A good friend once said to me that many arms control proposals are as useful as opening umbrellas in a subway station in case it rains pink elephants.
So it is a shame that the otherwise sensible Bruce Schneier calls for states to open umbrellas in a subway station when he writes in the Financial Times:
Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed. Enforcement will be difficult, but that’s not a reason not to try. It’s not too late to reverse the cyber arms race currently under way.
I do not doubt Schneier's sincerity on this matter, but just as the problem of attribution makes it difficult to identify culprit and motive, so the anonymity of cyberspace means that any cyber arms limitation treaty will lack the crucial 'trust but verify' component. States will not be able to trust a treaty that they are simply unable to verify, and because of this such a treaty will not happen until technology allows the significant ability to verify an agreement. We're just not there yet.
There are other reasons to be wary of calls for a cyber arms control, or even disarmament, treaty.
First, arms control in any guise (nuclear weapons, conventional forces) tends to only happen successfully when it is least needed - in other words, when peace breaks out. When arms control is most needed it is impossible because the political antagonism at root of the arms competition between states is rarely conducive to the diplomatic legwork required for arms control. Peace breaks out because the political animus has been resolved, not because arms control has succeeded. This is what Colin S. Gray refers to as the paradox of arms control in his book House of Cards: Why Arms Control Must Fail (Cornell University Press, 1992).
Second, even if diplomacy could thrive, arms control agreements never survive the changing context of the strategic environment. They are either rendered moot by strategic irrelevancy stemming from peacable relations or, worse, by the rise of an anti-status quo power(s) that seek to redefine their place in the world by force of arms. In other words, even if a cyber arms control treaty were to be successfully negotiated it would not survive long when the geopolitical order collapses, and thus the treaty will not achieve what it set out to do in the first place.
Third, cyber weapons and other capabilities are too useful to states and other actors because they can be used stealthily and with a large measure of plausible deniability. Unlike nuclear weapons, states can and do contemplate the use of cyber weapons. This is not to say that the indiscriminate and uncontrolled use of cyber weapons is inevitable. A number of factors ranging from the nature of the political objective to be achieved through to the inherent workings of friction will mitigate any use of cyber weapons.
Last, the proposed cyber arms control treaties out there are hardly in the interests of Western democratic states. As NPR's Tom Gjelten points out in a fine essay in the latest edition of World Affairs Journal:
While peace accords and disarmament agreements are attractive, however, democracies have reason to proceed cautiously in this area, precisely because of differences in the way cyber “attacks” are being defined in international forums. Russia, which for more than a decade has been promoting a global cyber arms control agreement, would like to criminalize what Soviet diplomats once called “ideological aggression,” and China and allied governments, especially in the Middle East and Africa, share this view. Indeed, the idea of a cyber arms accord has been interpreted in some countries as justifying expanded governmental control over the Internet. If diplomats are not careful, one by-product of a push to regulate state-on-state cyber conflict could be a new effort to subject Internet activity to political scrutiny.
It would be perverse to aid the political aims of authoritarian regimes in the name of what will only be an elusive cyber peace.