Professional Documents
Culture Documents
Erin D. Dumbacher
To cite this article: Erin D. Dumbacher (2018) Limiting cyberwarfare: applying arms-control
models to an emerging technology, The Nonproliferation Review, 25:3-4, 203-222, DOI:
10.1080/10736700.2018.1515152
ABSTRACT KEYWORDS
An arms race in cyberspace is underway. US and Western arms control; cyberwarfare;
government efforts to control this process have largely been cyberweapons; dual use;
limited to deterrence and norm development. This article norms; Geneva Protocol;
Biological Weapons
examines an alternative policy option: arms control. To gauge
Convention; Chemical
whether arms-control models offer useful lessons for addressing Weapons Convention;
cyber capabilities, this article compiles a new dataset of verification; civil aviation
predominantly twentieth-century arms-control agreements. It also
evaluates two case studies of negotiated agreements that
regulate dual-use technologies, the 1928 Geneva Protocol
prohibiting chemical- and biological-weapon use and the 1944
Chicago Convention on International Civil Aviation. The analysis
underscores the limits of norm development for emerging
technologies with both civilian and military applications. It finds
lessons for developing verifiable, international cooperation
mechanisms for cyberwarfare in the regulatory model of
international aviation. Conventionally, arms-control agreements
take advantage of transparent tests or estimates of arms. To
restrict cyberwarfare activities, experts and policy makers must
adapt arms-control models to a difficult-to-measure technology at
an advanced stage of development and use. Further investigation
of international regulatory schemes for dual-use technology of
similar diffusion and development to the internet, such as
international civil aviation, is needed.
Despite calls for the cessation of hostilities in the cyber realm, the development and use of
military cyber capabilities continue.1 Over twenty national militaries now have cyber units
preparing for and battling in cyberspace, and the pace of assaults on critical information,
systems, and physical infrastructure is accelerating.2 Economic, physical, and political
losses resulting from cyber attacks are mounting as nation-states enhance their
offensive and defensive cyberwarfare tools and put them to use.3 Modern economies,
societies, and national defenses rely on information technologies and connection through
the internet or networks. International trade, electricity production and dissemination,
and even the control of nuclear weapons are dependent on cyberspace.4 Any chance to
halt or slow the proliferation of the technology has passed, and to restrict the many advan-
tages of global interconnection would be highly undesirable. A cyber arms race is underway.
To reduce tensions between nations and limit the chances or consequences of armed
conflict, international arms-control agreements have limited the development and use
of certain weapons. Yet conventional understanding holds that arms-control agreements
provide few useful models for controlling behavior within the anarchic, virtual space of the
internet. Arms-control experts posit that certain basic thresholds for attaining inter-
national agreements have yet to be reached. Information technologists have yet to deter-
mine how parties could share information and reliably identify stealthy attackers.
National-security analysts prefer to maintain offensive options and continue weapons
development rather than agree to limits or begin the long, slow process of developing
international norms that would reduce cyber conflict. Arms control in cyberspace lacks
a constituency. Meanwhile, the use of offensive cyber operations is increasing.5
But by expanding the definition of an international arms-control agreement, the poten-
tial applications of arms control to cyberwarfare become clearer. The internet is not the
first novel technology with both civilian and military applications. Instead of limiting
the potential types of arms-control agreements to commonly recognized forms like redu-
cing nuclear stockpiles or test bans, arms control can be a tool for guiding appropriate
technology applications and demarcating lines between peaceful and military use.
To address the applicability of arms control to cyberwarfare, this article categorizes and
evaluates past arms-control agreements with a historical lens and adopts a mixed-methods
approach to investigating arms-control mechanisms. The findings challenge the conven-
tional wisdom of conflict prevention in cyberspace, that the norms to which nations must
adhere are the optimal, or only, first step toward preventing conflicts in cyberspace today.
The findings do not oppose the notion that cyberspace is currently in anarchy; formal
CNE is the virtual equivalent of espionage—gaining access to information or a system to eavesdrop or steal data. CNA is
the more dangerous form of cyber attack in which a computer or a device connected to it—like an electricity grid or a
weapons system—is harmed, sabotaged, or destroyed. Bruce Schneier, “There’s No Real Difference between Online
Espionage and Online Attack,” The Atlantic, March 6, 2014, <www.theatlantic.com/technology/archive/2014/03/
theres-no-real-difference-between-online-espionage-and-online-attack/284233/>; Brian M. Mazanec, The Evolution of
Cyber War (Lincoln, NE: Potomac Books, 2015), p. 4. For more about the debate om whether “cyberwarfare” fits the Clau-
sewitzian definition of warfare, see: Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies, Vol. 35, No.
1 (2012), pp. 5–32; Thomas G. Mahnken, “Cyber War and Cyber Warfare,” in Kristin Lord and Travis Sharp, eds., America’s
Cyber Future: Security and Prosperity in the Information Age (Washington, DC: CNAS, 2011), Vol. 2, p. 53–62. “Losses” are
defined here as costs to private entities (to pay for incident response and remediation, intellectual property theft, infor-
mation technology investments, etc.), public entities increasing their budgets (to collect and disseminate intelligence
and boost defenses), and political losses (to campaigns, civil society organizations). For more on projected economic
losses, see: US Council of Economic Advisors, “The Cost of Malicious Cyber Activity to the U.S. Economy,” February
2018, <www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.
pdf>.
4
Joseph Nye, “Deterrence and Dissuasion in Cyberspace,” International Security, Vol. 41, No. 3 (2017), pp. 44–71.
5
According to data available in the Council on Foreign Relations’ Cyber Operations Tracker—a database of known nation-
state-sponsored cyber activity since 2005—state-sponsored cyber incidents have increased an average of 53 percent
year on year between 2005 and 2018. See: <www.cfr.org/interactive/cyber-operations>. See also David E. Sanger, “Pen-
tagon Puts Cyberwarriors on the Offensive, Increasing the Risk of Conflict,” New York Times, June 17, 2018, <www.
nytimes.com/2018/06/17/us/politics/cyber-command-trump.html>; Michael Sulmeyer, “Military Set for Cyber Attacks
on Foreign Infrastructure,” Belfer Center for Science and International Affairs, April 11, 2018, <www.belfercenter.org/
publication/military-set-cyber-attacks-foreign-infrastructure>.
NONPROLIFERATION REVIEW 205
“rules of the road” for state behavior are necessary.6 Instead, a more ambitious policy
alternative exists to form binding international agreements and potentially international
organizations to reduce the scale and scope of cyberwarfare. The governance model of
international civil aviation offers lessons for governing conflict in cyberspace. Adopting
a broader definition of arms control could also inform governance and conflict-manage-
ment policies for other emerging technologies.7
In the twentieth century, the horrific specter of military applications of new technol-
ogies used on civilian populations led opposing parties to negotiate and disarm. Beginning
with the Geneva Conventions after World War I through the post-1945 period, the major
powers negotiated decreases in the quantity, trade of, and regulations upon a number of
dual-use technologies, including chemical, biological, and atomic weapons. Nations agreed
to international agreements to restrict the development and testing, proliferation and
trade, application and use, or conduct of conflict within particular domains like outer
space or Antarctica. In some cases, states agreed to grant international organizations regu-
latory authority or to devise normative agreements to deter use.
The intent of arms-control agreements is to manage weapons proliferation and mini-
mize the potential for and escalation of conflict.13 Most scholars agree that bilateral and
multilateral agreements on antiballistic-missile use and intermediate and strategic
nuclear forces slowly reduced some of the potential threats of a catastrophic nuclear
war.14 When arms control works well, “it reduces uncertainty, creating a predictable secur-
ity environment”; otherwise arms-control efforts can be “largely hortatory,” propaganda
efforts, vague in restrictions, and impose no costs on agreement violators.15
Controls of dual-use technologies have largely been “artifact-centric.” Government
research and development that has created the technologies has also permitted govern-
ments to control or limit access to them, for example through export-control regimes
designed to quell proliferation. 16 Opportunities to weaponize the technology were there-
fore limited. Yet in the information age “it has increasingly been the civilian sector’s
research and development that has provided technology options for military applications.”
Software and hardware are readily available for a range of purposes.17
Some of the contexts that led to modern arms-control agreements do not apply to the
internet today. The widespread civilian use of digital infrastructure makes it difficult to
identify malign actors.18 The very nature of information and communications technol-
ogies makes it difficult to determine what to limit or regulate: “malicious code is
difficult to define.”19 The basic notions of offense versus defense are upended in cyber-
space—offensive capabilities in the form of penetration tests are a basic means for estab-
lishing defensive measures.20 Militaries might consider malevolent code an operational
capability rather than a research-and-development activity of a strategic technology.
Bans are unlikely to take hold: “given the dual-use nature of cyber technology and the
realm itself, a prohibition on research and development of cyberweapons would be
nearly impossible to verify and it is therefore infeasible.”21 That digital offensive
13
Amitav Mallik, Technology and Security in the 21st Century: A Demand-Side Perspective (Oxford: Oxford University Press,
2004), p. 14, <http://catalog.hathitrust.org/Record/004936774>.
14
To take one example, observers of US–Russian relations in 2018 will recall Vladimir Putin’s connection of new nuclear
systems development to US withdrawal from the Anti-Ballistic Missile Treaty, indicating the escalatory risks of an arms-
control agreement’s reversal.
15
Clarke and Knake, Cyber War.
16
Jonathan B. Tucker, Innovation, Dual Use, and Security: Managing the Risks of Emerging Biological and Chemical Technol-
ogies (Cambridge, MA: MIT Press, 2012).
17
Mallik, Technology and Security in the 21st Century.
18
Ford, “The Trouble with Cyber Arms Control.”
19
Kenneth Geers, “Cyber Weapons Convention,” Computer Law & Security Review, Vol. 26, No. 5 (2010), pp. 547–51.
20
Herb Lin, “A Virtual Necessity: Some Modest Steps toward Greater Cybersecurity,” Bulletin of the Atomic Scientists, Vol. 68,
No. 5 (2016), pp. 75–87.
21
James Andrew Lewis and Götz Neuneck, The Cyber Index: International Security Trends and Realities (New York: United
Nations, 2013).
NONPROLIFERATION REVIEW 207
capabilities are measured in terms of outcomes and exploitation rather than by quantities
and physical characteristics complicates the applicability of some arms-control models
defined as reductions of arsenals.22
31
Nye, “Deterrence and Dissuasion in Cyberspace.”
32
Herb Lin, “Governance of Information Technology and Cyber Weapons,” in Elisa D. Harris, ed., Governance of Dual-Use
Technologies: Theory and Practice (Cambridge, MA: American Academy of Arts & Sciences, 2016).
33
Susan Hennessey, “Deterring Cyberattacks: How to Reduce Vulnerability,” Foreign Affairs, Vol. 96 (2017), p. 39.
34
Mazanec, The Evolution of Cyber War.
35
Finnemore and Hollis, “Constructing Norms for Global Cybersecurity;” Jack Goldsmith, “Can We Stop the Global Cyber
Arms Race?” Washington Post, February 1, 2010, <www.washingtonpost.com/wpdyn/content/article/2010/01/31/
AR2010013101834.html>
36
Finnemore and Hollis, “Constructing Norms for Global Cybersecurity,” pp. 427, 437; see also pp. 425–79.
37
Christopher M.E. Painter, Coordinator for Cyber Issues US Department of State, Testimony before US House of Represen-
tatives House of Representatives Committee on Oversight and Government Reform Subcommittee on Information Secur-
ity and National Security, Hearing on “Digital Acts of War: Evolving the Cybersecurity Conversation,” 114th Cong., 2nd
sess., July 13, 2016.
38
Finnemore and Hollis, “Constructing Norms for Global Cybersecurity.”
39
Michael S. Lund, Preventing Violent Conflicts: A Strategy for Preventive Diplomacy. (Washington, DC: United States Institute
of Peace Press. 1996); Jozef Goldblat, Arms Control: A Guide to Negotiations and Agreements (Oslo: PRIO, 1994).
40
Mazanec, The Evolution of Cyber War.
41
Valeriano and Maness, Cyber War versus Cyber Realities; James Wood Forsyth, “What Great Powers Make It: International
Order and the Logic of Cooperation in Cyberspace,” Strategic Studies Quarterly (Spring 2013), pp. 93–113.
NONPROLIFERATION REVIEW 209
treaty-based models that would “prevent cyberspace from becoming the default platform
for states seeking to settle conflicts outside the reach of customary international law and
diplomacy.”42 Once in place, an agreement has normative power; binding international
obligations are followed more often than not.43 Parties to a verified arms-control agree-
ment could expect counterparts to notice and respond if they were caught undermining
the agreement. Technology companies are starting to band together to promote ideas
like a Geneva Convention for cyberspace and principles of cybersecurity protection
for users everywhere.44 Thus the question arises: are more ambitious models than
norm development available for limiting cyberwarfare? The interconnected infrastruc-
ture of civil aviation may present a more apt analogy to cyberwarfare than, for
example, nuclear nonproliferation.45
they adopt, either preventative or regulatory. To isolate these factors, the analysis notes the
type of technology application,48 the number of participating nations, and the phase of tech-
nology development and diffusion.49 The analysis tests the hypothesis that, to limit conflict
escalation mediated by a dual-use technology, international agreements with regulatory
mechanisms are more sustainable than those with preventative approaches.
The sample included agreements that permit cross-border activities, such as the inter-
national postal system, or restrict activities in domains, such as the weaponization of
outer space or Antarctica. The author collected five types of data for each unit of analysis:
(1) prohibition type; (2) agreement scope; (3) agreement type; (4) agreement verification
mechanism; and (5) durability of the agreement, one measure of effectiveness. The key
explanatory variables described the verification scheme of the agreement and agreement
durability serves as the dependent variable.54 The analysis of the agreements makes
clear important distinctions between the stage of weapons development or use and veri-
fication approaches. More than half of the agreements with preventive approaches
include no verification mechanism for assuring compliance; others rely upon national
law enforcement. Four stages of technology diffusion emerge: the point of development,
the point of export or trade, the point of application, or a restriction on the territory to
be impacted (Figure 1). Two agreements grant permissions for access with regulatory
(e.g., IAEA), but these organizations rarely render final judgments opposing a major power. These complications make
measuring agreement effectiveness more art than science. For the purposes of this research, the agreement’s longevity
serves as an imperfect proxy for an agreement’s effectiveness.
48
Distinctions include military-only applications, dual use within cooperating countries at the time of international agree-
ment, or dual use after the agreement in cooperating countries.
49
Phases include “development and testing,” “export or trade,” “application and use,” “access granted,” or “territorial impact.”
50
Due to the small size and nature of the sample, most sophisticated analytical techniques beyond descriptive statistics
were not viable.
51
Principal data sources critical to the quantitative analysis include the treaties and agreements databases of the following
organizations: United Nations Office for Disarmament Affairs: <http://disarmament.un.org/treaties/>; Nuclear Threat
Initiative: <www.nti.org/learn/treaties-and-regimes/treaties/>; Arms Control Association Fact Sheets: <www.
armscontrol.org/factsheets>; US Department of State Bureau of International Security and Non-proliferation: <www.
state.gov/t/isn/c18882.htm>.
52
This qualification distinguished between numbers of similar international agreements. For example, the Outer Space
Treaty was included in the analysis but not the Moon and Celestial Bodies Agreement.
53
This qualifier led to inclusion of SALT (Strategic Arms Limitations Talks) I but not SALT II.
54
The author can provide the original dataset upon request.
NONPROLIFERATION REVIEW 211
verification (e.g., Treaty of Bern, creating the International Postal Union). Agreements
that limit weapons development or testing and/or application and use (ten out of
thirty-three) are largely verifiable with a regulatory approach. Fewer agreements govern
export and trade or preserve a particular territory (e.g., Antarctica).
Quantitative-restrictions agreements include strong regulatory models but tend to
restrict the development or testing of an emerging technology; these are often bilateral
treaties that prevent testing, development, or deployment of a weapons category. National
technical means, inspections and on-site monitoring, and information exchange assure the
two parties that their opponent is complying with the agreement.
Restrictions on dual-use technologies predominantly employ preventative measures,
some of which are one step in a broader set of measures to prevent weapons use. Other
international agreements incorporate regulatory schemes to limit development, export,
or—most often—application and use of a dual-use technology. In two cases, an inter-
national organization helps to regulate the agreement (such as the IAEA’s role in the
NPT or the International Civil Aviation Organization established by the 1944 Chicago
Convention on International Civil Aviation). All regulatory schemes of dual-use technol-
ogies involve an international organization or information exchange among the signatories.
Most dual-use technology agreements are multilateral. Only one of the fifteen inter-
national agreements governing dual-use technologies is bilateral—the 1976 Peaceful
Nuclear Explosions Treaty (PNET). All but four hold as signatories the three nation-
states of interest: the United States, China, and Russia. Only six agreements within
the sample control dual-use technologies and involve regulatory schemes: PNET; the
1997 Joint Convention on the Safety of Spent Fuel Management and on the Safety
of Radioactive Waste Management; the Chicago Convention on International Civil
212 E.D. DUMBACHER
Aviation; CWC; NPT; and the 1996 Comprehensive Nuclear-Test-Ban Treaty. Only the
PNET, a bilateral treaty, includes fewer than seventy-five signatory states. International
agreements that regulate dual-use technologies, when enacted, have historically regu-
lated application and use of a technology and relied upon national technical means
and/or an international organization or governing body to verify compliance (see
Table 1).
55
This analysis incorporates the generally accepted challenges of internet security, such as the notion that penetration
testing is a method of securing information technology and requires similar activities and technological prowess as a
cyber attack. It also assumes that the application-and-use stage of the technology is the most relevant due to the
degree of proliferation of information technology and the lack of transparent testing or territorial divides.
NONPROLIFERATION REVIEW 213
Scope of controls
The Geneva Protocol bans chemical (or “gas”) and biological (or “germ”) warfare. Nego-
tiated under the auspices of the League of Nations, it prohibits only application and use of
the technology; the latter-day CWC and 1972 Biological and Toxin Weapons Convention
ban the production, stockpiling, and trade of such weapons. Delegates to the 1925 Con-
ference for the Supervision of International Trade in Arms and Ammunition in Geneva
built on prior agreements: the Hague Declaration of 1899 (regarding expanding bullets)
and the Treaty of Versailles (which officially ended World War I) of 1919. The Protocol
bans the use in war of “asphyxiating, poisonous or other gases, and of all analogous liquids,
materials or devices.” The document’s broad language specifies wartime application of
chemical and biological weapons against an opponent, thereby distinguishing between
civilian (peaceful) and military uses of chemicals and biological materials.
Verification method
The Geneva Protocol does not include a verification mechanism. Instead, it serves as a pre-
ventive agreement to which the signatories accede upon ratification. The Protocol relies
upon customary international law: “this prohibition shall be universally accepted as a
part of International Law, binding alike the conscience and the practice of nations.”57
There is no regulatory mechanism within the Protocol; instead, it outlines norms to
which signatory states must adhere. The foundational documents upon which the
56
Alex Spelling, “Driven to Tears: Britain, CS Tear Gas, and the Geneva Protocol, 1969–1975.” Diplomacy & Statecraft, Vol. 27,
No. 4 (2016), pp. 701–725.
57
United Nations Office for Disarmament Affairs, United Nations Disarmament Treaty Database, <http://disarmament.un.
org/treaties/>
214 E.D. DUMBACHER
authors drafted the Protocol rely upon “civilized” nations to adhere to the bans and
uphold the ideal of a “civilized world.”58 Compliance with the Protocol is voluntary.
The Protocol was customary international law by the time the United States considered
ratification of the treaty during the Richard M. Nixon administration, nearly fifty years
after it was first signed and came into effect. The Geneva Protocol outlined a norm
without binding legal restraints.
requested advice and guidance from the chemical industry, beginning in 1978.64 Once
negotiated, the CWC included a regulatory verification scheme and an international
organization with the capabilities to inspect and monitor implementation, the Organiz-
ation for the Prohibition of Chemical Weapons. The United States ratified the CWC
four years after signing, in 1997. Without the involvement of the chemical industry or
interested parties in the 1920s, the Americans at the Geneva Conference failed to incor-
porate vested interests into the language of the Geneva Protocol.
The CWC and BWC built upon the Geneva Protocol. The Protocol was one part of a
broader “norm cascade” in prohibiting the use of chemical and biological weapons.65 Its
longevity is therefore difficult to disaggregate from the international agreements that came
before it and followed it.66 The need for the later agreements, however, indicates
deficiencies. Alone it could not achieve its aims. The Protocol’s central ambitions
remain in force through the CWC and BWC, yet its preventative and norm-setting
approach was insufficient to dissuade major powers—like Germany during World War
II and the Soviet Union during the Cold War—from significant chemical-weapons devel-
opment.67 States parties avoided use of the weapons against one another during the war,
largely complying with the prohibitions of the Geneva Protocol.68
But the Protocol alone illustrates the limits of a single, preventative international agree-
ment. Even with the CWC in place, the normative power of the Geneva Protocol and the
CWC “did not stop either Saddam Hussein or Bashar al-Assad from using chemical
weapons against his own citizens, but they did have an effect on the perceptions of the
costs and benefits of their actions.”70 The Protocol’s lack of a verification mechanism
leads to further questions about the viability of stand-alone, preventative international
agreements. Must preventative agreements be a part of a broader set of international con-
trols, evolving over time, to achieve their aims?
Scope of controls
Signed in 1944, the Chicago Convention prescribed freedoms to states and their airlines to
fly through the airspace of one another and to land in a country for refueling and main-
tenance.71 Additional assemblies and commitments in Bermuda, Beijing, and Montréal
among others created a regulatory regime for international air travel which both protects
states’ rights to restrict military activity above their territories (land and sea) and provides
protections for civilian travel to assure military activities in the air cannot infringe upon it.
The ICAO structure includes an assembly of member-state representatives, a council with
governing powers, and a secretariat with career staff who process and verify compliance
with safety and operational standards for airlines from 190 signatory states. National gov-
ernments are expected to identify a domestic civil-aviation authority with responsibility
for implementing the standards among domestic carriers. The Chicago Convention set
up a dynamic means of organizing international cooperation, leading to nineteen
annexes and an estimated 12,000 standards for international civil aviation.72
Verification method
The Chicago Convention takes a multilateral approach to governing civilian air travel. Civil
aviation requires “some international rationalization of the degree to which [activities] can
70
Nye, “Deterrence and Dissuasion in Cyberspace.”
71
Christer Jönsson, “Sphere of Flying: The Politics of International Aviation,” International Organization, Vol. 35, No. 2
(1981), pp. 273–302.
72
“The History of ICAO and the Chicago Convention,” United Nations Aviation, <www.icao.int/about-icao/History/Pages/
default.aspx>
NONPROLIFERATION REVIEW 217
be carried out by individual nation-states without the activities of one state preventing the
exploitation of the same activities by other states.”73 ICAO staff perform data-collection
functions in addition to standards-setting work and help to minimize or eliminate disrup-
tions (in economic terms, negative externalities) that could infringe upon the vibrant inter-
national air-travel market. These include basic or advanced safety standards, information
alerts and operational notices (e.g., warnings of closed airspace above conflict zones), and
coordination to improve navigation efficiency. In addition to technical standards, the Con-
vention also outlines market-management responsibilities for the organization.
ICAO’s functions are the core verification method of the convention. The organization
has the authority to “make regulations on technical matters” governing “operational and
safety matters in international air transport.”74 The standards do not merely “reflect the
lowest achievable denominator acceptable to most states.” New ICAO member states
have worked to align national practices and legal regimes with ICAO expectations. At
times, states have been slow to notify ICAO of their compliance, allowable due to the
lack of standard enforcement procedures. Yet, in 2007, eighty-seven contracting states
had disclosed and shared their safety audit reports with ICAO for publication.75 The Mon-
tréal Conference in 1997 enhanced ICAO’s auditing powers, permitting the technical,
non-political staff to conduct oversight through “regular, mandatory, systematic and har-
monized safety audits” among all contracting states.76 ICAO’s scope has expanded on the
grounds of enhancing safety and uniformity.
The states party to the agreement maintain the option to observe and call out noncom-
pliance. For example, a frustrated US civil aviation authority, the Federal Aviation Admin-
istration (FAA), decided to act unilaterally in 1992 to identify and publicize the names of
nations whose airlines do not meet ICAO standards. With the consent and cooperation of
the participating states, a civil aviation authority can conduct on-site visits and review the
domestic regulatory schemes. The American FAA categorizes states into two groups: those
which comply with ICAO standards and those which do not. The airline flag carriers in the
latter category lose their permission to serve in the American market.77 The FAA’s actions
constitute a de facto compliance regime. While the convention provides for verification of
compliance with ICAO standards, there is no formal, multilateral mechanism for ensuring
compliance. As a result, many scholars do not consider the Convention to be a strong
regulatory body.78
In the Chicago negotiations, the United States fought for low regulation (“open skies”)
while British Commonwealth countries sought government involvement.80 The Inter-
national Air Transport Association (IATA), established under ICAO auspices,
became a venue for states to assert control over the aviation market by setting fare
prices and establishing regulations.81 These activities support the assertion that the
Convention features active state intervention rather than a “declining importance
and centrality of states.”82 But most agree that the Convention has standardized air
navigation practices by setting international norms and provides generally secure and
conflict-free civilian air transport.
The Chicago Convention and the subsequent expanded ICAO authority have not
solved all challenges for civilian air travel. On occasion, violent conflict in the form of
international terrorism (e.g., September 11, 2001) or civil war (e.g., separatism in
Ukraine) has impeded the peaceful flow of international, civilian travelers across
state lines. In 2010 in Beijing, seventy-seven contracting states adopted international
legal instruments to “suppress unlawful acts relating to civil aviation” and to
criminalize sabotage and hijacking and the “unlawful transport of biological, chemical,
and nuclear weapons.”83 Additional agreements beyond the original Chicago Con-
vention and the authority of ICAO were required for multilateral restrictions to,
for example, prevent non-state actors using (hijacking) or influencing aviation
(an errant anti-aircraft missile targeting civilian aircraft) as a means of violence.
Now, the Chicago Convention framework provides protections for civilian flights
from military activities, but the convention’s structure does not fully limit one
state’s ability to infringe the rights of other states.
The longevity and the evolution of the civil-aviation agreement are significant. Core
tenets of the original agreement remain intact after seventy-four years in force. The
major world powers of interest—the United States, China, and Russia—are active par-
ticipants in ICAO. The number of participants has blossomed from the fifty-two signa-
tories to 190 participating states. The convention established a platform for ongoing
negotiations and consensus rule making, which state parties have opted to use over
time to solve technical and market-management functions. Such expansions of authority
and function are consistent with the “mission creep” common to some international
organizations, but the Chicago Convention was unusually broad in its ambitions and
delegation of cooperative authority to the organization. Although ICAO holds limited
legal authority, it derives support for its actions from delegations (of contracting
states), expertise, and in some instances moral and values-based principles (e.g., safety
and security of civilian travelers).84 Such mechanisms have filled a functional gap
between national regulatory schemes and brought consistency and high standards to
civil aviation.
80
Waqar H. Zaidi, “‘Aviation Will Either Destroy or Save Our Civilization’: Proposals for the International Control of Aviation,”
Journal of Contemporary History, Vol. 46, No. 1 (2011), pp. 150–78.
81
“Opening Wider,” The Economist, March 8, 2001. <http://www.economist.com/node/525733>
82
Jönsson, “Sphere of Flying.”
83
ICAO, “Diplomatic Conference Adopts Beijing Convention and Protocol,” press release, 2010, <https://www.icao.int/
Newsroom/Pages/diplomatic-conference-adopts-beijing-convention-and-protocol.aspx>
84
Michael Barnett and Martha Finnemore, Rules for the World: International Organizations in Global Politics (Ithaca, NY:
Cornell University Press, 2004).
NONPROLIFERATION REVIEW 219
85
There is a rich body of literature on the terrorism threat to the governance of civil aviation.
86
A Dutch investigation of the MH-17 accident, which concluded that a Buk missile shot down the civilian jet over the
Ukrainian Donetsk region as part of ongoing armed conflict, made a number of precise recommendations to ICAO.
Among them was encouragement of states party to share information about the risks of flying over conflict zones.
See: “Investigation Crash MH17, 17 July 2014,” Dutch Safety Board, <https://www.onderzoeksraad.nl/en/onderzoek/
2049/investigation-crash-mh17-17-july-2014/publicatie/1701/following-up-the-recommendations-in-the-mh17-report-
takes-time?s=DC6AD889E456EA9011C03F4C47168EABDF7B9328#fasen>
87
“Response from ICAO to Safety Recommendations Arising from Investigation of MH17 B-777 Accident on 11 July 2014,”
Dutch Safety Board, p. A-2, <https://www.onderzoeksraad.nl/uploads/phase-docs/1006/0d6843a1a0fdreactie-icao-
mh17-14122015.pdf?s=2004DD94C6CA97577ECD00AF517379FD6F7F5971>.
220 E.D. DUMBACHER
problems but also economic challenges. While the Chicago Convention mitigated some
economic risks like pre-empting free ridership, its structure permitted oligopolistic behav-
ior among airlines.88 Applying the model to cyberspace requires deeper investigation of
questions of political economy than is possible in this analysis, but the importance of
the private sector in international cooperation relating to cyberspace cannot be under-
stated. Some major technology firms stand ready to support governmental negotiations
of appropriate rules for isolating military and civilian activities online.89 What remains
to be seen is whether technology firms will be comfortable with international-level regu-
lation of thorny issues like customer privacy and data protection in the same way that the
Chicago Convention permits.90 ICAO extends to new signatories and newcomers to civil
aviation its expertise in technology-informed standards setting that helps states adopt best
practices and adjust domestic regulations quickly. In this way, ICAO fills functional gaps
between national regulations that facilitate safe civilian air transport. Regulations in most
countries to govern the security of information and operational technology systems are
still in their infancy.
The longevity, evolution, and flexibility of the Chicago Convention’s multilateral
coordination mechanism assures freedom of civilian aviation—one half of the “dual-use”
aspiration—and warrants consideration as a model for de-escalating conflict in cyberspace.
CWC demonstrates that international policy makers found the Geneva Protocol insuffi-
cient but that it served as a useful norm-setting mechanism.
For a technology still developing and diffusing, the Chicago Convention is a potential
model for conflict prevention in cyberspace. ICAO, which serves as the principal verifica-
tion mechanism, offers a flexible forum for relevant stakeholders—including private indus-
try—to take part in establishing rules and expectations. The conventions and charters that
followed the original convention negotiations installed limits and separation between mili-
tary and civilian applications of aviation, evolving to form a sophisticated regime with
international standards for safety and efficiency in the civilian aviation industry. Such a
flexible regulatory regime that engages the private sector could serve as a model for
restricting cyberwarfare and indeed other emerging technologies.92
92
These characteristics may also be relevant to other dual-use emerging technologies such as artificial intelligence
and nanotechnology.
222 E.D. DUMBACHER
Convention in 1944. Research could also explore incentives that may lead states to make
their cyber capabilities more transparent, both offensive and defensive, as a basis for build-
ing trust among parties. Few bilateral agreements exist between the three major powers in
cyberwarfare—the United States, China, and Russia. In-depth analysis of compliance with
bilateral measures, as well as what prompted them, is ripe for investigation.
Policy makers have already sought to develop norms and confidence-building mechan-
isms, but those efforts have yet to yield notable outcomes. To reduce tensions and slow the
current arms race in cyberspace, states must look beyond conventional, artifact-based
arms- and export-control agreements yet also need not limit their ambitions to developing
norms. Arms-control experts must consider which aspects of their models and toolkits are
most applicable to a technology already economically essential and global. Policy makers
should join with private-sector leaders to promote the lofty objective to limit conflict in
cyberspace. The Chicago Convention supported the secure growth of international civil
aviation; a “Silicon Valley Convention” could support secure growth and use of the internet.