In September 2019 I participated in the interdisciplinary conference "Science, Peace, Security" in Darmstadt. There, I gave a talk on cyber-arms control and presented a paper with a draft idea of an International Vulnerability Equities Process and a 0-day vulnerability emissions trading regime. I looked at the current state of research on cyber-arms control regimes, and pretty much every paper said arms control is not working. I compared the different regime approaches that have been taken by others and presented my findings. Based on this, the idea was: if traditional arms control models do not fit the digital domain, let's consider other regime types that deal with negative emissions – 0-days technically are negative emissions of industrialized software production – and see what we can learn from this. The other idea was to internationalize the local Vulnerabilities Equities Processes that pop up in the US, UK, Germany, China and other countries. If governments start to limit their offensive cyber-capabilities by selecting certain 0-days for exploitation, and report others to vendors for disclosure, what could an internationalized mechanic for this look like? While I am doubtful about the incentive structure of a regime, this could at least serve as a confidence-building measure to restrict the most damaging cyber-attacks. Since this is pretty much research in progress and a wild idea, I invite comments on my paper, hence the RFC or Request for Comments in the title. You can find the full paper in the conference proceedings here. You can either drop me a note in the comments below or send me an email to percepticon[at]protonmail.com.
Further Reading
- Dumbacher, E. D. (2018): Limiting cyberwarfare. Applying arms-control models to an emerging technology. In: The Nonproliferation Review 25 (3-4), pp. 203–222. DOI: 10.1080/10736700.2018.1515152.
- Fidler, M. (2015): Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis. In: Journal of Law and Policy for the Information Society 11 (2). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2706199.
- Ford, C. (2010): The Trouble with Cyber Arms Control. In: The New Atlantis Fall. https://www.thenewatlantis.com/docLib/20110301_TNA29Ford.pdf.
- Geers, K. (2010): Cyber Weapons Convention. In: Computer Law & Security Review 26 (5), pp. 547–551. DOI: 10.1016/j.clsr.2010.07.005.
- Ruhrmann, I. (2015): Neue Ansätze für die Rüstungskontrolle bei Cyber-Konflikten. In: Douglas Cunningham, Petra Hofstedt, Klaus Meer, Ingo Schmitt (eds.): Informatik 2015. Lecture Notes in Informatics. Bonn: Gesellschaft für Informatik.
- Nye, J. (2015): The World Needs an Arms-control Treaty for Cybersecurity. Belfer Center for Science and International Affairs. https://www.belfercenter.org/publication/world-needs-arms-control-treaty-cybersecurity.
- Reinhold, T.; Reuter, C. (2019): Arms Control and its Applicability to Cyberspace. In: Christian Reuter (ed.): Information Technology for Peace and Security. Wiesbaden: Springer Fachmedien Wiesbaden, pp. 207–231.
- Tikk, E. (2017): Cyber-Arms Control without arms? In: Tommi Koivula and Katariina Simonen (eds.): Arms control in Europe. Regimes, trends and threats. Helsinki: National Defence University (National Defence University Series 1, Research publications, No. 16).
- Schulze, M.; Reinhold, T. (2018): Wannacry about the Tragedy of the Commons? Game-Theory and the Failure of Global Vulnerability Disclosure. In: Proceedings of the 17th European Conference on Cyber Warfare and Security, Oslo.
- See also my publications