Can diplomacy get global cyberwarriors to sheathe their swords?

A man holds up a poster in protest against the Hungarian government for using Pegasus spyware to monitor journalists, opposition leaders, and activists in Budapest.

Marton Monus/Reuters

July 28, 2021

A new arms race has erupted around the world, with implications not just for countries’ security, but their citizens’ fundamental rights too. Unlike the old competition – over missiles and munitions – this one revolves around a powerful, 21st-century weapon: cybertechnology.

And in what could lead to a diplomatic tug of war as well, the Biden administration has begun pressing both Russia and China to agree to practical limitations on this new threat: in effect, a new kind of arms control for a new kind of arms.

That’s the message from a recent series of dramatic developments, culminating in last week’s revelations concerning a piece of Israeli software called Pegasus, which has given governments from Mexico to Morocco, and from Hungary to India, the capability to target, hack into, and take control of individual mobile phones.

Why We Wrote This

Washington would like to see an international treaty limiting the use of cyberwarfare. Russia and China are not keen, but they are just as vulnerable as anyone else. Might that change their minds?

The company behind the spyware, NSO, says it explicitly tells clients that it is to be used only against terrorists, drug dealers, and people-traffickers. But last week’s leaked list of more than 50,000 mobile phone numbers – apparently candidates for Pegasus penetration – left little doubt that some clients are ignoring that caveat.

Vetted by a consortium of major world news organizations, which managed to identify the owners of nearly 1,000 numbers, the list included 85 human-rights activists, nearly 200 journalists, and more than 600 politicians, diplomats, or other officials.

Boston broke a record last year for fewest homicides. It’s on track to do it again.

This aspect of the cyber arms race – heralding the prospect that Pegasus and similar software will become ever more commonplace – is only one part of a larger cyberwarfare struggle.

China, Russia, and the United States are the major players, though other would-be actors, including North Korea and Iran, have been building up their capabilities. Reports in the United Kingdom this week, citing a leaked Iranian security document, suggested the Iranians may be seeking the capacity to target civilian infrastructure with cyberattacks.

Until recently, Russia was the main focus of American and allied concerns.

U.S. intelligence agencies have concluded that Moscow used social media to attempt to influence the past two American elections. This year, U.S. government departments and private companies have suffered a number of cyberstrikes from Russian territory, one of which Washington blamed on Russian state actors.

In May, a Russia-based ransomware group forced the temporary shutdown of one of America’s main oil pipelines, the Colonial, causing fuel shortages in states from Texas to New Jersey.

Why Florida and almost half of US states are enshrining a right to hunt and fish

But last week, the spotlight fell on China.

NATO and European Union allies joined Washington in an unprecedented rebuke for a series of China-based ransomware operations, as well as a major attack they said was sanctioned by China’s Ministry of State Security – hacking into Microsoft’s main email servers. Wendy Sherman, the second most senior figure in the U.S. State Department, reinforced that message in talks this week with Foreign Minister Wang Yi.

Just how much cyberwarfare the United States wages itself is largely shrouded in official secrecy, but Washington is widely believed to have mounted a number of assaults against Iran. And it may have been an American operation that this month shut down the “dark web” sites of Russian ransomware group REvil, responsible for recent attacks on U.S. businesses. 

Still, that could also have been the result of a stern phone call from President Joe Biden earlier this month telling Russian leader Vladimir Putin that he needed to clamp down on Russia-based hackers as a matter of “national security.” That call came only weeks after Mr. Biden’s summit meeting with President Putin, at which he also pushed for Russian cooperation.

The idea that some new form of arms control is needed to set “guardrails” around this new arms race has become a major foreign policy priority for the Biden administration. 

At the summit, Mr. Biden was explicit about what he saw as a necessary first step: a mutually accepted list of key infrastructure and security targets that should be deemed off-limits.

Echoing that approach, a White House statement last week urged China to recognize that its involvement in ransomware and other hacking attacks was “inconsistent with its stated objective of being seen as a responsible leader in the world.”

Russian and Chinese participation in Washington’s drive to establish international cyber-guardrails will be critical to its success. It is still not clear whether they are ready to join in.

Politically, the signs so far point to no. Russia and China have been drawing closer together diplomatically of late, and that’s already having some cyber-effects: Last month they agreed on a joint position on “management of the internet,” including a bid to secure international recognition of their right to “regulate the national segment” of the World Wide Web.

Still, the Pegasus disclosures may give them a powerful practical reason to join cyber-arms-control efforts: the sheer power of the increasingly advanced cyber tools available.

In other words, it’s not just about Facebook meddling or even ransomware attacks. Every electronic device on earth and every mobile phone could ultimately be vulnerable.

China’s and Russia’s, included.