If you read much of anything about cybersecurity, then you know the name Robert Graham. He may be the world’s premier expert in “white hat” digital security procedures, so I take him seriously when he says a new arms control agreement may make the world safer for the bad guys.
Good and evil [digital security] products are often indistinguishable from each other. The best way to secure your stuff is for you to attack yourself.
That means things like bug bounties that encourage people to find 0-days in your software so that you can fix them before hackers (or the NSA) exploit them. That means scanning tools that hunt for any exploitable conditions in your computers, to find those bugs before hackers do. Likewise, companies use surveillance tools on their own networks (like intrusion prevention systems) to monitor activity and find hackers.
Thus, while Wassenaar [arms control agreement] targets evil products, they inadvertently catch the bulk of defensive products in their rules as well.
Not all arms control agreements are bad of course, but there are dangers. The Washington Naval Treaty of 1922 limited the sizes of the Royal Navy, the US Navy, and the Japanese Imperial Navy absolutely and relative to one another. Japan’s navy was kept the smallest of the three bigs (France and Italy were minor signatories), and the rationale (IIRC) was that Japan’s needs were purely defensive — a smaller navy would suffice.
But really the upshot of it all was that as soon as Japan decided to break the treaty, she didn’t have that far to go to catch up with the US and Britain. Had the US and UK navies been built according to our needs, rather than limited by treaty, Japan with her tiny industrial base could never have been in a position to catch up.
The Reagan-Gorbachev Intermediate Nuclear Forces treaty may prove to be another sad example. It seemed like a great idea at the time — I was certainly in favor of it — to eliminate the medium-range nuclear missiles which dotted the NATO and Warsaw Pact maps. Their mere presence was destabilizing, since they had short enough flight times to tempt a worried power into making a surprise nuclear attack. We agreed to scrap ours, they agreed to scrap theirs, and we both agreed never to build any more of them.
But of course now there’s good evidence, and has been for a couple of years, that Russia is cheating by improperly classifying an IRBM as an ICBM. Congress has demanded a report (a report!), but that looks to be about as much as we’re going to do about it, unless by some miracle Congress and the White House agree to fast-track Pershing III procurement and deployment.
If Wassenaar ends up handcuffing the white hats just like the Washington Naval Treaty and the INF agreement did, then we’re in some serious real-world trouble.