International Agreement for Control of Cyber Weapons

Tag: International Law


Written by our Guest Author: Herbert O’Yardley


For reasons that will forever remain unknown, Roche has invited me to make another entry on his soon to be “must read”, viral blog (which if I had a computer and Internet access I might even visit from time to time). So I’ll just say right now that if I were you, I would not read this – and I don’t even know what it’s going to say yet! I just know that it is probably right, and that that is almost certainly a BAD thing. But…..What do I know? I’ve been wrong about everything lately; except the Fed. And you don’t want to get me started on that – although my thoughts from 5-6 years ago may still be on my own blog if you can find it.


For Christmas this year, I bought my Old Man a Chess Set – which was not that easy to find for obvious reasons, like anyone under 35 (or maybe even much older) would rather play some video game or be part of a multiplayer, online gaming platform. Now before we go any further, stop and think about that for a minute. Chess is a very complex game; perhaps the most complex ever created. In fact, I can remember a time – not so long ago – when an IBM computer beating a Grand Master was an international media event heralding the coming of the new “Information Age”. Strategy in Chess has been studied by some of the brightest minds in History, and forms the basis for much Military, Political and Business Strategy, although you might never guess that from the results of so-called “strategies” in those fields. But however complex the strategies in Chess may be, and however sophisticated the tools of analysis, the strategies required in instantaneous, multiplayer “Cybergames” are orders of magnitude more complex. This means that using standard tools like Game Theory to develop and evaluate a possible Cyber Treaty (or Cyber War for that matter) is like using a magnifying glass to study Particle Physics (which I’m sure most of us have tried at some point).

Last Summer, I finally threw away a dozen or so Math books that I had held onto since College. Of course now I know it was a big mistake, but at the time it seemed like the thing to do. Among these were several books on Linear Algebra. Linear Algebra is particularly germane to a discussion of Strategy, War and Treaties because it allows the theoretician to create a set of rules and then study their consequences on a group of predetermined parameters. As such, it forms the basis for Game Theory. Game Theory had limited practical value even in its heyday due to the deterministic nature of the structure and rules of a game on its ultimate outcome. But in a world where even the best players have no idea what they are really doing or the true costs of their actions, where there are no “rules” – only winning and losing, and where the non-rules change at random or at the whim of the strongest players, there is not much room for Theory or Strategy, only the survival of the fittest – or the least fit if you prefer.

Of course, Roche and I have already tried to apply Game Theory to other contexts – this time to Business Strategy – and proposed the ill-fated concept of “Super-Games” – which I think I once said was our ticket to a Nobel Prize (Wrong Again.). The Mathematics of Supergames have been explored to a limited extent; but while they are extremely sophisticated, they do little more than expand the structure and length of a game, allowing more complex strategies to be executed. Our approach added several more levels of complexity by allowing the rules to change without notice and players to enter and exit at random. It also added the notion of asymmetry – which allowed certain players to act outside the existing structure of the game, as well as allowing the formation and dissolution of coalitions and other partnerships, and the sharing of information and the use of deception. All of this is of course prevalent in the Business World. We made no claims about being able to formalize the Mathematics behind such a system, but we were able to create a simple set of rules which defined this Supergame, and reach some very tentative conclusions about the role of Strategy under these conditions. The fact that the paper was rejected by at least 24 journals reflects the imagination and insight of the Business World. But I don’t need to tell you that. All you have to do is watch CNBC for a few minutes or read the front page of the Fox Street Journal. Unfortunately, this “MBA Mentality” – as I like to call it – has infected every part of Society and Government, including the Civil Servants (if there still are such things) who would draft and negotiate a Cyber Treaty – or start a Cyber War – which is increasingly probably one and the same thing.


Traditional Theories and Strategies don’t offer much guidance in a World based on Cyber- and Super-Games. This is because the individuals involved in both treaty negotiation and potentially sanctionable behavior are likely to be far more capable of circumventing standard safeguards than previous generations. For actors raised on rapidly changing environments, both the contents and the enforcement mechanisms of any treaty must be based on a new set of principles that is far more complex and flexible than traditional methods to have any chance of success. Particularly in Technology-based environments, capabilities and actions move so quickly that it is literally possible for a treaty to be obsolete before it has even been negotiated. Thus, sanctionable behavior must be defined in a broader, non-specific way, which works against the basic nature of treaty negotiation. Similarly, new mechanisms must be devised to tie parties to sanctions and unwanted outcomes in an immediate and costly way.

At some point Roche and I looked into identifying the “necessary and sufficient” conditions for successful International Treaties based on historical analysis and a review of the literature. To my surprise, this was not a subject of great interest, although a few conditions received some attention, and are probably worth noting. I will mention three which should be useful in the present context: 1) The treaty should include all relevant parties in the negotiations, 2) Violations must be clearly defined and sanctions specified in advance, and 3) All violations and sanctions must be handled in a non-discriminatory way. Although these principles are still “necessary” and useful guidelines, they are clearly not “sufficient” to guarantee a successful Cyber Treaty due to the rapid, unpredictable changes endemic in the basic structure and nature of the activities involved. Thus, devising a successful Cyber Treaty will be extremely difficult and require great knowledge and creativity. In other words, just forget about it.

But there is still one Law of Game Theory that’s hard to argue. Make the Rules, and you may have a better chance of winning. But that’s only if you’re smart enough to see clearly several moves in advance. And that’s still not easy, even for the experts. Of course, if all else fails you can always just kill your adversary, or better yet, beat him to death with a hammer or cut off a few of his fingers. Just watch “Casino” again and see what I mean. In any case, it’s probably best not to bet against the House.


Every once in a while I come up with a good idea, and in the context of a Cyber Treaty here it is. If the use of new Internet and Social Media Technology really is changing the way individuals think and act – and there is no doubt that it has had profound effects – particularly with regard to the rapidly changing, interactive, strategic situations you might find in Cybergames, then it makes sense to let this “new breed” play a key role in structuring a Cyber Treaty – even if they are only 13-year-old kids, failing most subjects in school, who couldn’t carry on an intelligent conversation with their favorite Action Hero. (Just remember, these are the Bankers, Doctors, and Lawyers of tomorrow.) So instead of Governments or International Institutions drafting and negotiating a treaty to limit Cyber Weapons and Warfare, why not let the individuals most familiar with the (un-) realities of Cyberspace create the treaty through an open, interactive platform designed for this purpose? The site could be set up as either a Cybergame or a Wikipedia-like knowledge platform where ideas and actions could be vetted and tested by the community. For example, a game could be developed which closely resembles the actual structure of the global Political Economy, with Nations, National and International Institutions, various types of Infrastructure, and other Economic, Social and Political factors. Players would seek ways to disrupt and destroy other nations, and through their strategies and actions, safeguards could be developed to minimize the results of those activities. Over time it should be possible to identify a set of rules or procedures which would ultimately eliminate the threat of Cyber War, and these principles could form the basis of a future Cyber Treaty. Of course this has probably already been going on for a long time in a basement somewhere in Virginia……and Moscow, and Beijing, or at a University or Tech company in a town or city near you.


Anyone who has ever read anything I’ve written in recent years knows that I am extremely pessimistic about any sort of remedial action to improve the Sorry State of Man and the World. For me, these activities typically fail to either address the core problems, or provide a lasting solution to even the most superficial aspects of the mess we have created. They may be done in good faith and have the best intentions, but in the end nothing ever changes, and things just seem to get worse. Until we all understand that we are in this (sinking) ship together, no Treaty, Threat or Action is going to stop War, Hate and Stupidity. It will only give one group of idiots a temporary advantage over their rivals, and in the process breed more hate and resentment, causing another round of stupidity which wastes (limited) global resources, human energy and time. We have to do better, as individuals, nations and members of whatever communities we populate. I still believe it’s possible. But it’s getting increasingly difficult to Keep the Faith.

Herbert O. Yardley


Lomonosov University Information Security Institute

Lomonosov University in Moscow is more commonly known as Moscow State University. It is named for Mikhail Vasilyevich Lomonosov (Михаи́л Васи́льевич Ломоно́сов) who lived from 1711 to 1765 and discovered the atmosphere of Venus and the Law of Mass Conservation in chemical reactions.  He was a polymath (πολυμαθής), a person who masters a significant number of different subject areas.

The Information Security Institute (Институт проблем информационной безопасности) has been working on a number of information security issues. In April of 2015, it held a Forum in Garmisch-Partenkirchen, near Munich. One of the topics on the agenda was Proposals on Frameworks for Adaptation of International Law to Conflicts in Cyberspace. Other discussions focused on critical infrastructure security. Of interest was a workshop on “Countering the threat of the use of social media for interference in the internal affairs of sovereign states (extremism, radicalization).”

The Information Security Institute managed to bring together a number of institutions in previous forums, including Lomonosov Moscow State University (LMSU) Institute of Information Security Issues; National Academy of Sciences of Belarus the United Institute of Informatics Problems; Internet Society of Bulgaria; China Association for International Friendly Contact (CAIFC); E-Government Division Ministry of Finance (Israel); Indian Institute of Information Technology in Allahabad; Cybercrime Research Institute (Germany); “MFI SOFT” LLC (Russia); State University of New York (SUNY, USA); Global Cyber Risk LLC CEO (USA); Tokai University (Japan) SPIRIT; EastWest Institute (USA); Defence Research & Development Organization (DRDO), Ministry of Defence, Government of India; PayPal Inc. (USA); Qafqaz University (Azerbaijan); The SecDev Foundation (Canada); Insubria Center on International Security – ICIS (Italy); Institute of Information Security and Cryptology (IIS&C) at the Gumilyov Eurasian National University (Kazakhstan); Institute of Electronics and Telecommunications under Kyrgyz State Technical University (the Kyrgyz Republic).

We are awaiting the results of the discussion on an international convention, or on international law.