1 Introduction

In recent years, much has been written about cyberspace, its increasing militarization and its relevance in conflicts and combat. The ongoing war in Ukraine presents a concrete case of an open military conflict that includes this digital domain. It also shows that, despite the popular scholarly perception of a cyberwar that instantly brings a state to its knees, military attacks in cyberspace can easily fail or be miscalculated and that a strongly decentralized IT infrastructure can withstand attempts to destroy a country’s IT capabilities. While there is still much to analyze and learn from the war in Ukraine and the role of cyberspace in it, and even though it is very likely that military actors will draw their conclusions from mistakes and failures, one thing has become very clear: Cyberspace, beyond its relevance for civilian and commercial purposes, is also a military domain. However, it is strongly influenced by factors that exceed traditional national jurisdiction and military power, such as non-state actors entering a conflict, attacking each other’s IT systems, or even fighting each other in cyberspace, or international commercial actors providing support for IT and communications infrastructures.

A look at the past shows that arms control has been a successful means to respond to the security challenges of armament processes regarding different kinds of weapons and to contain or stop arms races, hence, significantly contributing to security and stability worldwide (Reinhold and Reuter 2019). Curbing the proliferation of weapons, as well as reducing those already in existence, is therefore one of the most important concerns of the international community (Müller 2005). Despite the urgency emphasized by experts (Hansel and Silomon 2021; Dittrich and Boening 2017; Altmann 2019; Dunn 2005; Denning 2001; Maybaum and Tölle 2016; Litwak and King 2015), little progress has been made regarding arms control measures in cyberspace. Although increasingly established, at least in the normative field, so far these are mere declarations of intent or possible diplomatic measures in response to a cyberattack. However, approaches that attempt to address the complex matter of IT hard- and software, dual-use, and the question of what constitutes a cyberweapon (e.g., Reinhold and Reuter 2021) are diverse, but so far lack a common internationally agreed definition.

This article focuses on the debate regarding the challenges faced in establishing arms control in the domain of cyberspace, which include, e.g., dual-use, proliferation, constant technological progress, the importance of the private sector, difficulties in defining and verifying the weapon, and difficulties in attributing attacks. By employing a literature review as well as qualitative expert interviews, this study specifically aims to answer the following research question: What are the current challenges for establishing arms control for cyberspace according to expert knowledge and to what extent do these align with the challenges discussed in the literature?

Since arms control represents an important instrument of foreign and security policy, this article aims to contribute to the interdisciplinary discourse on how international security in cyberspace could be maximized. Ruhmann (2010, translated by the author) emphasizes that “reality today requires new ways of thinking as well as recourse to usable known approaches”. Following this idea, this article adds to the ongoing discourse on the research and development of cyber arms control. Based on related work (chapter 2), the methodology used in this paper is presented in chapter 3. Subsequently, in chapter 4 the results of the expert interviews are presented regarding their perception of the challenges for arms control in cyberspace. The following discussion (chapter 5) is the core of this work and aims to answer the second part of the research question, to what extent expert knowledge and literature align regarding the challenges for arms control in cyberspace. Further, recommendations for academia and policymakers are presented before identifying the limitations of this study and considering starting points for future research. Finally, a conclusion is drawn in chapter 6.

2 Theoretical Perspective: Related Work

The present absence of treaty-based arms control in cyberspace can be explained by a number of factors, which will be discussed further in the following. This overview summarizes the current state of the art and explains why establishing arms control in cyberspace is very difficult for several reasons. [Footnote 1]

2.1 Lack of a Definition for the Term Cyberweapon

A fundamental challenge for establishing arms control in cyberspace is the lack of clear, uniform definitions of key terms, such as cyberweapon (Litwak and King 2015; Reinhold 2020). The conventional definition of a weapon does not apply with respect to a cyberweapon (Arimatsu 2012; Czosseck and Podis 2012). Traditionally, a weapon describes an instrument of offensive or defensive combat, that is, a “device designed to kill, injure, disable or temporarily incapacitate people or destroy, damage, disable or temporarily incapacitate property or material” (Air Force 2018, p. 13–14). While this definition of a weapon is applicable to kinetic weapons, it fails to capture the essence of a cyberweapon, which, unlike kinetic weapons, is in most cases not designed to produce a kinetic result that could possibly lead to one of the outcomes described in this definition (Air Force 2018, p. 13–14). Hence, a cyberweapon becomes a weapon only through the attack capability of a malicious code in combination with a specific vulnerability within an IT software or hardware product as well as the intended result or effect of a code (Arimatsu 2012). Much more decisive in this context is therefore for what purpose and with what intention such tools are used (Reinhold 2020). Additionally, it is not possible to differentiate between offensive and defensive weapons in the case of cyberweapons (Reinhold and Reuter 2019). Another perspective, suggested for example in the Tallinn Manual (Schmitt 2013), is to compare the actual effect triggered with the effects and impacts of physical weapons towards the loss of life or significant damage to objects. However, this approach is not suitable to classify and regulate malicious code prior to its actual usage. 
Due to the lack of clear definitions, the specificity required for legal regulations is lacking and significantly complicates the discussion of the topic (Arimatsu 2012; Lewis 2010b), especially as it is unclear what part of the malicious code should be regulated; either the knowledge and illicit trade with such knowledge, the code itself that exploits such knowledge to break into IT systems and circumvent IT security measures, or the actual payload which triggers the impact. Although a few approaches exist that try to focus on technical aspects of hard- and software to define a cyberweapon (Reinhold and Reuter 2021), so far, no internationally accepted perspective exists, and thus it is not clear what should be discussed or negotiated at all (Geers 2010).

2.2 Dual-Use Dilemma

Another aspect complicating the search for appropriate cyberspace arms control is the dual-use factor by which cyberweapons are characterized (Altmann 2019; Reinhold 2020). For example, a computer, a USB stick, or software can be used for both civilian and military purposes (Meyer 2014; Lewis 2010b) and even the knowledge about a security vulnerability is already an essential part of code that can be used to improve IT security as well as for an unauthorized intrusion into third-party IT systems. Therefore, no clear line can be drawn between these different use scenarios, which is why the products cannot be banned in principle in the context of arms control (Reinhold 2020). While dual-use has played a role in arms control treaties in the past, the dual-use nature of cyberweapons takes on a completely different dimension, as cyberweapons can be used in various ways (e.g., to destroy, degrade, exploit, control, deceive, or alter a target object). Therefore, the term dual-use can be misleading (Arimatsu 2012; Reinhold 2020). Moreover, many instruments that could potentially be used as cyberweapons are also instruments for building a cyber defense or cyberespionage (Reinhold 2020).

2.3 Verification

Verification of arms control measures is one of the most central challenges for arms control in cyberspace (Lewis 2010a; Denning 2001; Arimatsu 2012; Altmann 2019; Dunn 2005; Maybaum and Tölle 2016). One aspect concerns the previously described dual-use nature of cyberweapons: It is impossible to control the basic materials for building a cyberweapon because the technologies required to do so are either commercial or can be easily derived from widely available commercial products. Thus, it is not possible to distinguish the intended purpose of these systems based on their technical characteristics (Lewis 2010b). Furthermore, cyber armament is happening covertly (Altmann 2019). Unlike, for example, tanks or missiles, cyberweapons are not visible as physical objects and can easily – or even must – be kept secret. Further, they are globally available, which means that it is not possible to limit weapons or capabilities numerically or spatially, as has been the case with weapons systems in the past (Altmann 2019; Dunn 2005; Reinhold 2020). Additionally, due to their characteristics, cyberweapons (almost) cannot be detected by inspection teams or technical sensors (Maybaum and Tölle 2016). And even if a cyberweapon was discovered, it would be impossible to eliminate all copies of it because cyberweapons or their components can be duplicated very quickly and inexpensively without the need for physical materials or special operating facilities (Libicki 2009; Altmann 2019; Dunn 2005), thereby preventing its non-proliferation. Hence, cyberweapons can be stored on computers and hard drives all over the world, e.g. even in locations under the jurisdiction of states that are not a party to any arms control treaty for cyberweapons and thus serve as “safe havens” (Dunn 2005). 
Consequently, a geographical assignment of the data itself, or where it is stored or further processed, as well as the associated assignment to a specific national sovereignty and jurisdiction is difficult (Reinhold 2020).

Considering these aspects, verification of malicious tools that are used in cyberspace would require an extremely high level of interference, to which few if any states would agree (Denning 2001). Moreover, it could be difficult because of the risk that states will be reluctant to share information about their capabilities in cyberspace, given the blurred line between capabilities that can be used as cyberweapons and those used for cyberespionage, which is generally not considered an act of war (Lewis 2010a). In addition, intelligence agencies can use the same cyberweapons as armed forces, hackers, or criminals (Altmann 2019; Meyer 2014; Arimatsu 2012; Libicki 2009; Czosseck and Podis 2012).

2.4 Further Technological Progress and Role of the Private Sector

Adding to the previous challenges, tools for cyberattacks are changing very rapidly, which in turn makes monitoring compliance with treaties difficult (Denning 2001; Dunn 2005). As a result, the development of new weapons and technologies, such as cyberweapons, has outpaced regulatory efforts (Gillis 2017). Moreover, Geers (2010) highlights the difficulty of controlling an ever-growing quantity. He nevertheless emphasizes that these are technical challenges that may be solvable with increasing research in this area. In addition, due to the previously described dual-use factor, states do not have sole control over the means used as weapons, but non-state actors also have ownership and operational rights in this domain. Consequently, for an arms control treaty to be effective, actors from the private sector must be involved and should be committed to such an endeavor (Arimatsu 2012). As cyberweapons arms control could also have a strong impact in the form of high additional effort, cost, or bureaucratic overhead to implement and perform controls (Denning 2001) that could hinder the IT security industry, including stakeholders from the industrial sector is also advised. Besides these, cyberspace is also a place of individuals or non-state groups that have expressed power within this domain, either in the field of cybercrime, political or ideological hacking, or in the context of state conflicts (Sigholm 2013), thus providing a further challenge to the ongoing debates.

2.5 Political Will

The political will is crucial for establishing arms control measures (Maybaum and Tölle 2016; Dunn 2005; Arimatsu 2012; Reinhold and Reuter 2019). Due to the borderless nature of cyberspace, it is a prerequisite that many states participate in such a regime (Maybaum and Tölle 2016). However, there are several reasons why states could be reluctant to participate in such an arms control regime. First, there is the risk that authoritarian states (e.g., Russia, China) may want to preserve patriotic hackers as a political tool and continue to have the ability to control politically threatening internet content that would be protected under the freedom of expression in democratic states (Litwak and King 2015). Moreover, states could be opposed to any treaty that restricts the development of offensive cyberweapons, believing that it would also limit their ability to adequately build up their cyber defense (Dunn 2005; Denning 2001; Czosseck and Podis 2012). Since it is not possible to build a strong defense without knowing what kind of attacks are possible and what vulnerabilities could be exploited, many states would find their cyber defense hampered by cyber arms control that would limit research into attack methods and tools. Furthermore, there are concerns about whether a regime would be wanted by states considering the cost-benefit calculation of cyber arms control since the cost of enforcing and monitoring a global ban may be higher than the expected reduction in risk (Arimatsu 2012). All this is made even more complex by geopolitical tensions, mistrust, and divergent interests which complicate negotiations on international cooperation (not just) in this area (Hansel and Silomon 2021).

2.6 Necessity for New Approaches

The overall view of these challenges to arms control in this domain discussed in the scientific literature gives the impression that arms control is failing in face of the realities of cyberspace (Reinhold 2020). Consequently, new forms of transparency and verification are needed specifically for cyberspace, as well as qualitative rather than quantitative arms control. It seems that the conventional methods of arms control to ensure transparency and verification have had their day against the backdrop of cyberspace (Altmann 2019; Ruhmann 2015). Therefore, several researchers conclude that cyber arms control will not be possible (e.g., Maybaum and Tölle 2016). At the same time, despite all these challenges, other authors (Altmann 2019; Dunn 2005; Denning 2001; Maybaum and Tölle 2016; Litwak and King 2015; Meyer 2014) emphasize that arms control in cyberspace is urgently needed. Moreover, international understanding of the danger of uncontrolled militarization of cyberspace is increasing (Reinhold and Reuter 2019). General media has also been addressing the issue for several years with, e.g., articles in the New York Times (2015) and The Economist (2010) advocating for cyber arms control.

In 2014, Meyer argued that cyberspace had not yet become an active battleground for cyberwar at that time, but he stressed the possibility that this could change soon. This can currently be observed regarding the Russian war on Ukraine, where cyber measures play an important part in Russia’s hybrid toolkit (Tidy 2022). In the spirit of Meyer (2014), to face these challenges, now is the time to adopt an arms control approach to cybersecurity as a measure for conflict prevention and mitigation. In doing so, he points to experience showing that preventive strategies regarding new threats have proven to be a more efficient and effective means of combating them than attempts to retroactively contain threats that have already emerged. He points out that to do so, lessons should be learned from the past and the extensive experience of arms control. According to him, the inventory of previous arms control models is extensive and flexible enough to meet the specific challenges of cyberspace.

2.7 Research Gap

As discussed in the previous sections, the new (military) domain – cyberspace – is an unstable environment without explicit agreements among states, which “invites miscalculation, misinterpretation, and inadvertent escalation of conflict” (Lewis 2013, p. 1). The increasing risks in cyberspace pose a challenge to civil, political, and military security and stability. Hence, cyber operations have the potential to threaten international peace and security. However, the domain lacks clear and binding agreements due to complex challenges. Therefore, it is necessary to clearly identify these challenges to further analyze which instruments or measurements are most effective to change this. To satisfy this need for clarification, this study does not rely solely on the literature presented above, but aims to take a more holistic approach by incorporating the opinions and experiences of various experts in the field.

3 Methodology

In the following, the methodology employed in this study is described in more detail. First, the data collection, the choice of interview partners, and how the interviews were conducted will be explained. Second, the method of the qualitative content analysis is presented, which was chosen to evaluate the collected data.

3.1 Data Collection

There are policy areas that are discussed little in the broader public, but predominantly in small expert circles – security policy, especially cybersecurity or arms control, is such a policy area (Geis 2019). This is because much information is sensitive and secret and not intended for the public. Furthermore, security policy topics are very far away from the experience horizon of the general population (Biehl and Jacobs 2014). Even in parliamentary circles, security policy is considered an expert issue (Rüger 2012). Thus, the chosen topic of the paper represents an expert topic, i.e., a field that is not easily accessible and for which specific knowledge is required. Therefore, to answer the research question and to generate specific knowledge, experts in this field were relevant points of contact in the context of this article to collect data. The selection of interview partners was based on their expertise relevant to answering the research question (Meuser and Nagel 2009), evaluated based on their publications or by personal experience with the experts. This includes experts, such as researchers, from different fields of arms control and cybersecurity, and individuals involved in policy processes related to these topics. The inclusion of individuals from these fields was intended to ensure the necessary interdisciplinary lens of the topic and to ensure the broadest possible consideration and inclusion of diverse perspectives. In total, we conducted 10 interviews in December 2021 and January 2022 with experts from Germany, the U.S., and Switzerland, covering a broad range of experts. The interviews were conducted based on a semi-structured guideline that was created based on the qualitative literature analysis of the challenges for arms control in cyberspace presented in chapter 2 [Footnote 2]. The guideline serves to provide a certain framework for the interviews and the data obtained from them (Mayer 2013). 
It ensured a clear thematic focus within the interviews as well as the thematization of all important aspects. Further, it allowed for a certain degree of comparability (Kruse 2015). At the same time, the semi-structured nature of the guideline made it possible to ask follow-up or ad hoc questions and to change the order of the questions during the interviews.

Although the sample is rather small, with 10 interviews, we are confident that our methodology has allowed us to include a broad and diverse range of different expert views, a perspective that is backed up by research like that of Caine (2016). The interviews were individual guided interviews conducted face-to-face online. The audio recordings of the interviews were subsequently transcribed in verbally smoothed form, as only the content of what was said was relevant to answering the research question, not para- or nonverbal expressions. Therefore, the spoken language was converted into written language, following the transcription rules according to Kuckartz (2018). To encourage an open and candid conversation, the interviews were anonymized during transcription and evaluated anonymously. Consequently, no data that could be linked to participants, e.g., names or institutions, were disclosed as part of the evaluation.

3.2 Data Evaluation

To evaluate the knowledge generated through the interviews in a structured way, a qualitative content analysis was conducted, using Mayring (2015) as a basis for orientation. Additionally, Gläser and Laudel (2010), who build on Mayring’s approaches, were considered in the context of this work to increase openness and flexibility in dealing with the material. The procedure is rule-guided and thus comprehensible as well as verifiable. Further, it is theory-guided, as theoretical preliminary considerations form the basis for the evaluation criteria (Mayring and Fenzl 2019).

To analyze the material, a category system was formed deductively from theory, which was further defined in a coding guide resulting from the qualitative literature analysis so that systematic links were made to the state of research. At the same time, the openness of the qualitative approach was used, which meant that further categories and codes could be inductively added from the material during the coding process to ensure that characteristics that did not fit into the predefined search grid were also considered in the analysis. Thus, the category system was formed on the basis of the interrelationship between theory and data, while maintaining the tension between theory and data. For this purpose, 13 codes were derived from the theory in advance. Moreover, six codes were added during the coding process. In total, all codes were used except for three that were too broad, for which more specific codes were a better fit [Footnote 3].

The interview transcripts were evaluated by searching for relevant information using the codes as an analysis grid, assigning this information to the categories, and thus extracting information from the texts in a systematic procedure and presenting the content structure. During the qualitative content analysis, all interview transcripts were examined, whereby the order in which the transcripts were examined was irrelevant to the analysis. The direction of the analysis was determined by the research question. Therefore, the information in the transcripts was of interest, not the person who expressed it. The material was analyzed in a structured manner so that the focus of the analysis was particularly on filtering out certain aspects of the material that were relevant to answering the research question and were identified in advance through the qualitative literature analysis. Single words may have been coded as the smallest text component (= coding unit), as these may be important keywords or key terms, up to the entire answer to a question as the largest text component (= context unit). Multiple coding of individual text passages was possible. The results and interpretations were compiled against the background of the research question (Mayring and Fenzl 2019). The text analysis software MAXQDA was used to code the interviews. Due to the limited scope of the study, it was not possible to test the analysis regarding the content-analytical quality criteria according to Mayring, such as intercoder reliability, whereby a second person is consulted and codes the material (Mayring 2015).

4 Empirical Findings

In the following, the results of the qualitative analysis of the expert interviews on the challenges to establishing arms control in cyberspace are presented. The analysis aims to critically reflect the findings from the literature analysis and to identify core challenges for further discussion.

4.1 Lack of a Definition for the Term Cyberweapon

The lack of suitable definitions emerged as a central challenge during the interviews and was mentioned by more than half of the experts interviewed. One expert emphasized: “I don’t think we can actually quantify or define what in fact is a cyber-weapon. Is it a computer or a malicious code or what is it? I think that is the first issue”. With uncertainty on how such a weapon or instrument of attack could be defined in the first place, some experts concluded that this is an unsolvable problem or agreed that it is not solvable at present: “The main challenge is, that there is no clear definition of what a cyberweapon even is. It is not something that we can specify or define to the point”. Notably, some of the experts stated that they were critical of the term cyberweapon or even went so far as to say that, in their view, a cyberweapon as such does not even exist:

First of all, I have a problem with the word ‘cyberweapon’. Because a weapon for me is defined in some form a kinetic use of energies. I don’t necessarily have that with a cyberweapon, whatever that is then. It’s just a script. […] For me, there are no cyberweapons in that sense. There are exploits, there are vulnerabilities, there is exploitable information technology that can only lead to a kinetic cascade effect in the aggregate, not necessarily.

The question of how to define a cyberweapon is particularly relevant because it also depends on what would consequently be controlled by international arms control treaties and frameworks. This is complicated by the fact that there are numerous ways to carry out a cyberattack, including DDoS attacks, attacks based on zero-day vulnerabilities, or computer worms. This leads to the fact that cyberweapons are not covered by the classic definition of a weapon:

In the case of cyberweapons, the mechanism of action is of course not as direct as in the case of conventional or nuclear weapons, because the cyberweapon does not act against humans, but against machines or against control systems. Nevertheless, we have already had experiences where we can see that the effect of a cyberweapon can also be equated with a conventional weapon. So, whenever it’s about sabotaging or destroying critical infrastructure.

One of the experts also pointed out that the discussion about cyberweapons covers a very broad spectrum, which also makes it difficult to find suitable definitions. For example, a cyberweapon can be used for espionage, which would be largely legitimate, or to cripple critical infrastructure, which could in the worst-case scenario cost human lives due to cascading effects. Notably, another expert highlighted that it is not impossible to find suitable definitions. He emphasized that it is “extremely challenging because we can hardly say on the basis of a technical specification what is good and what is bad.” Consequently, finding suitable definitions is complicated by the dual-use aspect prevalent in cyberspace.

4.2 Dual-Use Dilemma

The dual-use dilemma that prevails for IT soft- and hardware presents another frequently mentioned challenge. For example, some experts noted that the basis of cyberweapons is code and software that can be used for different purposes: “One of the big challenges is that, yes, cyberweapons are not declared as such, but they are software that by definition can be put to different purposes”.

In this context, techniques that are used for an attack can at the same time serve the legitimate purpose of securing national infrastructures and thus form an important tool for maximizing national cybersecurity: “[in cyberspace], it can be that no matter what it is, a ready-made software or just a piece of code or the knowledge around an exploit, that can become a weapon or just a useful tool to administer or improve anything”.

The dual-use factor thus not only describes both civilian and military applications, but also includes offensive, defensive, scientific, and industrial application. In particular, the lack of distinction between the militarization of cyberspace, such as the development of cyberweapons, and cyber tools used and developed for espionage purposes poses a major challenge in the eyes of some experts. This was particularly emphasized as both cases basically rely on the same soft- and hardware tools as well as the same expert knowledge of vulnerabilities and how to exploit them. This aspect therefore also complicates verification in this area. Moreover, these attack tools can be used by a variety of actors, such as hacktivists, making cyberweapons very easy to spread.

4.3 Verification

Finding suitable verification mechanisms to establish arms control in cyberspace is an extremely difficult, but at the same time essential challenge. One of the experts working on this topic in a political institution emphasized: “This is always held against us, about ‘we can’t verify this, so it’s not going to do any good’”.

For example, cyberweapons cannot be quantified. Accordingly, it is not possible to count weapons or ban an entire category of weapons, as has been the case with arms control agreements in the past. Nor do they require large industrial facilities, etc., to produce them; a laptop alone can do the job, as one expert stated: “this kind of simple, countable, measurable, clear, unambiguous verification we probably won’t get in these fields.” Additionally, it is possible to infinitely replicate cyberweapons and send them all over the world without cost. Even unintentional proliferation can play a role in this domain, which means that even attackers themselves can never be sure that their capabilities will not be reused or expanded by others: “With code; just because you delete it off a device, it does not really mean it is gone – most likely it is probably somewhere else, on either some forms of backup system or the internet.” This aspect also exacerbates the challenges of establishing suitable verification mechanisms as they would have to be extremely intrusive. Thus, challenges concerning privacy, confidentiality, and proprietary information could arise. Against this background, states would likely be unwilling to participate in verification mechanisms in this area, since they would also have to provide insights into their cyber defenses for verification purposes. Thus, the danger could be seen that these insights could be misused to spy on vulnerabilities. As highlighted above, the issue of verification is further strongly related to the challenge of missing definitions, according to which it is unclear what should be verified in the first place.

4.4 Further Technological Progress and Role of the Private Sector

Another challenge that was expressed by the experts on establishing arms control in cyberspace is the ongoing technological progress. Enormous momentum continues not only in military terms, but also in the technical development of cyberspace and its infrastructure in general. It is hard to predict where this development will go, when it will end, or when it will slow down:

While the cyber sector, not only in the military sense, but also in the whole IT development, is still characterized by an enormous dynamic and it is not yet foreseeable where the whole thing will go. This makes it much more difficult, I believe, to develop such in-built arms control mechanisms in such a phase, where things are still very much in development, and it is not yet possible to foresee everything that is still to come. I think the great challenge in arms control is always to develop arms control policy steps when the development of this technology or type of weapon is still in full swing and is therefore very dynamic. [Footnote 4]

Additionally, some countries like Russia or China are showing strong interest and initial activities in decoupling from the so-far common technological developments in this domain or in pursuing their own developments driven by national interests, such as NewIP (Godehardt and Voelsen 2020). In such a phase, it is extremely difficult to establish arms control mechanisms that have a stabilizing or limiting effect, as states simply have no interest in doing so, either to sustain current national advantages or to gain an advantage. Related to this is the fact that the code of a cyberweapon is usually based on ongoing software developments that are extended and adapted for a specific target and task and therefore evolve very easily and quickly. Accordingly, the possibility of variation is extremely high, and future cyberweapons will always be (somewhat) different from past cyberweapons. This complicates any kind of regulation for arms control and verification measures that are based on technical features of a malicious software tool.

Due to the discussed dual-use factor, as well as the aspect that most of the relevant cyberspace infrastructure is privately owned, the private sector needs to play a relevant role in establishing arms control, especially for the implementation of verification measures for controlling and enforcing agreements that – even if not yet developed – usually need some kind of technical measures or adjustments to existing systems (Reinhold and Reuter 2019b). Moreover, the private sector is the primary provider for most data and information like the knowledge of vulnerabilities but also threat information and threat hunting know-how:

“Basically, the infrastructure is mostly privately owned. That means that even when we talk about the distribution of cyberweapons, e.g. malware, it is not released through state means, but through private infrastructures. And we have to work together with the private actors, the owners of the infrastructure, the telecommunication providers, also with the cybersecurity companies, who have to find their role in this, in order to control the use of such software. All these would also have to be involved in the verification mechanism.”

Finally, the private sector would be strongly affected by regulation measures, and its requirements need to be considered so as not to jeopardize further development in the area of IT security.

4.5 Political Will

Another challenge that the experts considered to be central is political will. The experts pointed to the close connection between this and the dynamics already described, which are currently shaping cyberspace. Although there have been some small steps towards a common understanding, especially regarding the validity of international law norms in cyberspace that have been confirmed by the UN Group of Governmental Experts on Advancing responsible State behavior in cyberspace in the context of international security - UN GGE (Datzer and Schulze 2021) and the UNODA Open-ended Working Group on security of and in the use of information and communications technologies - OEWG (UNODA 2022), according to some experts, states are currently still in the discovery phase as to what advantages and opportunities cyberspace could offer to them. As a result, states are just beginning to perceive cyber tools as strategically valuable and have diverging interests, even between states that otherwise share common values and interests, like within the EU (Wisotzki and Mutschler 2021):

“Countries are still in the exploration mode, where they’re trying to understand what the boundaries are, what is doable, where is their offense advantage, where the defensive. Governments are not going to want to give up because either they are becoming really useful to them in the future or they’re afraid that their competitors will cheat and lie […]. Or if they sign the treaty they’ll still cheat and they’ll get some huge advantage from having a cyberweapons capability that you won’t have if you’re complying with the treaty and therefore, you’ll be at a big disadvantage.”

The many possible use cases of cyber instruments already described are considered highly relevant and worthwhile for states, as they do not want to forego the associated advantages, and especially espionage activities tend to become unexpected norm setters for state behavior in this domain (Georgieva 2019). This can be seen, for example, in the fact that cyber tools are already being widely used by various states for these purposes and that companies that buy and trade the knowledge of vulnerabilities in IT hardware and software are growing, with a focus on state actors and agencies as their primary customers. Furthermore, states would probably not consent to any agreement that either lacks functioning verification mechanisms or includes overly intrusive ones – the mistrust that other states would not comply with such a ban is currently too great, and the fear of accepting disadvantages vis-à-vis competitors prevails. In addition, the overall geo-political situation makes progress seem a distant prospect.

Finally, a last challenge in this context is that cyberweapons can be used by a variety of actors. As described earlier, they are not exclusively in the hands of a state. Accordingly, a variety of actors are relevant for the restriction of the use of cyberweapons but are probably not addressable, as arms control agreements are concluded exclusively between states.

4.6 Further Remarks from the Interviews

An important result of the analysis is that political challenges, such as the lack of interest on the part of states to agree to such a convention, and the lack of relevant definitions were coded much more frequently than other challenges. Thus, these two challenges can be identified as particularly central according to the experts interviewed. In addition, the dual-use dilemma and the difficulty of finding suitable verification mechanisms were highlighted in the interviews. At the same time, however, it is interesting to note that the experts weighted certain challenges differently. For example, one expert named the lack of suitable definitions and verification mechanisms as the most central challenge, while another focused particularly on political will as a challenge. It is also noteworthy that the role of the private sector was primarily discussed by experts working in a political institution. These differences show that it is important to speak with experts from different relevant fields about this topic, as this allows different perspectives to be incorporated into the analysis.

5 Discussion

5.1 Discussion of the Results

In general, the main challenges identified through the literature review in the theoretical part (in chapter 2) were also discussed by the experts interviewed. However, a differentiation can be observed in the weighting of the individual challenges. It is noticeable that the lack of political will is seen by the experts interviewed as a more central challenge than is the case in the academic literature. In some cases, statements even contradict each other: Geers, for example, analyzed in 2010 whether the mechanisms of the Chemical Weapons Convention could be applied or transferred to cyberspace. As a result of this analysis, he emphasized that he saw the cyber threat and the danger that terrorists could use this sphere to achieve their goals as an opportunity strong enough to build political consensus. At the same time, it is critical to note not only that more than a decade has passed since Geers’s analysis, but also that much of the academic literature used in this paper was published between 2001 and 2016. However, these are works that have been cited more frequently and are more relevant in this sense than others. Based on this, two interesting aspects can be observed: On the one hand, this suggests that the political climate with regard to international cooperation has deteriorated. This coincides with the frequent description of geopolitical tensions and a crisis of multilateralism in recent years, which complicate international cooperation (Brühl 2019; Munich Security Conference 2019; Neuneck 2018), as well as the crisis of arms control often mentioned in academic literature (Becker et al. 2008; Meier 2020; Daase et al. 2019; Nassauer 2008).

At the same time, a key finding of the analysis is that the experts interviewed differentiated between the individual challenges in similar contexts: For example, challenges such as the lack of suitable definitions or political will were often mentioned when the experts were asked about the main challenges for cyber arms control. Only when it came to questions regarding an actual implementation of arms control measures did further challenges come up in connection with the difficulties of establishing suitable verification mechanisms or difficulties, which were discussed against the background of the dual-use factor. Thus, the challenges can be divided into structural challenges, which are caused by the structure of cyberspace, and procedural challenges, which become relevant in the actual process of establishing cyber arms control (see Figure 1).

Fig. 1 Classification of challenges into structural (left) and process-related (right) challenges. Source: Own illustration

The procedural challenges are particularly relevant to answer the question of whether cyberspace can benefit from mechanisms established within the domain of chemical weapons. In addition, these procedural challenges also raise the question of whether they could also be solved by technical solutions or if certain problems lie beyond technical possibilities. Another related finding of the analysis is that the experts’ assessments of whether and which challenges can be overcome differ greatly in some cases.

It should also be noted that challenges were often not explicitly named but were roughly paraphrased or described by the experts. In addition, some of the challenges became somewhat blurred in the conversation. For example, the challenge of the lack of definitions was not always explicitly mentioned, but was described during questions regarding the dual-use nature of cyberspace. This illustrates how closely interrelated the individual challenges often are: The issue of verification, for example, is strongly related to the challenge of missing definitions, since without specific and consistent definitions it is unclear what should be verified at all. Also, the discussion of the results shows that several challenging aspects were often subsumed under a given term, which makes finding solutions even more difficult.

At the same time, however, this also shows that individual aspects can be discussed against the background of various different overarching categories: For example, the dual-use factor of cyber instruments is in itself a major challenge for establishing arms control mechanisms in cyberspace. At the same time, it also makes it difficult to find suitable definitions or appropriate verification mechanisms.

5.2 Interpretation

The analysis leads to the conclusion that, according to the literature and the experts, neither the control of a cyberweapon nor any other technological regulation for cyberspace will work. Instead, the focus must be on banning certain actions, since the experts do not see any chance for verification mechanisms, especially because of the high level of intrusion that would be required. This is in line with Roßner’s (2017) concern that these very control measures, which are supposed to compensate for a lack of trust, may in turn trigger mistrust, as actors may fear that they are being spied on by weapons inspectors.

The analysis suggests that traditional measures of arms control cannot be transferred from one area to the area of cyberweapons. Instead, it is necessary to create new alternative and creative solutions for the domain. Considering this, the analysis shows that one possible solution could be to define and sanction not the weapon itself, but rather certain uses of the tools that could be prohibited, an approach that has, e.g., also been expressed by Hansel et al. (2018) based on the experiences with preventive arms control methods. Such an approach could help to overcome the challenges highlighted by the lack of definitions, the dual-use dilemma, as well as continued technological development. Thus, the criticism expressed in the literature by Roßner (2017) that existing treaties are often tied to technical characteristics of specific types of weapons, which makes them blind to new types of weapons due to low levels of abstraction would be overcome. This would also allow agreements to be made independently of the pace of development of the area. Such a behavioral regulatory approach has already been used to create norms for responsible behavior in cyberspace (Datzer and Schulze 2021). Nevertheless, considering what is politically feasible, the analysis shows that the challenge of a lack of political will still poses a major problem for implementing binding rules. This result can therefore be discussed against the background that for years many experts have been writing about a crisis in arms control (Becker et al. 2008; Meier 2020; Daase et al. 2019; Nassauer 2008) triggered by the crisis of multilateralism (Brühl 2019; Munich Security Conference 2019; Neuneck 2018). Hence, an expert expressed the idea that right now, he only sees soft law options in the normative realm as a possibility. 
Moreover, it must be considered that a vacuum in international law could arise in the period between the negotiation of a cyber agreement and its entry into force, which means that this phase of negotiation, the goal of which is to increase security, could give rise to a phase of uncertainty. Another objection is that a potential arms control negotiation would, like any arms control agreement, result in an intergovernmental treaty between states regarding their military capabilities (Reinhold 2020). Such a treaty-based approach has its limitations, especially regarding the mentioned role of non-state actors that can – at best – only be addressed indirectly via national legislation, law enforcement and by fostering and strengthening the due diligence principle of state responsibility. Nevertheless, this paper concludes that an intergovernmental agreement regarding cyberspace would still represent a security gain, especially since states are the main source of danger in cyberspace because they primarily have the capabilities as well as resources for large-scale cyberattacks (Lewis 2013). Such binding rules could also lead to fewer states accepting non-state groups carrying out such attacks on their territory and thus no longer being considered safe havens.

The analysis confirms that the experience of a threat has a strong influence on the will to negotiate. The experts assumed that experiences such as devastating cyberattacks would change the willingness of relevant actors to reach agreements. The motivation for the establishment of an agreement would therefore be a changed perception of danger. This is in line with Roßner (2017) arguing that a major shortcoming of arms control agreements is that such treaties are often discussed only after major damage has already been done by the relevant weapons, and thus agreements of this type often come too late. Likewise, this result confirms the assessment of Maybaum and Tölle (2016) that a common policy is possible when civil societies recognize an imminent threat beyond national borders. Even though the strategic utility of cyberweapons is not to be underestimated (CCDCOE 2022), the cost-benefit considerations of regulating cyberweapons are currently to the detriment of an agreement. This makes it difficult to develop political will for an agreement. However, the analysis also shows that the perception of the strategic value of certain instruments can change over time. An important finding is also that it is entirely possible to overcome technical challenges over time through research. This is in line with Geers (2010) emphasizing that technical challenges may be solvable with increasing research in this area. For example, attribution – the forensic and political process of collecting secure knowledge about the origin of a cyberattack – was considered a much bigger, if not unsolvable, problem about 10 years ago, but is now performed regularly and thus represents an important tool for arms control to determine the use of a certain cyberweapon and its origin. Regarding further technical challenges of a cyber arms verification, it cannot be ruled out that solutions for this might be found in the future.

In 2010, Lewis emphasized that we were still in the very early stages of thinking about how to create cybersecurity as a global community. Moreover, Meyer wrote in 2014 that it may be too early to establish arms control treaties for cyber instruments, given the challenges that currently remain. The analysis leads to the conclusion that we are still in this early stage:

“The big challenge in arms control is always to develop arms control policy steps when the development in the field of this technology or type of weapon, genre of weapon is still in full swing and therefore with great dynamics.” Nevertheless, cybersecurity is gaining relevance, albeit slowly: “As far as cyber is concerned, I would think that the concern of states and societies, their vulnerability, recognizing that, that’s just happening now. That’s basically a consequence of the digital transformation. What other consequences this has, including security policy consequences, when a society is digitally transformed is only now slowly becoming clear.”

Overall, the analysis shows that little has changed in terms of arms control challenges in cyberspace since Meyer’s observation in 2014. Nevertheless, the idea or goal of cyber arms control should not be dismissed prematurely. Therefore, more research is needed because arms control still represents a successful project of the past and thus an important instrument of international relations to create more security.

5.3 Limitations and Future Work

Finally, some limitations regarding this work should be mentioned. Although the selection of experts was based on theory-based research, it was also dependent on the availability and willingness to be interviewed. Also, most interviewees had a background in political science, and only a few in science or technology. This is relevant given the interdisciplinarity required to address questions in this domain. This lack of technical expertise possibly leads to misperceptions of technical limitations of cyberspace and the reproduction of techno-pessimistic perspectives. It should also be critically noted that more men than women and exclusively persons from the Global North were interviewed. Moreover, individual opinions were collected, which is why generalization is not possible and the results neither represent an expert consensus nor did we aim for comparability and prioritization of challenges, for which a questionnaire would have been necessary in contrast to our open-ended question approach. Additionally, due to the small circle of experts working on arms control in cyberspace, there was to some extent overlap between the literature we used to illustrate the relevance of the research topic and the expert interviews. In this context, there is also the threat of circular reasoning, as the researchers we interviewed are presumably also aware of the limited research available. Nevertheless, as the results show a differentiated range of highlighted challenges and problems, we believe that our chosen approach helps to mitigate this threat. In addition, it should be noted that the interviews were conducted before the outbreak of the Russian war of aggression against Ukraine. It is unclear whether these events have changed certain perceptions.

This article contributes to the question of whether lessons can be learned from combining academic and practical perspectives on establishing arms control. Much more research is needed to comprehensively discuss which paths are useful and viable for enhancing cybersecurity and which are not. To do so, even more diverse perspectives on the topic should be included. More attention should be paid to both the technical perspective and the potential impact of cyberattacks. In addition, various relevant stakeholders, including policymakers as well as the private sector, should have their say and be able to contribute perspectives and expertise in a multistakeholder approach.

6 Conclusion

Cyberspace represents the fifth space of warfare and is becoming increasingly relevant in conflicts. Thus, cyber capabilities are coming into focus in security policy thinking, e.g., through a corresponding emphasis in state military strategies. This raises the question of how to foster cybersecurity globally. This article examined the challenges for arms control in cyberspace from a theoretical perspective and, in a further step, critically reflected on them by drawing on the expertise of various experts in this domain.

The analysis revealed the following: Cyber arms control is confronted with a multitude of challenges. The challenges described in the research literature coincide with those described by the experts interviewed. The main difficulties are the lack of political will, of definitions, and of verification capabilities, as well as the dual-use nature of cyberspace. Other challenges include the multitude of stakeholders involved beyond states.

The analysis suggests that a broad definitional approach is advisable for cyberspace. It makes sense to regulate behaviors and outcomes rather than the technology itself and to use such an approach to define the weapon or the prohibited use thereof. The analysis also shows that a reliable attribution mechanism, which involves technical as well as political dimensions, is necessary for such an agreement. It must be certain that violations are detected to publicly communicate the misconduct, trigger possible non-compliance consequences of the regulatory regime, or otherwise deal with it either politically, economically, or even militarily (Saalbach 2019; Broeders et al. 2020). Such a mechanism would need to be independent and credible. However, this is precisely where an opportunity arises, as the analysis shows that cyberattacks have often been reliably attributed in the recent past. Technical challenges have thus already been successfully overcome. It is now urgent to translate the processes initiated under the UN GGE and the OEWG into binding regulations – as unrealistic as this may sound in view of the current world situation.