL), and international humanitarian law (IHL) is deeply relevant for those who want to see more rigorous application of relevant cyber norms and legal principles within the cyber security field and demonstrates that international security and human rights considerations can be integrated within policy frameworks.

[42] The United States blacklisted NSO Group in 2021, a notorious producer of surveillance software, or spyware. Also in 2021, the European Union (EU) amended its regulatory framework on export control, the Dual-Use Regulation. The Regulation contains a new category, “cyber-surveillance items”, for which a new regulatory framework applies. In this new framework, human rights considerations play an important role. In 2023, the US released an executive order prohibiting the government from using commercial spyware that poses risks to national security. This issue is also being taken up through the Pall Mall Process, launched in early 2024.

The ATT is also important for harmonizing what had previously been a patchwork-style approach to international arms transfers, comprised of various regional treaties and differing national practice. This is similar to the function that UN Security Council resolution 1540 played for dual-use items that can be used for the production, development, or delivery of weapons of mass destruction. Patchwork approaches sometimes inadvertently create loopholes or incompatibilities between instruments, which become exploitable. This makes it important to harmonize and clarify obligations and responsibilities. That said, there is always a risk that “leveling the playing field” will water down high standards to a lower common denominator.[43]

[43] Feldstein, Steven and Brian (Chun Hey) Kot, “Why Does the Global Spyware Industry Continue to Thrive? Trends, Explanations, and Responses” Carnegie, 14 March 2023, https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229; and “Global: ‘Predator Files’ investigation reveals catastrophic failure to regulate surveillance trade,” Amnesty International, 5 October 2023, https://securitylab.amnesty.org/latest/2023/10/global-predator-files-investigation-reveals-catastrophic-failure-to-regulate-surveillance-trade/.

While the ATT does include a scope of physical items that the treaty applies to, it also has a heavy focus on regulating behavior and activities, and the role of diverse non-state actors including brokers, those engaged in transit and transshipment activities, among others. A focus on behavior rather than on items or “cyber weapons” is a recommendation that has come through from diverse cyber arms control experts, as outlined in the introduction. Even then, more clarity would be needed as to what constitutes a cyber weapon in order to introduce controls: capacities for offensive cyber warfare (computer network attacks), espionage operations (computer network exploitations), information operations, or the use of cyber technologies that are primarily a threat to human rights?

Finally, on a functional level, there are also lessons to be drawn from activities relating to the ATT approach to working groups and reporting initiatives. The working group format, which is open to nongovernmental stakeholders, may be particularly useful for the UN OEWG or a future Cyber Programme of Action. Likewise, the experience of reporting templates, and in particular Stimson’s contribution through the Baseline Assessment Survey, is instructive for UN-based activities such as surveys of national implementation or interest in monitoring norms operationalization.

Case Study 2: The Wassenaar Arrangement

The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, or Wassenaar Arrangement (WA), is a voluntary export regime established in July 1996. It is the successor to the Coordinating Committee for Multilateral Export Controls (COCOM), which was created to restrict exports of conventional arms to the former Soviet Union and Eastern bloc.

According to its founding document (note 44: “Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, WA-DOC (19) PUB 007, December 2019, https://www.wassenaar.org/app/uploads/2021/12/Public-Docs-Vol-I-Founding-Documents.pdf), the WA was:

…established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. Participating States will seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals and are not diverted to support such capabilities.

The founding document also stresses that the WA seeks to complement and reinforce the export control regimes for weapons of mass destruction and their delivery systems; is not directed against any state or group of states; and uses export controls to combat terrorism.

Participation in the WA requires that states be producers and exporters and implement national export control laws that prohibit the sale of arms or sensitive dual-use goods to areas of concern. In line with its mandate, Wassenaar Members are expected to behave in accordance with international nonproliferation norms and standards such as the Nuclear Nonproliferation Treaty (NPT), the Missile Technology Control Regime (MTCR), the Chemical Weapons Convention (CWC), and the UN Register of Conventional Arms (note 45: “The Wassenaar Arrangement,” Center for Arms Control and Non-Proliferation, https://armscontrolcenter.org/wp-content/uploads/2023/03/Wassenaar-Arrangement-Fact-Sheet.pdf). There are presently 42 Participating States, 33 of which are founding members (note 46: “About Us,” The Wassenaar Arrangement, https://www.wassenaar.org/about-us/#faq).

How Does It Work?

The WA is comprised of two types of control lists: a munitions list for conventional weapons; and a list of Dual-Use Goods and Technologies. This second list is further divided into nine categories as well as a “Sensitive List” and “Very Sensitive” list (note 47: Ibid.). The WA operates via agreement among Participating States that they will control exports and retransfers of items contained on these lists, through national legislation which is guided by agreed Best Practices, Guidelines or Elements (note 48: These are available at “Best Practices and Guidelines,” The Wassenaar Arrangement, https://www.wassenaar.org/best-practices/). Members also agree to report on transfers and denials of specified controlled items to destinations outside of the Arrangement, and to exchange information about sensitive dual-use goods and technologies (note 49: “The Wassenaar Arrangement,” Center for Arms Control and Non-Proliferation).

The Arrangement does not prohibit a participating country from making an export to a particular destination that has been denied by another participant, but participants are required to notify other participants within 60 days, and preferably within 30 days, after they approve a license for an export of sensitive dual-use goods that are essentially identical to those that have been denied by another participant during the previous three years (note 50: “The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, January 2006, p.6, https://inecip.org/wp-content/uploads/Acuerdo-Wassenaar.pdf). This has the potential to aid in accountability by improving transparency, provided that states follow through on the requirement.

Representatives of Participating States meet regularly in Vienna, which is where the headquarters and secretariat are based. The Plenary is the decision-making body of the Arrangement; it is composed of representatives of all Participating States and meets annually. The Plenary Chair position is subject to annual rotation and all decisions are taken by consensus. Subsidiary bodies are established for the preparation of recommendations for Plenary decisions, and ad hoc meetings are called for consultations on issues related to the functioning of the Wassenaar Arrangement. Participating States also identify “Vienna Points of Contact (VPOC)” who are called for periodic meetings by the Plenary Chair to facilitate intersessional information flow and communications between and among Participating States and the Secretariat.

The Arrangement does not contain any specific enforcement mechanisms, in that Participating States do not have access to tools by which they can compel their peers to conform to export control arrangements.

Historical Development

The establishment of the WA is closely interwoven with modern political history and geopolitics, specifically the end of the Cold War. The WA’s evolution, notably in relation to decisions and procedures around membership, scope, and enforcement likewise affects dynamics and tensions amongst members in the present day.

For four decades, the primary international organization for coordinating restrictions on dual-use exports among western states was the Coordinating Committee For Multilateral Export Controls (COCOM) which was first established in 1949. The focus of COCOM was to control exports to the Soviet Union, Warsaw Pact states, and from 1957 onwards, China. COCOM’s membership included 17 countries, including all members of NATO (except Iceland), Japan and Australia. Notably, it operated on the basis of consensus (interpreted as unanimity) and functioned without any legal basis or authorization. The practice of consensus effectively gave any Participating State a veto over the export of a controlled good or technology by any other Participating State to the Soviet Union, a Warsaw Pact state or after 1957, China (note 51: See White House statement made on February 17, 1995, in CRS Report 95-639, Conventional Arms Transfers: President Clinton’s Policy Directive, by [author name scrubbed] (pdf), pp. 8-10).

COCOM was disbanded in 1993 and its members agreed to replace it with a new entity and move to a model of “national discretion” in arms export control, in which no state could veto the export decisions of another. Efforts to create a replacement entity were driven largely by the United States in the context of its other efforts at the time around promoting policies of “multilateral restraint” in the area of arms exports (note 52: Ibid.). The newly established WA had a wider and more heterogeneous membership than COCOM had and was also different in not naming explicit targets and in including conventional weapons. The emphasis on “national discretion” meant that there is not a centralized body or entity responsible for overseeing if Participating States are acting in conformity with the WA or playing a role in deciding about arms transfers. In 2000, the plenary adopted a set of Best Practices for effective enforcement, in the areas of preventive measures, investigations, effective penalties, and information exchange (note 53: “Best Practices for Effective Enforcement,” The Wassenaar Arrangement, 1 December 2000, https://www.wassenaar.org/app/uploads/2016/01/05Best-Practices-for-Effective-Enforcement.pdf).

Impact and Effectiveness

There are different views on the impact and effectiveness of the Wassenaar Arrangement. Many see its value as a cornerstone of the modern arms export control regime, in which context it has facilitated or enabled the development of other agreements and frameworks, or aided with confidence-building, information exchange and transparency efforts.

Yet the potential benefits are undermined by the limitations of its membership, in that non-Participating States do not have access to reports. The absence of significant arms exporters such as China and Israel has also been cited as a limitation (note 54: “The Wassenaar Arrangement,” Center for Arms Control and Non-Proliferation, https://armscontrolcenter.org/wp-content/uploads/2023/03/Wassenaar-Arrangement-Fact-Sheet.pdf), although Israel has put in place legislation which adopts all Wassenaar controls automatically (note 55: Rosenblatt, Daniel, “Israel’s Civilian Dual-Use Export Control List for 2021,” Lexology, 3 January 2021, https://www.lexology.com/library/detail.aspx?g=daeb1913-4702-4e5f-bb45-35ba170d621d).

Membership has had implications for other aspects of the WA’s implementation. While broader than COCOM, most members are Western developed countries, causing some non-Western states to view the WA negatively, and as an exclusive club or as an extension of Western (notably US) approaches and practices to arms export control (note 56: Ruohonen, Jukka and Kai Kimppa, “Updating the Wassenaar Debate Once Again: Surveillance, Intrusion Software, and Ambiguity,” (2019), p.6). Yet even amongst the membership there are different views on core issues such as the instrument’s scope or about which recipient countries can be deemed “states of concern”. For example, the United States has sought to target particular countries, such as Iran, Iraq, Libya, and North Korea, but others have supported the Wassenaar Arrangement’s “impartiality” on this issue (note 57: See White House statement made on February 17, 1995, in CRS Report 95-639, Conventional Arms Transfers: President Clinton’s Policy Directive, by [author name scrubbed] (pdf), pp. 8-10). As currently constructed, Wassenaar “will not, however, be directed against any state or group of states; impede bona fide civil transactions; nor interfere with the rights of states to acquire legitimate means with which to defend themselves.” (Note 58: “Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, WA-DOC (19) PUB 007, December 2019, https://www.wassenaar.org/app/uploads/2021/12/Public-Docs-Vol-I-Founding-Documents.pdf.)

Russian membership has been controversial and has many implications for consensus-based decision making within the WA, as in all other multilateral fora. Some note that Russian participation has allowed the international community to have some transparency on Russian export activity, but there has not been a corresponding change in decision-making as concerns Russian approval of exports to unstable regions. Since 2022, the issue of Russia blocking proposals for new control list items has become more of an issue. The U.S. stated that Russia had blocked proposals relating to the controls of quantum technologies and the Netherlands reportedly held back on a proposal for new controls of semi-conductor manufacturing equipment given the low likelihood of consensus in the WA right now (note 59: See “CSET to host Under Secretary of Commerce Alan Estevez,” CSET, filmed December 2022, 1:04:20 to 1:04:54, https://www.youtube.com/watch?v=WClaOr4wZMMDesp; and “Arms Export Policy,” House of Representatives of the States General of the Netherlands, 8 March 2023, https://www-tweedekamer-nl.translate.goog/kamerstukken/brieven_regering/detail?id=2023Z04037&did=2023D09406&_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp).

One empirical study of arms import data has shown that the WA has had a limited impact on preventing “destabilizing accumulations” of conventional weapons and no clear evidence of a shift in arms trade because of the regime’s formation (note 60: Lewis, Austin, “The Effectiveness of the Wassenaar Arrangement as the Non-Proliferation Regime for Conventional Weapons,” (PhD diss., Stanford University, 2015), https://stacks.stanford.edu/file/druid:mz349xm4602/The%20Effectiveness%20of%20the%20Wassenaar%20Arrangement%20as%20the%20Non-proliferation%20Regime%20for%20Conventional%20Weapons%20-%20Austin%20Lewis.pdf). Unlike the ATT, decisions about export control under WA do not consider potential human rights violations; national security considerations form the basis.

Relevance to Cyber

In recent years, the WA has adapted to technological change by expanding the scope of its control lists in ways that have drawn attention to the instrument from within the cyber community. Some trace this back to initiatives within the WA undertaken during the late 1990s and early 2000s in relation to adding encryption techniques and technologies (note 61: Ruohonen and Kimppa, pp. 7-8; “Overview per Country,” Crypto Law Survey, http://www.cryptolaw.org/cls2.htm). This prompted the international cyber security community to focus increasingly on the WA’s potential application to dual-use information and communication technology, perhaps more than other arms export control mechanisms. As such, the ability of the WA to foster greater accountability or transparency within the cyber domain is already being evaluated in real-time.

The way in which the early efforts on expanding the WA to include encryption unfolded influenced how the technology sector would view later efforts concerning other technologies and the move to a “cyber arms control” approach. It also ushered in an era of greater involvement within the work of the WA from nongovernmental stakeholders including cyber security professionals, lawyers, academics and activists (note 62: Ruohonen and Kimppa).

In 2010, revelations about the use of digital surveillance technologies by oppressive governments prompted the EU and U.S. to consider steps that would seek to restrict their proliferation. Several of the firms producing such technologies were based in European countries, and had been exporting their products to, among other clients, governments with poor human rights records; in some instances, such products were directly linked to the repression of journalists and activists.

In 2013, France and the United Kingdom took initiative to introduce the first significant amendment to the WA to adopt a set of controls that would cover certain surveillance and intrusion tools, notably IP surveillance systems and intrusion software (note 63: Korzak, Elaine, “Export Controls: The Wassenaar experience and its lessons for international regulation of cyber tools,” in Routledge Handbook of International Cybersecurity, ed. (2020), https://www.taylorfrancis.com/chapters/edit/10.4324/9781351038904-31/export-controls-elaine-korzak). As described in the 2013 plenary statement:

New export controls were agreed in a number of areas including surveillance and law enforcement/intelligence gathering tools and Internet Protocol (IP) network surveillance systems or equipment, which, under certain conditions, may be detrimental to international and regional security and stability. Participating States also further clarified existing controls in respect of inertial measurement equipment or systems and relaxed some controls such as for instrumentation tape recorders and digital computers. (Note 64: “Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, December 2022, p 47, https://www.wassenaar.org/app/uploads/2022/12/Public-Docs-Vol-IV-Background-Docs-and-Plenary-related-and-other-Statements-Dec.-2022.pdf.)

IP surveillance systems were added to the part of the Dual-use List that covers the category of “Telecommunications” in a way that set out various conditions in order to determine if the different aspects of a system in question fall under the control list. Intrusion software was included within the “Computers” section of the Dual-Use List (note 65: Korzak, “Export Controls”). The provision covered components used to generate, install, or control intrusion software—rather than intrusion software itself—in an effort to target the producers rather than targeted individuals who may end up with the components on their devices (Bohnenberger, Fabian, “Proliferation of CyberSurveillance Technologies: Challenges and Prospects for Strengthened Export Controls,” Strategic Trade Review, Volume 3, Issue 4, Spring 2017, pp. 81–102, http://www.str.ulg.ac.be/wp-content/uploads/2017/04/The-Proliferation-of-Cyber-Surveillance-Technologies-Challenges-and-Prospects-for-Strengthened-Export-Controls.pdf). As a result of these and other related changes to WA, companies developing and selling these types of tools from within Wassenaar countries must now apply for a license from their governments before exporting their products abroad.

In 2015, U.S. efforts to implement the 2013 amendment nationally caught the attention of cyber security professionals. Cyber companies and other civil society actors have raised a variety of concerns over the amendment’s content, as well as about ensuing actions taken within the United States domestically and later developments in the Wassenaar Arrangement (note 66: See, for example: Stevenson, Alastair, “A tiny change to this obscure arms dealing agreement could kill the cyber security industry,” Business Insider, 22 July 2015, https://www.businessinsider.com/the-wassenaar-arrangement-cyber-weapons-proposal-will-kill-international-security-research-2015-7; and Zetter, Kim, “Why an Arms Control Pact Has Security Experts Up in Arms,” Wired, 24 June 2015, https://www.wired.com/2015/06/arms-control-pact-security-experts-arms/). In brief, one big concern was that the definition of the software being controlled was overly broad and vague, and thus would potentially encompass many legitimate security tools, such as those used for penetration-testing and some security research. There was some pushback on exemptions to penetration testing tools within software controls. Vulnerability disclosures were also a concern because the U.S. indicated it might use intrusion software controls to regulate the trade in zero days. So were the implications of this for other states, as well as for international collaboration on identifying and reporting vulnerabilities (note 67: Bromley, Mark, “Export Controls, Human Security and Cyber-Surveillance Technology: Examining the Proposed Changes to the EU Dual-use Regulation,” SIPRI, 2017, pp. 10-11, https://www.nonproliferation.eu/wp-content/uploads/2019/11/sipri1712_bromley.pdf).

Some of these controversies were due to insufficient engagement with technical experts—notably security researchers—and potentially due to confusion or lack of adequate communication and coordination between the different U.S. government departments involved in international talks versus those tasked with implementing the WA decision domestically.

The concern over what technologies would be subject to export controls united a diverse set of nongovernmental cyber security experts and practitioners, ranging from human rights groups to tech companies and security researchers, in an effort to motivate the U.S. government to push for changes within the WA. This was accomplished in 2016 and 2017 via a series of exemptions that are based on the intent of the user (i.e., for vulnerability disclosures and cyber incident response) and work to clarify definitions and understandings around terminology (note 68: Moussouris, Katie, “Serious progress made on the Wassenaar Arrangement for global cybersecurity,” The Hill, 17 December 2017, https://thehill.com/opinion/cybersecurity/365352-serious-progress-made-on-the-wassenaar-arrangement-for-global/).

In early 2024, Switzerland proposed controls on another cyber-surveillance tool in the Wassenaar list, but experts feel it is not certain to be adopted given the divisions among members described earlier (note 69: Bromley, Mark, “Export controls and cyber-surveillance tools: Five suggestions for the Summit for Democracy,” SIPRI, 8 March 2024, https://www.sipri.org/commentary/2024/export-controls-cyber-surveillance-summit-democracy).

Ongoing activity within the WA makes it somewhat challenging to evaluate the instrument for lessons learned for cyber accountability on its own merit as an export control instrument and not in relation to cyber and ICT-related debates within WA. Moreover, export control is not universally viewed as the best vehicle for slowing the spread of ‘cyber weapons’ or continuous technological development, given the numerous ways that these ‘items’ can be exchanged, and in ways far more challenging to track than conventional weapons.

That said, the experience of trying to update an arms export control instrument for a digital context provides important insights and observations that are relevant both for efforts within the WA as well as for the pursuit of other export-based avenues and frameworks, should they emerge. Calls to curtail the sale and transfer of commercial spyware and, relatedly, cyber mercenaries (understood here as firms developing and selling such spyware) are growing in urgency.

This might be an instance where leveraging the WA to enhance cyber accountability is a road to keep traveling down, but bearing in mind the lessons learned from past efforts. It helps bring into focus the importance of determining whether to attempt to control an item or a technology, or rather to set controls for state behavior and decision-making processes. Within that, the question of intent becomes critical. (Note 70: An illustrative corollary comes from the Biological and Toxin Weapons Convention, which forbids research into the development of biological weapons but allows research for “protective purposes”. A program to develop a biological warfare agent is practically identical with research on protection yet the difference is the intention behind it, which cannot be verified by existing arms control verification instruments.) The practice of agreeing to report on transfers and denials of specified controlled items and to exchange information about sensitive dual-use goods and technologies is a boost to transparency and accountability, even if it occurs within the non-universal confines of WA membership. Continuing to discuss and debate how to develop export control models for cyber and digital tools does have merit, as it helps to unpack and examine fundamental aspects of the cyber environment, and coordination amongst actors therein (note 71: Herr and Rosenzweig, “Cyber Weapons and Export Control”).

There are also lessons to be taken about the importance of engaging with nongovernmental stakeholders and experts and about the diverse ways in which international policy making can impact national policies and practice.

Key Takeaways and Recommendations

Building on both case studies and broader literature review of cyber arms control, we offer the following takeaways and recommendations for applying an arms control and nonproliferation approach to cyber:

1. An approach which seeks to regulate behaviors and outcomes rather than technologies is more likely to overcome challenges relating to shifting definitions and ongoing technological development.

Additionally, and in the context of export control, updating and adapting the concept of “dual use” for digital technologies to make the term applicable to a broader scope of items is worth exploring. As some research notes (note 72: Riecke, “Unmasking the term “dual use” in EU spyware export control”), it would be more relevant and effective to approach duality from a starting point which acknowledges that many technologies are used in peacetime rather than in conflict and thus generate human rights concerns that have historically been beyond the purview of the dual use dichotomy.

2. The toolbox approach of formal and informal mechanisms and mini regimes will enable policy and regulatory responses that are more focused on specific cyber threats and challenges than pursuing a single umbrella-type agreement.

As demonstrated by arms control and nonproliferation, there are a range of tools and mechanisms that can co-exist alongside formal mechanisms, including reporting, best practice exchanges, the production of guidelines, establishing working groups within broader forums, and confidence and trust-building measures. The toolbox might also include criminal law standards leading to prohibitive punishment. Yet, and as demonstrated by the case studies, a lack of compliance incentives will be problematic and reduce effectiveness of any instrument or tool. To be meaningful and effective, cyber accountability mechanisms should consider how to incentivize compliance or participation.

3. Robust involvement of a diversity of nongovernmental stakeholders is crucial for success. While this is an already widely known truth for many in cyber diplomacy or policymaking, there is also pushback and resistance to involving civil society or industry. The role of these and other types of stakeholders in the case studies presented here demonstrates the role these actors played in ensuring that the mechanisms in question aligned with real-world use of the items or technology in question or responded to real-world concerns. Yet, states must also be involved in, and assume their own responsibility for, malicious cyber activity.

Notes

  • 1
    For a comparison of the two instruments, see Tobia Vestner, Synergies between the Arms Trade Treaty and the Wassenaar Arrangement, Geneva Centre for Security Policy, May 2019.
  • 2
    Dual-use items that can be used both for civilian purposes and to produce, maintain or operate conventional, biological, chemical or nuclear weapons.
  • 3
    “Arms control, disarmament and non-proliferation in NATO,” NATO, last updated February 27, 2023, accessed August 21, 2023, https://www.nato.int/cps/en/natohq/topics_48895.html.
  • 4
    Barbieri, Christian, Jean-Pierre Darnis, and Polito Carolina, Non-proliferation Regime for Cyber Weapons. A Tentative Study, 2018, p. 2, https://hal.science/hal-03813466.
  • 5
    Futter, Andrew, “What does cyber arms control look like? Four principles for managing cyber risk,” European Leadership Network, June 2020, accessed November 2023, https://www.europeanleadershipnetwork.org/wp-content/uploads/2020/06/Cyber-arms-control.pdf.
  • 6
    Readers are encouraged to review Rheinhold, Pleil and Reuter, “Challenges for Cyber Arms Control: A Qualitative Expert Interview Study,” Zeitschrift für Außen- und Sicherheitspolitik, Vol.16, August 2023, pp. 289–310.
  • 7
    See, for example: Thomas Rid and Peter McBurney, “Cyber-weapons,” RUSI Journal, February/March 2012, Vol. 157, No. 1, pp. 6-13, doi 10.1080/03071847.2012.664354; J. Benjamin and M. Haney, “Nonproliferation of Cyber Weapons,” International Conference on Computational Science and Computational Intelligence (CSCI), 2020, pp. 105–108.
  • 8
    Riecke, Lena. “Unmasking the term “dual use” in EU spyware export control,” https://www.universiteitleiden.nl/en/research/research-output/governance-and-global-affairs/unmasking-the-term-dual-use-in-eu-spyware-export-control; Trey Herr and Paul Rosenzweig, “Cyber Weapons and Export Control: Incorporating Dual Use with the PrEP Model,” Journal of National Security Law and Policy, 2016.
  • 9
    Herr, Trey and Paul Rosenzweig, “Cyber Weapons and Export Control: Incorporating Dual Use with the PrEP Model,” Journal of National Security Law and Policy, 2016.
  • 10
    Benjamin, J. and M. Haney, “Nonproliferation of Cyber Weapons,” International Conference on Computational Science and Computational Intelligence (CSCI), 2020, p. 106.
  • 11
    Borghard, Erica D. and Shawn W. Lonergan, “Why Are There No Cyber Arms Control Agreements?” Council on Foreign Relations, January 16, 2018, https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
  • 12
    Rheinhold, Thomas, Helene Pleil and Christian Reuter, “Challenges for Cyber Arms Control: A Qualitative Expert Interview Study,” Zeitschrift für Außen- und Sicherheitspolitik, 9 August 2023, p. 292, https://doi.org/10.1007/s12399-023-00960-w.
  • 13
    Altmann, Jürgen, “Confidence and Security Building Measures for Cyber Forces: IT Applications and Infrastructures in Conflicts, Crises, War, and Peace,” in Information Technology for Peace and Security (pp.185-203), DOI:10.1007/978-3-658-25652-4_9, March 2019.
  • 14
    Dahinden, M., “Can Arms Control and Disarmament contribute to a secure Cyberspace?” ICT4Peace, January 2023, p.9. See also, Erica D. Borghard and Shawn W. Lonergan, “Why Are There No Cyber Arms Control Agreements?” Council on Foreign Relations, January 16, 2018, https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
  • 15
    Mueller, Milton, “A Global Cyber-Attribution Organization – Thinking it through,” Georgia Tech: Internet Governance Project, 4 June 2017, https://www.internetgovernance.org/2017/06/04/a-global-cyber-attribution-org/. 
  • 16
    Barbieri et al., p.21.
  • 17
    Meyer, Paul, “Cyber-Security Through Arms Control,” The RUSI Journal, 156:2, 22-27, DOI:10.1080/03071847.2011.576471, p.22.
  • 18
    See, for example, Mette Eilstrup-Sangiovanni, “Why the World Needs an International Cyberwar Convention,” in Philosophy & Technology 31, no. 3, September 1, 2018; Nye, “From bombs to bytes: Can our nuclear history inform our cyber future?” Bulletin of the Atomic Scientists, Volume 69, Issue 5, September/October 2013, p.X; and Robert S. Litwak & Meg King, Arms Control in Cyberspace, Wilson Center, 2015; and Futter, “What does cyber arms control look like?” p.4.
  • 19
    Nye, Joseph, “From bombs to bytes: Can our nuclear history inform our cyber future?” Bulletin of the Atomic Scientists, Volume 69, Issue 5, September/October 2013, p.14.
  • 20
    Dahinden, “Can Arms Control and Disarmament contribute to a secure Cyberspace?”
  • 21
    Meyer, “Cyber-Security Through Arms Control,” p.25; Erica D. Borghard and Shawn W. Lonergan, “Why Are There No Cyber Arms Control Agreements?”, Council on Foreign Relations, January 16, 2018, https://www.cfr.org/blog/why-are-there-no-cyber-arms-control-agreements.
  • 22
    Allison Pytlak, “Programming action: observations from small arms control for cyber peace,” Reaching Critical Will, 2021.
  • 23
    Author’s email correspondence with a peer reviewer.
  • 24
    Futter, “What does cyber arms control look like?”
  • 25
    Meyer, “Cyber-Security Through Arms Control.”
  • 26
    Rheinhold, Pleil and Reuter, “Challenges for Cyber Arms Control.”
  • 27
    For more on the Arms Trade Treaty, visit https://thearmstradetreaty.org.
  • 28
    “Treaty Status,” Arms Trade Treaty, https://thearmstradetreaty.org/treaty-status.html?templateId=209883.
  • 29
    “Treaty Text,” Arms Trade Treaty, https://thearmstradetreaty.org/treaty-text.html?templateId=209884.
  • 30
    “Reporting Requirements,” Arms Trade Treaty, https://www.thearmstradetreaty.org/reporting.html.
  • 31
    https://www.stimson.org/wp-content/files/file-attachments/ATT-BAP-GoodPractice-WEB3.pdf.
  • 32
    The tools include a Ratification Checklist, Implementation Checklist and Assistance Assessment, the ATT-BAP Baseline Assessment Survey, guidance for completing initial and annual reports, and numerous analytical reports.
  • 33
    “The ATT Baseline Assessment Project: Identifying Good Practice and Implementation Measures,” The Stimson Center, August 2015. https://thearmstradetreaty.org/hyper-images/file/ATT_Financial%20Rules_EN/ATT_Financial%20Rules_EN.pdf.
  • 34
    “Why we need a global Arms Trade Treaty,” Oxfam International, https://www.oxfam.org/en/why-we-need-global-arms-trade-treaty.
  • 35
    Some of the more contentious issues included the Treaty’s scope, in particular whether to include ammunition; imprecise terminology, including around legal principles and too low of a threshold for prohibitions; and exemptions for defence cooperation. For more see, “Finishing the job: Delivering a bullet-proof ATT,” Oxfam International, https://www.oxfam.de/system/files/finishingthejob-1-_format.pdf and Whall, et al., “GETTING IT RIGHT The pieces that matter for the Arms Trade Treaty,” (Oxford: Oxfam GB, March 2013), https://controlarms.org/wp-content/uploads/2018/03/bp169-getting-it-right-arms-trade-treaty-120313-en1.pdf
  • 36
    Bolton, Matthew, et al., “The Arms Trade Treaty from a Global Civil Society Perspective: Introducing Global Policy’s Special Section,” Global Policy, 2014, 5. 10.1111/1758-5899.12171. https://www.researchgate.net/publication/266621561_The_Arms_Trade_Treaty_from_a_Global_Civil_Society_Perspective_Introducing_Global_Policy’s_Special_Section.
  • 37
    “Dealing in Double Standards: How Arms Sales to Saudi Arabia are Causing Human Suffering in Yemen,” ATT Monitor, 2016, https://attmonitor.org/en/arms-transfers-to-saudi-arabia/; and “Violating the Arms Trade Treaty: Arms Exports to Saudi Arabia and the Humanitarian Crisis in Yemen,” PRIF, January 2018, https://www.jstor.org/stable/resrep14282.
  • 38
    Stohl, Rachel, “Why is the Biden Administration Still Silent on Arms Trade Treaty?” The Stimson Center, 27 April 2022, https://www.stimson.org/2022/why-is-the-biden-administration-still-silent-on-arms-trade-treaty/.
  • 39
    “Looking Back to Move Forward: Evaluating Five Years of ATT Annual Reporting,” ATT Monitor, 2021, https://attmonitor.org/en/looking-back-to-move-forward/.
  • 40
    “Voluntary Trust Fund (VTF),” Arms Trade Treaty, https://thearmstradetreaty.org/voluntary.html.
  • 41
    “The ATT Needs and Resources Matching Database,” Arms Trade Treaty, https://database.thearmstradetreaty.org/.
  • 42
    In 2021, the United States blacklisted NSO Group, a notorious producer of surveillance software, or spyware. Also in 2021, the European Union (EU) amended its regulatory framework on export control, the Dual-Use Regulation. The Regulation contains a new category, “cyber-surveillance items”, to which a new regulatory framework applies. In this new framework, human rights considerations play an important role. In 2023, the US released an executive order prohibiting the government from using commercial spyware that poses risks to national security. This issue is also being taken up through the Pall Mall Process, launched in early 2024.
  • 43
    Feldstein, Steven and Brian (Chun Hey) Kot, “Why Does the Global Spyware Industry Continue to Thrive? Trends, Explanations, and Responses,” Carnegie, 14 March 2023, https://carnegieendowment.org/2023/03/14/why-does-global-spyware-industry-continue-to-thrive-trends-explanations-and-responses-pub-89229; and “Global: ‘Predator Files’ investigation reveals catastrophic failure to regulate surveillance trade,” Amnesty International, 5 October 2023, https://securitylab.amnesty.org/latest/2023/10/global-predator-files-investigation-reveals-catastrophic-failure-to-regulate-surveillance-trade/.
  • 44
    “Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, WA-DOC (19) PUB 007, December 2019, https://www.wassenaar.org/app/uploads/2021/12/Public-Docs-Vol-I-Founding-Documents.pdf
  • 45
    “The Wassenaar Arrangement,” Center for Arms Control and Non-Proliferation, https://armscontrolcenter.org/wp-content/uploads/2023/03/Wassenaar-Arrangement-Fact-Sheet.pdf.
  • 46
    “About Us,” The Wassenaar Arrangement, https://www.wassenaar.org/about-us/#faq.
  • 47
    Ibid.
  • 48
    These are available at “Best Practices and Guidelines,” The Wassenaar Arrangement, https://www.wassenaar.org/best-practices/.
  • 49
    “The Wassenaar Arrangement,” Center for Arms Control and Non-Proliferation.
  • 50
    “The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, January 2006, p.6, https://inecip.org/wp-content/uploads/Acuerdo-Wassenaar.pdf.
  • 51
    See White House statement made on February 17, 1995, in CRS Report 95-639, Conventional Arms Transfers: President Clinton’s Policy Directive, by [author name scrubbed] (pdf), pp. 8-10.
  • 52
    Ibid.
  • 53
    “Best Practices for Effective Enforcement,” The Wassenaar Arrangement, 1 December 2000, https://www.wassenaar.org/app/uploads/2016/01/05Best-Practices-for-Effective-Enforcement.pdf.
  • 54
    “The Wassenaar Arrangement,” Center for Arms Control and Non-Proliferation, https://armscontrolcenter.org/wp-content/uploads/2023/03/Wassenaar-Arrangement-Fact-Sheet.pdf.
  • 55
    Rosenblatt, Daniel, “Israel’s Civilian Dual-Use Export Control List for 2021,” Lexology, 3 January 2021, https://www.lexology.com/library/detail.aspx?g=daeb1913-4702-4e5f-bb45-35ba170d621d.
  • 56
    Ruohonen, Jukka and Kai Kimppa, “Updating the Wassenaar Debate Once Again: Surveillance, Intrusion Software, and Ambiguity,” (2019), p.6.
  • 57
    See White House statement made on February 17, 1995, in CRS Report 95-639, Conventional Arms Transfers: President Clinton’s Policy Directive, by [author name scrubbed] (pdf), pp. 8-10.
  • 58
    “Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, WA-DOC (19) PUB 007, December 2019, https://www.wassenaar.org/app/uploads/2021/12/Public-Docs-Vol-I-Founding-Documents.pdf.
  • 59
    See “CSET to host Under Secretary of Commerce Alan Estevez,” CSET, filmed December 2022, 1:04:20 to 1:04:54, https://www.youtube.com/watch?v=WClaOr4wZMMDesp; and “Arms Export Policy,” House of Representatives of the States General of the Netherlands, 8 March 2023, https://www-tweedekamer-nl.translate.goog/kamerstukken/brieven_regering/detail?id=2023Z04037&did=2023D09406&_x_tr_sl=de&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp.
  • 60
    Lewis, Austin, “The Effectiveness of the Wassenaar Arrangement as the Non-Proliferation Regime for Conventional Weapons,” (PhD diss., Stanford University, 2015) https://stacks.stanford.edu/file/druid:mz349xm4602/The%20Effectiveness%20of%20the%20Wassenaar%20Arrangement%20as%20the%20Non-proliferation%20Regime%20for%20Conventional%20Weapons%20-%20Austin%20Lewis.pdf.
  • 61
    Ruohonen and Kimppa, pp. 7-8; “Overview per Country,” Crypto Law Survey, http://www.cryptolaw.org/cls2.htm.
  • 62
    Ruohonen and Kimppa.
  • 63
    Korzak, Elaine, “Export Controls: The Wassenaar experience and its lessons for international regulation of cyber tools,” in Routledge Handbook of International Cybersecurity, ed. (2020), https://www.taylorfrancis.com/chapters/edit/10.4324/9781351038904-31/export-controls-elaine-korzak.
  • 64
    “Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies,” Wassenaar Arrangement Secretariat, December 2022, p.47, https://www.wassenaar.org/app/uploads/2022/12/Public-Docs-Vol-IV-Background-Docs-and-Plenary-related-and-other-Statements-Dec.-2022.pdf.
  • 65
    Korzak, “Export Controls.”
  • 66
    See, for example: Stevenson, Alastair, “A tiny change to this obscure arms dealing agreement could kill the cyber security industry,” Business Insider, 22 July 2015, https://www.businessinsider.com/the-wassenaar-arrangement-cyber-weapons-proposal-will-kill-international-security-research-2015-7; and Zetter, Kim, “Why an Arms Control Pact Has Security Experts Up in Arms,” Wired, 24 June 2015, https://www.wired.com/2015/06/arms-control-pact-security-experts-arms/.
  • 67
    Bromley, Mark, “Export Controls, Human Security and Cyber-Surveillance Technology: Examining the Proposed Changes to the EU Dual-use Regulation,” SIPRI, 2017, pp. 10-11, https://www.nonproliferation.eu/wp-content/uploads/2019/11/sipri1712_bromley.pdf.
  • 68
    Moussouris, Katie, “Serious progress made on the Wassenaar Arrangement for global cybersecurity,” The Hill, 17 December 2017, https://thehill.com/opinion/cybersecurity/365352-serious-progress-made-on-the-wassenaar-arrangement-for-global/.
  • 69
    Bromley, Mark, “Export controls and cyber-surveillance tools: Five suggestions for the Summit for Democracy,” SIPRI, 8 March 2024, https://www.sipri.org/commentary/2024/export-controls-cyber-surveillance-summit-democracy.
  • 70
    An illustrative corollary comes from the Biological and Toxin Weapons Convention, which forbids research into the development of biological weapons but allows research for “protective purposes”. A program to develop a biological warfare agent is practically identical to research on protection; the difference is the intention behind it, which cannot be verified by existing arms control verification instruments.
  • 71
    Herr and Rosenzweig, “Cyber Weapons and Export Control.”
  • 72
    Riecke, “Unmasking the term ‘dual use’ in EU spyware export control.”
