Cyber Weapons: Threat Deterrence and Global Governance

U.S. Cyber Command headquarters in Fort Meade, MD.

Stuxnet was widely perceived as a paradigm shift in international affairs because it demonstrated the political potential of cyberweapons, which, like all weapons, aim to change the behaviour of an adversary. The reputed subsequent online publication of portions of the Stuxnet code sparked fears of proliferation to non-state actors including terrorists, and the possibility of an inter-state cyber “arms race.” Stuxnet also reinvigorated a long-running discussion about whether cyberweapons should be regulated and which parties might be capable of doing so. Early authors on the topic pointed out that non-state use of cyberweapons might be subject to criminal law, and state use to international humanitarian law, but that any regime would be of limited use without significant international commitments to monitoring, verification, compliance and enforcement. States would also be resistant to cyber arms control measures if those measures restricted their capacity to respond to aggression, by states or non-state actors, although such measures might help promote norms around offensive cyberweapons use.

Subsequent analyses have tended to default to one of two frames in discussing the regulation of cyberweapons. The first is arms control, in which historical experiences with nuclear, biological and chemical weapons serve as resources for thinking through how arms control mechanisms might be applied to cyberweapons. The second frame concerns the criminalization of cyberweapons, drawing on the evolution of the Council of Europe Convention on Cybercrime (2001), discussed in greater detail below. In both frames, there is a presumption towards globally binding legal mechanisms administered by a central, hierarchical authority and supported by leading powers, the absence of either portending the likely failure of attempts to regulate or prohibit cyberweapons. What is missing from this literature is an attempt to look at cyberweapons governance “in the round”, understood as a concern with what currently exists, rather than what might be future optimal solutions. Specifically, the cyberweapons literature, in its concern with legal and institutional regimes, does not address the importance of global governance frameworks for understanding international politics.

Emerging at the end of the Cold War and cognisant of the growing potency of globalization, “global governance” represented an interdisciplinary concern with international order in a post-bipolar world. In International Relations (IR), this translated into understanding order as having foundations other than traditional political-legal authority, including the roles of transnational and non-state actors, and in finding positive solutions to transnational problems. As Coen and Pegram (2015) observe, recent IR global governance scholarship has moved beyond a narrow focus on multilateral institutions and great powers to incorporate the agency of diverse actors and constituencies. One analytical framework emerging from this work is that of “global governance architectures”.

A “global governance architecture” is “the overarching system of public and private institutions, principles, norms, regulations, decision-making procedures and organizations that are valid or active in a given issue area of world politics”. This framework is narrower in scope than “order”, which speaks to the organization of international relations in general, but broader than “regime”, which tends towards a focus on institutions. Global governance architectures consist of vertically fragmented arrangements of multilevel governance (subnational, national, international, supranational) and horizontally fragmented multipolar governance structures of state and non-state actors. The making and implementation of rules is located at multiple points in this matrix, although interlinkages between the various layers and poles of authority and practice are necessary to translate rules and policies from one locus to another. The potential utility of this analytical framework for global cyberweapons governance is currently unexplored. As a first step, the following section identifies existing attempts to regulate cyberweapons in the fields of cyberwarfare, cybercrime, and export controls on dual-use technologies. Each field of activity attempts to regulate a different aspect of cyberweapons acquisition or use. Cyberwarfare is concerned with the use of cyberweapons in war; cybercrime with the acquisition and use of information technologies that can be used in the prosecution of crime by non-state actors; export controls aim to prevent transfer and proliferation of dual-use technologies that can be used to develop or facilitate cyberweapons use by state and non-state actors.

This article was excerpted from Cyberweapons: an emerging global governance architecture.

Original article: Palgrave Communications (2017) 3, Article number: 17004 (2017); doi:10.1057/palcomms.2017.4; Published online: 19 January 2017

Tim Stevens
King’s College London, London, UK

