The Nonproliferation Review

ISSN: 1073-6700 (Print) 1746-1766 (Online) Journal homepage: https://www.tandfonline.com/loi/rnpr20

Limiting cyberwarfare: applying arms-control

models to an emerging technology

Erin D. Dumbacher

To cite this article: Erin D. Dumbacher (2018) Limiting cyberwarfare: applying arms-control
models to an emerging technology, The Nonproliferation Review, 25:3-4, 203-222, DOI:
10.1080/10736700.2018.1515152

To link to this article: https://doi.org/10.1080/10736700.2018.1515152

Published online: 11 Oct 2018.

Submit your article to this journal

Article views: 528

View related articles

View Crossmark data

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=rnpr20
NONPROLIFERATION REVIEW
2018, VOL. 25, NOS. 3–4, 203–222
https://doi.org/10.1080/10736700.2018.1515152

Limiting cyberwarfare: applying arms-control models to an

emerging technology
Erin D. Dumbacher

ABSTRACT KEYWORDS
An arms race in cyberspace is underway. US and Western arms control; cyberwarfare;
government efforts to control this process have largely been cyberweapons; dual use;
limited to deterrence and norm development. This article norms; Geneva Protocol;
Biological Weapons
examines an alternative policy option: arms control. To gauge
Convention; Chemical
whether arms-control models offer useful lessons for addressing Weapons Convention;
cyber capabilities, this article compiles a new dataset of verification; civil aviation
predominantly twentieth-century arms-control agreements. It also
evaluates two case studies of negotiated agreements that
regulate dual-use technologies, the 1928 Geneva Protocol
prohibiting chemical- and biological-weapon use and the 1944
Chicago Convention on International Civil Aviation. The analysis
underscores the limits of norm development for emerging
technologies with both civilian and military applications. It finds
lessons for developing verifiable, international cooperation
mechanisms for cyberwarfare in the regulatory model of
international aviation. Conventionally, arms-control agreements
take advantage of transparent tests or estimates of arms. To
restrict cyberwarfare activities, experts and policy makers must
adapt arms-control models to a difficult-to-measure technology at
an advanced stage of development and use. Further investigation
of international regulatory schemes for dual-use technology of
similar diffusion and development to the internet, such as
international civil aviation, is needed.

Despite calls for the cessation of hostilities in the cyber realm, the development and use of
military cyber capabilities continue.1 Over twenty national militaries now have cyber units
preparing for and battling in cyberspace, and the pace of assaults on critical information,
systems, and physical infrastructure is accelerating.2 Economic, physical, and political
losses resulting from cyber attacks are mounting as nation-states enhance their
offensive and defensive cyberwarfare tools and put them to use.3 Modern economies,

CONTACT Erin D. Dumbacher edumbac1@alumni.jh.edu; @erin_dian

1
Cory Bennett, “Lawmakers Notch Win in Fight for Global Cyber Laws,” The Hill, January 3, 2016, <http://thehill.com/
policy/cybersecurity/264522-lawmakers-notch-win-in-fight-for-global-cyber-laws>; Herb Lin, “An Evolving Research
Agenda in Cyber Policy and Security,” <http://cisac.fsi.stanford.edu/content/evolving-research-agenda-cyber-policy-
and-security>.
2
See: US Department of Homeland Security, “Cybersecurity Strategy,” May 17, 2018, p. 2 <www.dhs.gov/publication/dhs-
cybersecurity-strategy>; Dragos, “Industrial Control System Threats,” March 1, 2018, <www.energy.senate.gov/public/
index.cfm/files/serve?File_id=6FC7F7E9-F403-47D5-8EFD-99819B5C4B60>.
3
Although the term remains contested, “cyberwarfare” is defined here as single or multiple computer-network attacks
(CNA) perpetrated by state actors. Practitioners distinguish between CNA and computer-network exploitations (CNE).
© 2018 Middlebury Institute of International Studies at Monterey, James Martin Center for Nonproliferation Studies
204 E.D. DUMBACHER

societies, and national defenses rely on information technologies and connection through
the internet or networks. International trade, electricity production and dissemination,
and even the control of nuclear weapons are dependent on cyberspace.4 Any chance to
halt or slow the proliferation of the technology has passed, and to restrict the many advan-
tages of global interconnection would be highly undesirable. A cyber arms race is underway.
To reduce tensions between nations and limit the chances or consequences of armed
conflict, international arms-control agreements have limited the development and use
of certain weapons. Yet conventional understanding holds that arms-control agreements
provide few useful models for controlling behavior within the anarchic, virtual space of the
internet. Arms-control experts posit that certain basic thresholds for attaining inter-
national agreements have yet to be reached. Information technologists have yet to deter-
mine how parties could share information and reliably identify stealthy attackers.
National-security analysts prefer to maintain offensive options and continue weapons
development rather than agree to limits or begin the long, slow process of developing
international norms that would reduce cyber conflict. Arms control in cyberspace lacks
a constituency. Meanwhile, the use of offensive cyber operations is increasing.5
But by expanding the definition of an international arms-control agreement, the poten-
tial applications of arms control to cyberwarfare become clearer. The internet is not the
first novel technology with both civilian and military applications. Instead of limiting
the potential types of arms-control agreements to commonly recognized forms like redu-
cing nuclear stockpiles or test bans, arms control can be a tool for guiding appropriate
technology applications and demarcating lines between peaceful and military use.
To address the applicability of arms control to cyberwarfare, this article categorizes and
evaluates past arms-control agreements with a historical lens and adopts a mixed-methods
approach to investigating arms-control mechanisms. The findings challenge the conven-
tional wisdom of conflict prevention in cyberspace, that the norms to which nations must
adhere are the optimal, or only, first step toward preventing conflicts in cyberspace today.
The findings do not oppose the notion that cyberspace is currently in anarchy; formal

CNE is the virtual equivalent of espionage—gaining access to information or a system to eavesdrop or steal data. CNA is
the more dangerous form of cyber attack in which a computer or a device connected to it—like an electricity grid or a
weapons system—is harmed, sabotaged, or destroyed. Bruce Schneier, “There’s No Real Difference between Online
Espionage and Online Attack,” The Atlantic, March 6, 2014, <www.theatlantic.com/technology/archive/2014/03/
theres-no-real-difference-between-online-espionage-and-online-attack/284233/>; Brian M. Mazanec, The Evolution of
Cyber War (Lincoln, NE: Potomac Books, 2015), p. 4. For more about the debate om whether “cyberwarfare” fits the Clau-
sewitzian definition of warfare, see: Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies, Vol. 35, No.
1 (2012), pp. 5–32; Thomas G. Mahnken, “Cyber War and Cyber Warfare,” in Kristin Lord and Travis Sharp, eds., America’s
Cyber Future: Security and Prosperity in the Information Age (Washington, DC: CNAS, 2011), Vol. 2, p. 53–62. “Losses” are
defined here as costs to private entities (to pay for incident response and remediation, intellectual property theft, infor-
mation technology investments, etc.), public entities increasing their budgets (to collect and disseminate intelligence
and boost defenses), and political losses (to campaigns, civil society organizations). For more on projected economic
losses, see: US Council of Economic Advisors, “The Cost of Malicious Cyber Activity to the U.S. Economy,” February
2018, <www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.
pdf>.
4
Joseph Nye, “Deterrence and Dissuasion in Cyberspace,” International Security, Vol. 41, No. 3 (2017), pp. 44–71.
5
According to data available in the Council on Foreign Relations’ Cyber Operations Tracker—a database of known nation-
state-sponsored cyber activity since 2005—state-sponsored cyber incidents have increased an average of 53 percent
year on year between 2005 and 2018. See: <www.cfr.org/interactive/cyber-operations>. See also David E. Sanger, “Pen-
tagon Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict,” New York Times, June 17, 2018, <www.
nytimes.com/2018/06/17/us/politics/cyber-command-trump.html>; Michael Sulmeyer, “Military Set for Cyber Attacks
on Foreign Infrastructure,” Belfer Center for Science and International Affairs, April 11, 2018, <www.belfercenter.org/
publication/military-set-cyber-attacks-foreign-infrastructure>.
 NONPROLIFERATION REVIEW 205

“rules of the road” for state behavior are necessary.6 Instead, a more ambitious policy
alternative exists to form binding international agreements and potentially international
organizations to reduce the scale and scope of cyberwarfare. The governance model of
international civil aviation offers lessons for governing conflict in cyberspace. Adopting
a broader definition of arms control could also inform governance and conflict-manage-
ment policies for other emerging technologies.7

Applying arms-control models to cyber

As a technology and its applications emerge—such as those related to nuclear energy,
pharmaceutical innovations, and civil aviation—it brings risks and rewards to its inventors.
Cyberspace is no different. The technology’s emergence invites complicated policy questions
delineating who should procure and retain the peaceful benefits of it. Isolating malicious
activities arising from commercial or peaceful activities—particularly now that the internet
is widespread and in civilian hands—is a common challenge for dual-use technologies.8
Prior studies either have been overly broad or have adopted limited definitions in asses-
sing lessons of arms control for cyber conflict. Most analysts from the information-tech-
nology communities struggle to find relevant models in prior international arms- and
export-control agreements. International-relations analysts posit norm development as
the likeliest manner by which cyberwarfare can be governed, but rarely propose more
ambitious mechanisms or goals toward which norms could develop. One study defined
the inapplicable elements of the 1993 Chemical Weapons Convention (CWC) to cyber.9
Others evaluate the lessons of arms-control agreements by conflating nuclear nonprolifera-
tion with all other methods of international arms control.10 Notable exceptions include a
series of scenarios in which an arms-control regime could govern cyberwarfare, recogniz-
ing that cyber arms control cannot eliminate capacity, or lead to cyber disarmament, but
could “prohibit acts.”11 Proposals for cyber arms control are rare but not outliers. Others
recommend an international organization “that combines the abilities of the International
Atomic Energy Agency (IAEA) with the Antarctic Treaty System.”12
6
Common understanding of definitions and analogies are still lacking globally, but processes are underway. Scholars have
contributed to the debate about definitions and analogies, yet national policies of key governments continue to differ.
For example, perceptions of cyberwar differ among the United States, China, and Russia as well as among the savvy
cyberwarriors of North Korea, Israel, and Iran. Chinese and Russian doctrines define cyberwarfare narrowly as infor-
mation warfare (see: Christopher A. Ford, “The Trouble with Cyber Arms Control,” New Atlantis, No. 29 [2010],
pp. 52–67). Even without universal acceptance of definitions, the United Nations Groups of Governmental Experts’ con-
clusions and the Tallinn Manual (1.0 and 2.0) are initial signs of norms emerging. Unlike the terms and concepts of tech-
nologies whose utility is widely understood by policy makers (e.g., nuclear weapons), the concepts of conflict in
cyberspace are still relatively immature. See: Tim Mauer, “Cyber Norm Emergence at the United Nations,” Belfer
Center for Science and International Affairs, 2011; Ford, “The Trouble with Cyber Arms Control,” pp. 52–67; George Per-
kovich and Ariel Levite, Understanding Cyber Conflict: 14 Analogies (Washington, DC: Georgetown University Press, 2017).
7
Emerging technologies broadly defined are technologies with outstanding potential for impacting society, politics, and
economics. The internet is arguably no longer “emerging,” although applications and uses for the tool are still evolving.
The MIT Technology Review, Scientific American, and the World Economic Forum routinely publish lists of “breakthrough”
or “emerging” technologies forecasted to disrupt common practices.
8
Defined here as technologies with both civilian and military functions.
9
Kenneth Geers, “Cyber Weapons Convention,” Computer Law & Security Review, Vol. 26, No. 5 (2010), pp. 547–51.
10
Joseph Nye, “From Bombs to Bytes: Can Our Nuclear History Inform Our Cyber Future?” Bulletin of the Atomic Scientists,
Vol. 69, No. 5 (2013), pp. 8–14.
11
Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do about It (New York:
Ecco, 2010).
12
Brandon Valeriano and Ryan Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System
(New York: Oxford University Press, 2015).
206 E.D. DUMBACHER

In the twentieth century, the horrific specter of military applications of new technol-
ogies used on civilian populations led opposing parties to negotiate and disarm. Beginning
with the Geneva Conventions after World War I through the post-1945 period, the major
powers negotiated decreases in the quantity, trade of, and regulations upon a number of
dual-use technologies, including chemical, biological, and atomic weapons. Nations agreed
to international agreements to restrict the development and testing, proliferation and
trade, application and use, or conduct of conflict within particular domains like outer
space or Antarctica. In some cases, states agreed to grant international organizations regu-
latory authority or to devise normative agreements to deter use.
The intent of arms-control agreements is to manage weapons proliferation and mini-
mize the potential for and escalation of conflict.13 Most scholars agree that bilateral and
multilateral agreements on antiballistic-missile use and intermediate and strategic
nuclear forces slowly reduced some of the potential threats of a catastrophic nuclear
war.14 When arms control works well, “it reduces uncertainty, creating a predictable secur-
ity environment”; otherwise arms-control efforts can be “largely hortatory,” propaganda
efforts, vague in restrictions, and impose no costs on agreement violators.15
Controls of dual-use technologies have largely been “artifact-centric.” Government
research and development that has created the technologies has also permitted govern-
ments to control or limit access to them, for example through export-control regimes
designed to quell proliferation. 16 Opportunities to weaponize the technology were there-
fore limited. Yet in the information age “it has increasingly been the civilian sector’s
research and development that has provided technology options for military applications.”
Software and hardware are readily available for a range of purposes.17
Some of the contexts that led to modern arms-control agreements do not apply to the
internet today. The widespread civilian use of digital infrastructure makes it difficult to
identify malign actors.18 The very nature of information and communications technol-
ogies makes it difficult to determine what to limit or regulate: “malicious code is
difficult to define.”19 The basic notions of offense versus defense are upended in cyber-
space—offensive capabilities in the form of penetration tests are a basic means for estab-
lishing defensive measures.20 Militaries might consider malevolent code an operational
capability rather than a research-and-development activity of a strategic technology.
Bans are unlikely to take hold: “given the dual-use nature of cyber technology and the
realm itself, a prohibition on research and development of cyberweapons would be
nearly impossible to verify and it is therefore infeasible.”21 That digital offensive

13
Amitav Mallik, Technology and Security in the 21st Century: A Demand-Side Perspective (Oxford: Oxford University Press,
2004), p. 14, <http://catalog.hathitrust.org/Record/004936774>.
14
To take one example, observers of US–Russian relations in 2018 will recall Vladimir Putin’s connection of new nuclear
systems development to US withdrawal from the Anti-Ballistic Missile Treaty, indicating the escalatory risks of an arms-
control agreement’s reversal.
15
Clarke and Knake, Cyber War.
16
Jonathan B. Tucker, Innovation, Dual Use, and Security: Managing the Risks of Emerging Biological and Chemical Technol-
ogies (Cambridge, MA: MIT Press, 2012).
17
Mallik, Technology and Security in the 21st Century.
18
Ford, “The Trouble with Cyber Arms Control.”
19
Kenneth Geers, “Cyber Weapons Convention,” Computer Law & Security Review, Vol. 26, No. 5 (2010), pp. 547–51.
20
Herb Lin, “A Virtual Necessity: Some Modest Steps toward Greater Cybersecurity,” Bulletin of the Atomic Scientists, Vol. 68,
No. 5 (2016), pp. 75–87.
21
James Andrew Lewis and Götz Neuneck, The Cyber Index: International Security Trends and Realities (New York: United
Nations, 2013).
 NONPROLIFERATION REVIEW 207

capabilities are measured in terms of outcomes and exploitation rather than by quantities
and physical characteristics complicates the applicability of some arms-control models
defined as reductions of arsenals.22

De-escalation policies in place

Given the challenges in applying arms-control models to cyberwarfare, recent American
foreign policy has prioritized norm development and deterrence simultaneously.
Groups of governments—notably the Group of 20 (G20), the Group of 7 (G7), and a
United Nations Governmental Group of Experts—have promoted confidence-building
mechanisms, and norms “show clear signs” of “slowly emerging.”23 Fifty-four states
have ratified the 2001 Budapest Convention on Cybercrime, though Russia and China
are not among them. International legal frameworks for applying the laws of armed
conflict to cyberspace, such as the Tallinn Manual, are more advanced but serve as
guides for international legal policy making rather than as actionable agreements
among states.24 Bilateral agreements and some crisis-management mechanisms now
exist, such as the US–Russia hotline for information attacks and the bilateral Xi–
Obama understanding,25 but states have yet to initiate formal multilateral negotiations
beyond definitional and normative agreements on principles—that is, about how,
whether, or when to act upon those principles.
Developing international norms is the preferred “vehicle for advancing the stability
and safety of cyberspace.”26 Developing “taboos” is expected to “become relevant to”
the twin policy of deterrence.27 But “cyberspace increasingly resembles nothing so
much as the old American Wild West with no real sheriff.”28 By practicing a deterrence
policy, “old paradigms focused on power politics … are applied to emergent tactics and
technologies with little consideration of how the new tactic might result in different
means and ends.”29 The widespread use of the internet by malicious, non-state
actors limits the potential for nuclear deterrence and détente policy to translate, imply-
ing a strict definition of cyberwarfare as a catastrophic, kinetic attack.30 Although the
United States did not issue a formal “no first use” policy of nuclear weapons, the
22
Lin, “A Virtual Necessity,” 2016.
23
For example, the most recent G7 meeting communiqué calls for responsible state behavior. See, in particular, point 42 in
“G7 Foreign Ministers’ Communiqué,” Charlevoix, Canada, April 23, 2018, <https://g7.gc.ca/en/g7-presidency/themes/
building-peaceful-secure-world/g7-ministerial-meeting/g7-foreign-ministers-joint-communique/>. See also Mauer,
“Cyber Norm Emergence at the United Nations.”
24
Lewis and Neuneck, The Cyber Index. The Tallinn Manual, now in its second edition, evaluates the applicability of international
law to cyberspace and is intended as a resource for legal advisors involved in cyber issues. The drafting process was facili-
tated by the NATO Cooperative Cyber Defense Centre of Excellene in Tallinn, Estonia. Michael N. Schmitt, Tallinn Manual 2.0
on the International Law Applicable to Cyber Operations, 2nd edn. (Cambridge: Cambridge University Press, 2017).
25
Remarks by President Obama and President Xi of the People’s Republic of China in Joint Press Conference, White House
Press Office, September, 25, 2015. <https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/remarks-
president-obama-and-president-xi-peoples-republic-china-joint>.
26
Martha Finnemore and Duncan B. Hollis, “Constructing Norms for Global Cybersecurity,” American Journal of International
Law, Vol. 110, No. 3 (2016), pp. 425–79. <http://www.jstor.org/stable/10.5305/amerjintelaw.110.3.0425>.
27
Joseph Nye, “Deterrence and Dissuasion in Cyberspace,” International Security, Vol. 41, No. 3 (2017), pp. 44–71; Mazanec,
The Evolution of Cyber War.
28
Richard Haass, “Why the World Needs to Police the Growing Anarchy of Cyberspace,” Fortune, February 7, 2017, <http://
fortune.com/2017/02/07/how-to-guard-against-cyber-hacks/>.
29
Valeriano and Maness, Cyber War versus Cyber Realities.
30
Nye, “From Bombs to Bytes”; Stephen J. Cimbala, “Nuclear Deterrence in Cyber-ia,” Air & Space Power Journal, Vol. 30, No.
3 (2016), pp. 54–63.
208 E.D. DUMBACHER

“taboo evolved.”31 Deterrence policies assume a threshold point of “enormous strategic

and political significance,” which does not apply to a cyberspace full of daily, often
unnoticed, attacks.32 After the apparent failure of American deterrence against
alleged Russian information warfare in the 2016 US election and the coopting of
American-made offensive tools into global attacks, scholars have grown disillusioned
with cyberwarfare deterrence and have started to call for clarification of red lines
and recognition that failure to act is itself a choice.33
Critics see little potential for major cyber powers—such as the United States, Russia,
China, Iran, and North Korea among others—to agree to constraints upon their arsenals
or offensive behavior.34 To discuss controls of weapons, a state must first acknowledge
some aspects of the technologies within their arsenal. Some scholars and policy makers
doubt the effectiveness of treaties; states must be willing to cease restricted activities
then convince partners of their adherence.35 The United States, Russia, and China have
“endorsed cyber norms as a vehicle for promoting ‘information security.’” Some norms
already exist and have emerged alongside the technology. Cyberspace is not a “blank
slate” and “already has a robust and diverse array of norms” such as national laws and pro-
fessional standards governing it, all “in various stages of development and diffusion.”
Norms to constrain cyberwarfare have yet to pass from norm emergence to norm accep-
tance, partially due to the distinctions between constraining or regulatory norms limiting
behavior and those permitting behavior.36 Both international norms and confidence-
building measures are required to promote a peaceful, secure, and free internet.37 The
State Department has resisted proscribing governance structures for cyber. “To sum up
the US position in Tolkienian terms: ‘We don’t need a new treaty,’ and ‘We don’t need
one ring to rule them all.’”38
If among major powers cyberwarfare is currently within the period of unstable peace
—in the early stage of conflict after the point of rising tensions but before confrontation
prompts a crisis—preventive diplomacy could be “especially operative,” however.39 If
current trends continue, “emergence and early development of constraining norms
will be challenged and may not occur at all” as a result of the major powers’ inability
to see strong controls as being in their self-interest.40 Interdependence could create
positive externalities or shared benefits.41 Some scholars and business leaders prefer

31
Nye, “Deterrence and Dissuasion in Cyberspace.”
32
Herb Lin, “Governance of Information Technology and Cyber Weapons,” in Elisa D. Harris, ed., Governance of Dual-Use
Technologies: Theory and Practice (Cambridge, MA: American Academy of Arts & Sciences, 2016).
33
Susan Hennessey, “Deterring Cyberattacks: How to Reduce Vulnerability,” Foreign Affairs, Vol. 96 (2017), p. 39.
34
Mazanec, The Evolution of Cyber War.
35
Finnemore and Hollis, “Constructing Norms for Global Cybersecurity;” Jack Goldsmith, “Can We Stop the Global Cyber
Arms Race?” Washington Post, February 1, 2010, <www.washingtonpost.com/wpdyn/content/article/2010/01/31/
AR2010013101834.html>
36
Finnemore and Hollis, “Constructing Norms for Global Cybersecurity,” pp. 427, 437; see also pp. 425–79.
37
Christopher M.E. Painter, Coordinator for Cyber Issues US Department of State, Testimony before US House of Represen-
tatives House of Representatives Committee on Oversight and Government Reform Subcommittee on Information Secur-
ity and National Security, Hearing on “Digital Acts of War: Evolving the Cybersecurity Conversation,” 114th Cong., 2nd
sess., July 13, 2016.
38
Finnemore and Hollis, “Constructing Norms for Global Cybersecurity.”
39
Michael S. Lund, Preventing Violent Conflicts: A Strategy for Preventive Diplomacy. (Washington, DC: United States Institute
of Peace Press. 1996); Jozef Goldblat, Arms Control: A Guide to Negotiations and Agreements (Oslo: PRIO, 1994).
40
Mazanec, The Evolution of Cyber War.
41
Valeriano and Maness, Cyber War versus Cyber Realities; James Wood Forsyth, “What Great Powers Make It: International
Order and the Logic of Cooperation in Cyberspace,” Strategic Studies Quarterly (Spring 2013), pp. 93–113.
 NONPROLIFERATION REVIEW 209

treaty-based models that would “prevent cyberspace from becoming the default platform
for states seeking to settle conflicts outside the reach of customary international law and
diplomacy.”42 Once in place, an agreement has normative power; binding international
obligations are followed more often than not.43 Parties to a verified arms-control agree-
ment could expect counterparts to notice and respond if they were caught undermining
the agreement. Technology companies are starting to band together to promote ideas
like a Geneva Convention for cyberspace and principles of cybersecurity protection
for users everywhere.44 Thus the question arises: are more ambitious models than
norm development available for limiting cyberwarfare? The interconnected infrastruc-
ture of civil aviation may present a more apt analogy to cyberwarfare than, for
example, nuclear nonproliferation.45

Assessing arms-control models: methodology and criteria

To inform whether arms-control models hold lessons for de-escalation in cyberspace, the
research analyzed an original dataset of international agreements and focused-comparison
case studies. The selection of cases follows the most-similar-systems design approach, ana-
lyzing restrictions on similar types of technologies (dual-use) but distinct verification
methods (preventive, regulatory).46
First, descriptive analysis lists twentieth-century arms- and export-control agreements
of dual-use technologies and classifies their verification schemes, taking a broad approach
to the definition of an international arms-control agreement, incorporating: agreements
conventionally considered an arms or export control, a weapons restriction (e.g., Wasse-
naar Arrangement, 1968 Treaty on the Non-Proliferation of Nuclear Weapons [NPT]), a
prohibition on military activities within particular territories (e.g., the 1967 Outer Space
Treaty), as well as permissions granted for transnational activities (e.g., the 1992 Treaty
on the Open Skies). The research collected a small-n set of agreements as well as data
on the type of verification methods employed, the technologies controlled, the nation-
state participants, and the durability of the controls.
In its second phase, the research examines two cases of international agreements to
control dual-use technologies. Performance indicators of the arms- or export-control
regime are outcome variables.47 Agreements are categorized by the verification method
42
Rex Hughes, “A Treaty for Cyberspace,” International Affairs, Vol. 86 (2013), pp. 523–41.
43
Richard Felix Staar, ed., Arms Control: Myth versus Reality (Stanford, CA: Hoover Institution Press, 1984).
44
Cyber Tech Accord, <https://cybertechaccord.org/accord/>, David Sanger, “Tech Firms Sign ‘Digital Geneva Accord’ Not
to Aid Governments in Cyberwar,” New York Times, April 17, 2018, <www.nytimes.com/2018/04/17/us/politics/tech-
companies-cybersecurity-accord.html> , Brad Smith, “The Need for a Digital Geneva Convention,” February 14, 2017,
<https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/>
45
David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (New York: Crown, 2018); Seymour E.
Goodman, “Critical Information Infrastructure Protection,” in Centre of Excellence Defence Against Terrorism, ed.,
Responses to Cyber Terrorism (Amsterdam: IOS Press: 2008), pp. 24–33.
46
Daniel Druckman, “Comparative Case Study Approaches,” in Doing Research (Thousand Oaks, CA: SAGE, 2005), pp. 208–
26. Distinct verification methods serve as the independent variables of concern.
47
The question of how to measure agreement effectiveness is contentious. Past studies on the performance of verification
models have compared compliance records with the precise language of the international agreement. But parties are
likely to only agree to that which they plan to achieve. If viewed from the perspective of standards setting, then, an
agreement’s longevity is an indicator of effectiveness. The mere existence of an agreement does not alter behavior,
however. Accusations of violations in the absence of third-party observers are “he-said/she-said” battles with each
party countering the other. It is rare that an impartial, third party arbitrates amongst states and determines whether
a signatory has violated an agreement. Sometimes the agreements afford this privilege to an international body
210 E.D. DUMBACHER

they adopt, either preventative or regulatory. To isolate these factors, the analysis notes the
type of technology application,48 the number of participating nations, and the phase of tech-
nology development and diffusion.49 The analysis tests the hypothesis that, to limit conflict
escalation mediated by a dual-use technology, international agreements with regulatory
mechanisms are more sustainable than those with preventative approaches.

Sample of arms-control agreements

Applying a set of decision rules to the units of analysis (international agreements) gener-
ated a sample of thirty-three arms-control agreements.50 An arms-control agreement was
included within the sample if it met the following criteria:

. ratified treaty or agreement as determined by the UN Disarmament Treaty database

or another source of similar repute with updated lists of signatories;51
. two out of three major powers as parties: the United States, the Soviet Union/Russian
Federation, or the People’s Republic of China;52
. not principally a confidence-building measure such as the Organization for Security
and Cooperation in Europe’s Codes of Conduct or the 1975 Helsinki Final Act; and
. final, rather than a draft agreement.53

The sample included agreements that permit cross-border activities, such as the inter-
national postal system, or restrict activities in domains, such as the weaponization of
outer space or Antarctica. The author collected five types of data for each unit of analysis:
(1) prohibition type; (2) agreement scope; (3) agreement type; (4) agreement verification
mechanism; and (5) durability of the agreement, one measure of effectiveness. The key
explanatory variables described the verification scheme of the agreement and agreement
durability serves as the dependent variable.54 The analysis of the agreements makes
clear important distinctions between the stage of weapons development or use and veri-
fication approaches. More than half of the agreements with preventive approaches
include no verification mechanism for assuring compliance; others rely upon national
law enforcement. Four stages of technology diffusion emerge: the point of development,
the point of export or trade, the point of application, or a restriction on the territory to
be impacted (Figure 1). Two agreements grant permissions for access with regulatory

(e.g., IAEA), but these organizations rarely render final judgments opposing a major power. These complications make
measuring agreement effectiveness more art than science. For the purposes of this research, the agreement’s longevity
serves as an imperfect proxy for an agreement’s effectiveness.
48
Distinctions include military-only applications, dual use within cooperating countries at the time of international agree-
ment, or dual use after the agreement in cooperating countries.
49
Phases include “development and testing,” “export or trade,” “application and use,” “access granted,” or “territorial impact.”
50
Due to the small size and nature of the sample, most sophisticated analytical techniques beyond descriptive statistics
were not viable.
51
Principal data sources critical to the quantitative analysis include the treaties and agreements databases of the following
organizations: United Nations Office for Disarmament Affairs: <http://disarmament.un.org/treaties/>; Nuclear Threat
Initiative: <www.nti.org/learn/treaties-and-regimes/treaties/>; Arms Control Association Fact Sheets: <www.
armscontrol.org/factsheets>; US Department of State Bureau of International Security and Non-proliferation: <www.
state.gov/t/isn/c18882.htm>.
52
This qualification distinguished between numbers of similar international agreements. For example, the Outer Space
Treaty was included in the analysis but not the Moon and Celestial Bodies Agreement.
53
This qualifier led to inclusion of SALT (Strategic Arms Limitations Talks) I but not SALT II.
54
The author can provide the original dataset upon request.
 NONPROLIFERATION REVIEW 211

Figure 1. Verification methods by stage of weapon development, use, or impact.

verification (e.g., Treaty of Bern, creating the International Postal Union). Agreements
that limit weapons development or testing and/or application and use (ten out of
thirty-three) are largely verifiable with a regulatory approach. Fewer agreements govern
export and trade or preserve a particular territory (e.g., Antarctica).
Quantitative-restrictions agreements include strong regulatory models but tend to
restrict the development or testing of an emerging technology; these are often bilateral
treaties that prevent testing, development, or deployment of a weapons category. National
technical means, inspections and on-site monitoring, and information exchange assure the
two parties that their opponent is complying with the agreement.
Restrictions on dual-use technologies predominantly employ preventative measures,
some of which are one step in a broader set of measures to prevent weapons use. Other
international agreements incorporate regulatory schemes to limit development, export,
or—most often—application and use of a dual-use technology. In two cases, an inter-
national organization helps to regulate the agreement (such as the IAEA’s role in the
NPT or the International Civil Aviation Organization established by the 1944 Chicago
Convention on International Civil Aviation). All regulatory schemes of dual-use technol-
ogies involve an international organization or information exchange among the signatories.
Most dual-use technology agreements are multilateral. Only one of the fifteen inter-
national agreements governing dual-use technologies is bilateral—the 1976 Peaceful
Nuclear Explosions Treaty (PNET). All but four hold as signatories the three nation-
states of interest: the United States, China, and Russia. Only six agreements within
the sample control dual-use technologies and involve regulatory schemes: PNET; the
1997 Joint Convention on the Safety of Spent Fuel Management and on the Safety
of Radioactive Waste Management; the Chicago Convention on International Civil
212 E.D. DUMBACHER

Aviation; CWC; NPT; and the 1996 Comprehensive Nuclear-Test-Ban Treaty. Only the
PNET, a bilateral treaty, includes fewer than seventy-five signatory states. International
agreements that regulate dual-use technologies, when enacted, have historically regu-
lated application and use of a technology and relied upon national technical means
and/or an international organization or governing body to verify compliance (see
Table 1).

Table 1. Regulatory agreements and verification methods

Agreements with Regulatory Models Regulatory or Verification Methods
National International
Dual-Use Agreements with Principal Stage Technical Information Organization/
Regulatory Regimes of Restriction Means Inspection Exchange Governing Body
Peaceful Nuclear Explosions Application and ✓ ✓ ✓
Treaty use
Safety of Spent Fuel Application and ✓ ✓ ✓
Management and on the use
Safety of Radioactive Waste
Management
Convention on International Application and ✓
Civil Aviation use
Chemical Weapons Application and ✓ ✓ ✓ ✓
Convention use
Treaty on the Non- Export or trade ✓
proliferation of Nuclear
Weapons
Comprehensive Nuclear-Test- Development or ✓ ✓ ✓ ✓
Ban Treaty test
Total 4 3 4 5

Evaluating preventative and regulatory agreements through case studies

The case-study approach follows most-similar-systems design and compares two inter-
national agreements governing dual-use technologies. Each case study reviews an inter-
national agreement curtailing the use of a dual-use technology, the scope of its controls,
the method of verification, the effectiveness of the agreement, and potential lessons for
limiting cyberwarfare.55
The 1925 Geneva Protocol for the Prohibition of the Use in War of Asphyxiating, Poi-
sonous or Other Gases, and of Bacteriological Methods of Warfare (“Geneva Protocol”)
prohibits use of chemical and biological weapons in conflict but takes a preventative,
norm-setting approach rather than establishing a regime to assure compliance. The Con-
vention on International Civil Aviation (“Chicago Convention”) is a multilateral agreement
that relies upon an international organization to verify member-state compliance. The first
case study presents an example of a preventative means for verifying agreements. The
second case study focuses on regulatory methods of verifying the agreements. Each has
been in force for more than seventy years and limits malicious activities using a dual-use

55
This analysis incorporates the generally accepted challenges of internet security, such as the notion that penetration
testing is a method of securing information technology and requires similar activities and technological prowess as a
cyber attack. It also assumes that the application-and-use stage of the technology is the most relevant due to the
degree of proliferation of information technology and the lack of transparent testing or territorial divides.
 NONPROLIFERATION REVIEW 213

technology. The means of regulating compliance—preventive norm development or regu-

lation through an international body—differ and serve as the primary independent variable.
The results demonstrate the limits of preventative and voluntary compliance
methods (“norm setting”) and the limits of multilateral management through inter-
national organizations. The variation in these methods presents lessons and possibili-
ties to apply to cyberwarfare. In particular, the preventative approach of the Geneva
Protocol sets precedents for norm development in cyberspace while the Chicago Con-
vention outlines how international, multilateral regulation can distinguish military
activities from civilian.

Case study 1: Geneva Protocol

After witnessing lethal and dangerous chemical-weapons use during World War I, the US
and French governments proposed restrictions on agents like chlorine and mustard gas to
the Geneva Conference for International Arms Traffic in 1925. Poland proposed further
restrictions to biological weapons, resulting in the Geneva Protocol.56 The Protocol
came into force in 1928 and took a preventative approach; civilized nations were called
to comply with the Protocol’s restrictions, with no verification mechanisms or penalties
for noncompliance. Later conventions sought to remedy this omission.

Scope of controls
The Geneva Protocol bans chemical (or “gas”) and biological (or “germ”) warfare. Nego-
tiated under the auspices of the League of Nations, it prohibits only application and use of
the technology; the latter-day CWC and 1972 Biological and Toxin Weapons Convention
ban the production, stockpiling, and trade of such weapons. Delegates to the 1925 Con-
ference for the Supervision of International Trade in Arms and Ammunition in Geneva
built on prior agreements: the Hague Declaration of 1899 (regarding expanding bullets)
and the Treaty of Versailles (which officially ended World War I) of 1919. The Protocol
bans the use in war of “asphyxiating, poisonous or other gases, and of all analogous liquids,
materials or devices.” The document’s broad language specifies wartime application of
chemical and biological weapons against an opponent, thereby distinguishing between
civilian (peaceful) and military uses of chemicals and biological materials.

Verification method
The Geneva Protocol does not include a verification mechanism. Instead, it serves as a pre-
ventive agreement to which the signatories accede upon ratification. The Protocol relies
upon customary international law: “this prohibition shall be universally accepted as a
part of International Law, binding alike the conscience and the practice of nations.”57
There is no regulatory mechanism within the Protocol; instead, it outlines norms to
which signatory states must adhere. The foundational documents upon which the
56
Alex Spelling, “Driven to Tears: Britain, CS Tear Gas, and the Geneva Protocol, 1969–1975.” Diplomacy & Statecraft, Vol. 27,
No. 4 (2016), pp. 701–725.
57
United Nations Office for Disarmament Affairs, United Nations Disarmament Treaty Database, <http://disarmament.un.
org/treaties/>
214 E.D. DUMBACHER

authors drafted the Protocol rely upon “civilized” nations to adhere to the bans and
uphold the ideal of a “civilized world.”58 Compliance with the Protocol is voluntary.
The Protocol was customary international law by the time the United States considered
ratification of the treaty during the Richard M. Nixon administration, nearly fifty years
after it was first signed and came into effect. The Geneva Protocol outlined a norm
without binding legal restraints.

Effectiveness of the agreement

The gap between nation-state actions and the Protocol’s ambitions became evident later in
the twentieth century, however. The United States did not ratify the Protocol until a dom-
estic debate about the utility of chemical weapons came to an end in 1975. By then, US
foreign policy aligned with the Protocol’s norms and clarifications of the treaty’s reach
defined whether the United States could continue to use tear gas (chloroacetophenone,
used to disperse crowds and in policing situations) or anti-plant agents (such as Agent
Orange, a tactical weapon used to clear forests in Vietnam).59 After the Iran–Iraq War
in the 1980s, states negotiated and agreed to a new multinational CWC banning the devel-
opment and trade of chemical weapons.60 The Biological and Toxin Weapons Convention
(BWC) of 1972 similarly prohibits the development, trade, and stockpiling of biological
agents and toxins. These conventions include more enhanced verification mechanisms;
the BWC is a preventative agreement but provides for confidence-building measures
and the CWC provides for verification through national technical means, inspections,
information exchange, and an international organization.61 An additional arms-control
agreement was necessary to fill the gaps of the Protocol.62
It was not just the omission of a verification structure that the Geneva Protocol lacked:
the definitions of the banned activities and weapons were overly broad. The lengthier
CWC and BWC are more sophisticated in their definitions and aggressive in their con-
trols. Since “one reason for the ambiguous language could be to ensure that the Protocol
and its progeny would apply to broader international situations as they arose,” the benefit
of time permitted the drafters of the CWC—working in the 1990s—to anticipate more
potential uses of chemicals in conflict consistent with the preferences of major powers
(e.g., American use of tear gas).63 The result was a longer, more precise list of prohibitions
in the international agreement.
One aspect of the CWC negotiations demonstrates a deficiency in the Geneva Protocol.
A central opponent and driving force that led the United States to delay its ratification of
the Protocol by five decades was the chief of the US Army Chemical Warfare Service,
General Amos Fries. Fries rallied a coalition of chemical producers, veterans, and the
American Chemical Society to oppose US ratification. Presumably to avoid a similar
fate for the CWC, the director of the US Arms Control and Disarmament Agency
58
Catherine Joyce, “Dulce et Decorum: The Unique Perception of Chemical Warfare and the Enforcement of the Geneva Pro-
tocol in the 21st Century,” Pacific McGeorge Global Business & Development Law Journal, Vol. 28, No. 2 (2014), pp. 331–357.
59
Matthew Meselson, “Gas Warfare and the Geneva Protocol of 1925,” Bulletin of Atomic Scientists , Vol. 28, No. 2, (1972),
pp. 33–37.
60
Joyce, “Dulce et Decorum.”
61
NTI Database; Joyce, “Dulce et Decorum.”
62
Key among the Protocol’s gaps was a verification mechanism, ultimately established under the CWC.
63
Joyce, “Dulce et Decorum.”
 NONPROLIFERATION REVIEW 215

requested advice and guidance from the chemical industry, beginning in 1978.64 Once
negotiated, the CWC included a regulatory verification scheme and an international
organization with the capabilities to inspect and monitor implementation, the Organiz-
ation for the Prohibition of Chemical Weapons. The United States ratified the CWC
four years after signing, in 1997. Without the involvement of the chemical industry or
interested parties in the 1920s, the Americans at the Geneva Conference failed to incor-
porate vested interests into the language of the Geneva Protocol.
The CWC and BWC built upon the Geneva Protocol. The Protocol was one part of a
broader “norm cascade” in prohibiting the use of chemical and biological weapons.65 Its
longevity is therefore difficult to disaggregate from the international agreements that came
before it and followed it.66 The need for the later agreements, however, indicates
deficiencies. Alone it could not achieve its aims. The Protocol’s central ambitions
remain in force through the CWC and BWC, yet its preventative and norm-setting
approach was insufficient to dissuade major powers—like Germany during World War
II and the Soviet Union during the Cold War—from significant chemical-weapons devel-
opment.67 States parties avoided use of the weapons against one another during the war,
largely complying with the prohibitions of the Geneva Protocol.68

Applying the model to cyber

The Geneva Protocol offers three lessons in applying its mechanisms to emerging tech-
nologies. First, the absence of feedback from industry and key interests created chal-
lenges for US ratification. By the time the Protocol was negotiated, vested interests
had already been established and were in the process of developing applications for
the technology. It is not surprising that industry opposed agreements that would
stymie applications of the technology. The involvement of industry in the agreement
design process may have contributed to the inclusion of a robust regulatory verification
mechanism in the CWC. The Geneva Protocol process shows that any international
agreement restricting use of an emerging technology would benefit from acknowledge-
ment of the parties developing applications for the technology, whether in the private
sector or in armed forces.
Secondly, the Geneva Protocol presents lessons for norm development in controlling
dual-use technologies. The Protocol, the Hague Declaration before it, and the CWC
and BWC after it show that the development of an international norm can occur with
time. The Geneva Protocol banned use of weapons while the latter agreements ban use
in addition to development, trade, and stockpiling. Norm development may be more
rapid when curtailing use than for other phases of technology development.69
64
Mazanec, The Evolution of Cyber War.
65
Mazanec, The Evolution of Cyber War, p. 39.
66
International-relations theorists borrow the term “norm cascade” from studies of behavioral research or behavioral-
decision theory to imply a “large-scale behavioral shift.” See: Cass R. Sunstein, “Behavioral Analysis of Law,” University
of Chicago Law Review, Vol. 64 (1997), pp. 1175–95; Martha Finnemore and Kathryn Sikkink, “International Norm
Dynamics and Political Change,” International Organization, Vol. 52, (1998) pp. 887–917.
67
Milton Leitenberg and Raymond A. Zilinskas with Jens H. Kuhn, The Soviet Biological Weapons Program: A History (Cam-
bridge, MA: Harvard University Press, 2012).
68
States did act in violation of the Geneva Protocol’s universality prohibition. See: Richard MacKay Price, The Chemical
Weapons Taboo (Ithaca, NY: Cornell University Press, 1997), pp. 100–33.
69
Mazanec, The Evolution of Cyber War.
216 E.D. DUMBACHER

But the Protocol alone illustrates the limits of a single, preventative international agree-
ment. Even with the CWC in place, the normative power of the Geneva Protocol and the
CWC “did not stop either Saddam Hussein or Bashar al-Assad from using chemical
weapons against his own citizens, but they did have an effect on the perceptions of the
costs and benefits of their actions.”70 The Protocol’s lack of a verification mechanism
leads to further questions about the viability of stand-alone, preventative international
agreements. Must preventative agreements be a part of a broader set of international con-
trols, evolving over time, to achieve their aims?

Case study 2: Convention on International Civil Aviation

The Chicago Convention on International Civil Aviation (and subsequent modifications)
is understood to be neither a disarmament agreement nor an export-control mechanism.
The dual-use nature of aviation technologies necessitated division of civilian and military
uses in the eyes of the negotiators in Chicago. The primary verification method for regulat-
ing the agreement is a standards-setting and operational-guidance organization, the Inter-
national Civil Aeronautics Organization (ICAO). Given the longevity and scope of the
agreement and the engagement of state signatories to adapt the agreement to technological,
political, and economic developments, the Chicago Convention is a promising example of
an international agreement for a dual-use technology with applications for cyberspace.

Scope of controls
Signed in 1944, the Chicago Convention prescribed freedoms to states and their airlines to
fly through the airspace of one another and to land in a country for refueling and main-
tenance.71 Additional assemblies and commitments in Bermuda, Beijing, and Montréal
among others created a regulatory regime for international air travel which both protects
states’ rights to restrict military activity above their territories (land and sea) and provides
protections for civilian travel to assure military activities in the air cannot infringe upon it.
The ICAO structure includes an assembly of member-state representatives, a council with
governing powers, and a secretariat with career staff who process and verify compliance
with safety and operational standards for airlines from 190 signatory states. National gov-
ernments are expected to identify a domestic civil-aviation authority with responsibility
for implementing the standards among domestic carriers. The Chicago Convention set
up a dynamic means of organizing international cooperation, leading to nineteen
annexes and an estimated 12,000 standards for international civil aviation.72

Verification method
The Chicago Convention takes a multilateral approach to governing civilian air travel. Civil
aviation requires “some international rationalization of the degree to which [activities] can
70
Nye, “Deterrence and Dissuasion in Cyberspace.”
71
Christer Jönsson, “Sphere of Flying: The Politics of International Aviation,” International Organization, Vol. 35, No. 2
(1981), pp. 273–302.
72
“The History of ICAO and the Chicago Convention,” United Nations Aviation, <www.icao.int/about-icao/History/Pages/
default.aspx>
 NONPROLIFERATION REVIEW 217

be carried out by individual nation-states without the activities of one state preventing the
exploitation of the same activities by other states.”73 ICAO staff perform data-collection
functions in addition to standards-setting work and help to minimize or eliminate disrup-
tions (in economic terms, negative externalities) that could infringe upon the vibrant inter-
national air-travel market. These include basic or advanced safety standards, information
alerts and operational notices (e.g., warnings of closed airspace above conflict zones), and
coordination to improve navigation efficiency. In addition to technical standards, the Con-
vention also outlines market-management responsibilities for the organization.
ICAO’s functions are the core verification method of the convention. The organization
has the authority to “make regulations on technical matters” governing “operational and
safety matters in international air transport.”74 The standards do not merely “reflect the
lowest achievable denominator acceptable to most states.” New ICAO member states
have worked to align national practices and legal regimes with ICAO expectations. At
times, states have been slow to notify ICAO of their compliance, allowable due to the
lack of standard enforcement procedures. Yet, in 2007, eighty-seven contracting states
had disclosed and shared their safety audit reports with ICAO for publication.75 The Mon-
tréal Conference in 1997 enhanced ICAO’s auditing powers, permitting the technical,
non-political staff to conduct oversight through “regular, mandatory, systematic and har-
monized safety audits” among all contracting states.76 ICAO’s scope has expanded on the
grounds of enhancing safety and uniformity.
The states party to the agreement maintain the option to observe and call out noncom-
pliance. For example, a frustrated US civil aviation authority, the Federal Aviation Admin-
istration (FAA), decided to act unilaterally in 1992 to identify and publicize the names of
nations whose airlines do not meet ICAO standards. With the consent and cooperation of
the participating states, a civil aviation authority can conduct on-site visits and review the
domestic regulatory schemes. The American FAA categorizes states into two groups: those
which comply with ICAO standards and those which do not. The airline flag carriers in the
latter category lose their permission to serve in the American market.77 The FAA’s actions
constitute a de facto compliance regime. While the convention provides for verification of
compliance with ICAO standards, there is no formal, multilateral mechanism for ensuring
compliance. As a result, many scholars do not consider the Convention to be a strong
regulatory body.78

Effectiveness of the agreement

International-relations scholars debate whether the Convention is truly multilateral or
simply an example of hegemonic, mercantilist activity on the part of the United
States and United Kingdom, which dominated civilian aviation capacities in 1944.79
73
Allan McKnight, “International Regulation of Science and Technology,” International Journal, Vol. 25, No. 4 (1970),
pp. 745–53.
74
Abram Chayes and Antonia Handler Chayes, “On Compliance,” International Organization, Vol. 47, No. 2 (1993), pp. 175–
205.
75
Michael Milde, International Air Law and ICAO (Utrecht: Eleven International, 2008).
76
ICAO Resolution A32-11.
77
Milde, International Air Law and ICAO.
78
Jönsson, “Sphere of Flying.”
79
Baldev Raj Nayar, “Regimes, Power, and International Aviation,” International Organization, Vol. 49, No. 1 (1995), pp. 139–
70.
218 E.D. DUMBACHER

In the Chicago negotiations, the United States fought for low regulation (“open skies”)
while British Commonwealth countries sought government involvement.80 The Inter-
national Air Transport Association (IATA), established under ICAO auspices,
became a venue for states to assert control over the aviation market by setting fare
prices and establishing regulations.81 These activities support the assertion that the
Convention features active state intervention rather than a “declining importance
and centrality of states.”82 But most agree that the Convention has standardized air
navigation practices by setting international norms and provides generally secure and
conflict-free civilian air transport.
The Chicago Convention and the subsequent expanded ICAO authority have not
solved all challenges for civilian air travel. On occasion, violent conflict in the form of
international terrorism (e.g., September 11, 2001) or civil war (e.g., separatism in
Ukraine) has impeded the peaceful flow of international, civilian travelers across
state lines. In 2010 in Beijing, seventy-seven contracting states adopted international
legal instruments to “suppress unlawful acts relating to civil aviation” and to
criminalize sabotage and hijacking and the “unlawful transport of biological, chemical,
and nuclear weapons.”83 Additional agreements beyond the original Chicago Con-
vention and the authority of ICAO were required for multilateral restrictions to,
for example, prevent non-state actors using (hijacking) or influencing aviation
(an errant anti-aircraft missile targeting civilian aircraft) as a means of violence.
Now, the Chicago Convention framework provides protections for civilian flights
from military activities, but the convention’s structure does not fully limit one
state’s ability to infringe the rights of other states.
The longevity and the evolution of the civil-aviation agreement are significant. Core
tenets of the original agreement remain intact after seventy-four years in force. The
major world powers of interest—the United States, China, and Russia—are active par-
ticipants in ICAO. The number of participants has blossomed from the fifty-two signa-
tories to 190 participating states. The convention established a platform for ongoing
negotiations and consensus rule making, which state parties have opted to use over
time to solve technical and market-management functions. Such expansions of authority
and function are consistent with the “mission creep” common to some international
organizations, but the Chicago Convention was unusually broad in its ambitions and
delegation of cooperative authority to the organization. Although ICAO holds limited
legal authority, it derives support for its actions from delegations (of contracting
states), expertise, and in some instances moral and values-based principles (e.g., safety
and security of civilian travelers).84 Such mechanisms have filled a functional gap
between national regulatory schemes and brought consistency and high standards to
civil aviation.

80
Waqar H. Zaidi, “‘Aviation Will Either Destroy or Save Our Civilization’: Proposals for the International Control of Aviation,”
Journal of Contemporary History, Vol. 46, No. 1 (2011), pp. 150–78.
81
“Opening Wider,” The Economist, March 8, 2001. <http://www.economist.com/node/525733>
82
Jönsson, “Sphere of Flying.”
83
ICAO, “Diplomatic Conference Adopts Beijing Convention and Protocol,” press release, 2010, <https://www.icao.int/
Newsroom/Pages/diplomatic-conference-adopts-beijing-convention-and-protocol.aspx>
84
Michael Barnett and Martha Finnemore, Rules for the World: International Organizations in Global Politics (Ithaca, NY:
Cornell University Press, 2004).
 NONPROLIFERATION REVIEW 219

Applying the model to cyber

The Chicago Convention’s verification model offers a promising, if complex and incom-
plete, example of what international cooperation could look like to restrict malicious
actions in cyberspace. Some, though not all, of the ICAO model could be transferable
to governing behavior using the internet. The Chicago Convention’s isolation and protec-
tion of civilian services from military activities provides a useful example. The approach of
a technical organization to set standards, manage information, and offer supporting capa-
bilities to newcomers could not only provide increased security on the internet but also
enable global economic competition.
Most importantly, the Chicago Convention and ICAO carefully isolate civilian appli-
cations of aviation from military ones, delegating enforcement authority to national gov-
ernments. Demarcations of military vessels or activity are not as clear in cyberspace as the
paint color or design of an airplane. Yet the ICAO technical staff started with a small
mandate to set some international standards and expanded its scope over time alongside
the growth of the aviation market. The dynamic, standards-setting approach and the
ICAO structure that allows states to amend or annex agreements to improve safety,
provide for incident response, or disseminate data and security alerts could improve the
safety and security of global internet use.
A regulatory framework like the Chicago Convention is imperfect and leaves compli-
ance responsibilities to state parties, yet the cooperation mechanisms it creates could fill
gaps in governing cyber activities. Civil-aviation incidents and accidents are possible
and have occurred.85 For example, in the aftermath of the 2014 Malaysian Airlines
MH-17 accident, the Chicago Convention governed how the accident investigation
could occur and who would staff it. ICAO sent inspectors to eastern Ukraine, alongside
Dutch and other national representatives. The resulting recommendations called for
ICAO to set additional standards and encourage more extensive use of existing report-
ing mechanisms.86 The Chicago Convention and ICAO offer the structures and non-
partisan expertise that states need to call upon in a crisis. Annex 17 of the Chicago Con-
vention, for example, calls on countries “to establish and implement procedures to share
with other Contracting States threat information that applies to the aviation security
interests of those States.”87 Such threat-information sharing and rapid-response investi-
gative teams could help protect civilian use of the internet as computer viruses and
malware spread seemingly indiscriminately and there is no trusted, international, non-
governmental arbiter of incident assessment and investigation outside of a few top
cybersecurity firms.
Incorporating industry views and preferences into the Chicago Convention assured
that the international cooperation mechanism among states solved not only political

85
There is a rich body of literature on the terrorism threat to the governance of civil aviation.
86
A Dutch investigation of the MH-17 accident, which concluded that a Buk missile shot down the civilian jet over the
Ukrainian Donetsk region as part of ongoing armed conflict, made a number of precise recommendations to ICAO.
Among them was encouragement of states party to share information about the risks of flying over conflict zones.
See: “Investigation Crash MH17, 17 July 2014,” Dutch Safety Board, <https://www.onderzoeksraad.nl/en/onderzoek/
2049/investigation-crash-mh17-17-july-2014/publicatie/1701/following-up-the-recommendations-in-the-mh17-report-
takes-time?s=DC6AD889E456EA9011C03F4C47168EABDF7B9328#fasen>
87
“Response from ICAO to Safety Recommendations Arising from Investigation of MH17 B-777 Accident on 11 July 2014,”
Dutch Safety Board, p. A-2, <https://www.onderzoeksraad.nl/uploads/phase-docs/1006/0d6843a1a0fdreactie-icao-
mh17-14122015.pdf?s=2004DD94C6CA97577ECD00AF517379FD6F7F5971>.
220 E.D. DUMBACHER

problems but also economic challenges. While the Chicago Convention mitigated some
economic risks like pre-empting free ridership, its structure permitted oligopolistic behav-
ior among airlines.88 Applying the model to cyberspace requires deeper investigation of
questions of political economy than is possible in this analysis, but the importance of
the private sector in international cooperation relating to cyberspace cannot be under-
stated. Some major technology firms stand ready to support governmental negotiations
of appropriate rules for isolating military and civilian activities online.89 What remains
to be seen is whether technology firms will be comfortable with international-level regu-
lation of thorny issues like customer privacy and data protection in the same way that the
Chicago Convention permits.90 ICAO extends to new signatories and newcomers to civil
aviation its expertise in technology-informed standards setting that helps states adopt best
practices and adjust domestic regulations quickly. In this way, ICAO fills functional gaps
between national regulations that facilitate safe civilian air transport. Regulations in most
countries to govern the security of information and operational technology systems are
still in their infancy.
The longevity, evolution, and flexibility of the Chicago Convention’s multilateral
coordination mechanism assures freedom of civilian aviation—one half of the “dual-use”
aspiration—and warrants consideration as a model for de-escalating conflict in cyberspace.

Limits to preventative models

A mixed-methods approach to finding elements of arms-control verification methods
that could be applied to de-escalating conflict in cyberspace shows the limits of a preven-
tative or norm-driven approach to managing an unstable peace. Two approaches to ver-
ifying arms-control models of technology application and use —preventative and
regulatory—were evaluated. The analysis finds that policy makers interested in inter-
national cooperation should look for models that control or govern application and
use cyber technologies, rather than restrict proliferation or testing, defying general senti-
ments about the applicability of arms control to cyberwarfare.91 The analysis offers an
example, in the form of international aviation governance and the Chicago Convention,
of an alternative means of cooperation.
The case study of the Geneva Protocol illustrates the limitations of a single, preventative
agreement. As one step in a broader norm cascade, such measures can be sustainable, but,
alone, preventative agreements rely upon signatory states to self-regulate. Isolated agree-
ments can be part of broader norm cascade but fail to establish substantive and sustainable
behavioral change on their own. Preventative agreements beg the question of whether a
rule is a rule at all if it stands without cost when broken. The later development of the
88
Hannah E. Cline, “Hijacking Open Skies: The Line between Tough Competition and Unfair Advantage in the International
Aviation Market,” Journal of Air Law & Commerce, Vol. 529, No. 81 (2016), pp. 532–33, <https://scholar.smu.edu/jalc/
vol81/iss3/5>.
89
David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (New York: Crown, 2018), pp. 306–07.
90
Interpretations and rules for privacy, for example, already differ among Western states in part due to technology-industry
preferences. To take one example, the European Union’s General Data Protection Regulation (GDPR) has required US and
other technology companies to comply with more extensive privacy restrictions on customer data. US regulations are
more minimal than European ones.
91
Some models of international cooperation to protect territories, such as the outer-space and Antarctic regimes, could
also have applications for cyber. Scholars could explore which “areas” of the internet could be designated as peaceful
with sufficient transparency and clarity of “borders” to verify compliance.
 NONPROLIFERATION REVIEW 221

CWC demonstrates that international policy makers found the Geneva Protocol insuffi-
cient but that it served as a useful norm-setting mechanism.
For a technology still developing and diffusing, the Chicago Convention is a potential
model for conflict prevention in cyberspace. ICAO, which serves as the principal verifica-
tion mechanism, offers a flexible forum for relevant stakeholders—including private indus-
try—to take part in establishing rules and expectations. The conventions and charters that
followed the original convention negotiations installed limits and separation between mili-
tary and civilian applications of aviation, evolving to form a sophisticated regime with
international standards for safety and efficiency in the civilian aviation industry. Such a
flexible regulatory regime that engages the private sector could serve as a model for
restricting cyberwarfare and indeed other emerging technologies.92

Reimagining arms control for cyberspace

Beyond norm development and with few modern examples of controls on technologies
similar to the internet, arms-control experts should look for creative approaches to
curbing cyberwarfare. Although some of the most prevalent disarmament, nonproliferation,
or arms-reduction approaches are inapplicable to cyberwarfare, aspects of long-standing fra-
meworks and agreements could be applied to a future control regime that isolates combative
from peaceful uses of the internet and devises international information and standards-
sharing mechanisms.
The number of arms-control agreements that both incorporate limits upon develop-
ment and testing of weapons and include prescriptive regulatory regimes helps to
explain why, at first, an analyst may see few applications of arms-control agreements to
cyberspace: the comparisons seem inadequate to a technology already pervasive in civilian
and military affairs. As applied to a pervasive, dual-use technology like the internet, “arti-
fact-centric” control mechanisms fall short; multilateral approaches including inter-
national organizations and multiparty information exchange may be more effective.
The commercial incentives to eliminate externalities and ensure the safety of civil aviation
were high in the mid twentieth century, just as costs of cyber incidents to the private sector
and consumers are intensifying today.
The scope of this article is limited to assessing existing international agreements and
their potential applications, leaving to other researchers technical questions of authentica-
tion and attribution for future verification of compliance with a cyber-arms-control agree-
ment and questions of how to restrict non-state actors in cyberspace, among others. This
research also does not address the ways states or third parties could bring relevant parties
to the negotiating table (e.g., mutually hurting stalemates or enticing opportunities) nor
does it address the negotiation process itself. What kind of political conditions might
trigger negotiations among the major powers is an important consideration, especially
in the absence of a UN-led process for cyber norm development and amidst active disin-
formation and offensive cyber campaigns? Further research could investigate the appro-
priate incentives and tactics to bring major powers to the negotiation table—a mutually
enticing opportunity to come to negotiate similar to the steps that led to the Chicago

92
These characteristics may also be relevant to other dual-use emerging technologies such as artificial intelligence
and nanotechnology.
222 E.D. DUMBACHER

Convention in 1944. Research could also explore incentives that may lead states to make
their cyber capabilities more transparent, both offensive and defensive, as a basis for build-
ing trust among parties. Few bilateral agreements exist between the three major powers in
cyberwarfare—the United States, China, and Russia. In-depth analysis of compliance with
bilateral measures, as well as what prompted them, is ripe for investigation.
Policy makers have already sought to develop norms and confidence-building mechan-
isms, but those efforts have yet to yield notable outcomes. To reduce tensions and slow the
current arms race in cyberspace, states must look beyond conventional, artifact-based
arms- and export-control agreements yet also need not limit their ambitions to developing
norms. Arms-control experts must consider which aspects of their models and toolkits are
most applicable to a technology already economically essential and global. Policy makers
should join with private-sector leaders to promote the lofty objective to limit conflict in
cyberspace. The Chicago Convention supported the secure growth of international civil
aviation; a “Silicon Valley Convention” could support secure growth and use of the internet.