I worked on a project to restrict access to or exports of software (and this was software that the US considered to be a munition). It was impossible to control – there were so many ways to beat any restrictions, so many people who could write the code. Even if you criminalized the software and mustered the full panoply of FBI, NSA, and Customs to chase people around, it couldn’t be done. Plus, there are free speech issues and scientists say you’re chilling research by banning research tools. Also, you have to get all your foreign friends to agree not to export, and while we could usually get most of NATO, we could not get many others – all we did was shift production to noncompliant countries. This was a long time ago and it has only got easier since then to produce, distribute, or acquire “dangerous” software.

A ban on software “arms” is unlikely to win support (much less compliance): States have the right to acquire arms and munitions for self-defense. And if we say we’ll only regulate dangerous transfers, the next question is dangerous to whom? Russia, for example, regarded US arms transfers to Israel as destabilizing while we regarded their arms transfers to Iran in the same way. Russia and China might well regard Tor as a weapon and demand that it be regulated.

We might want to start by asking what is it we want to prevent, and then consider which tools might achieve this. Is software an arm? The barriers to production are so low, can “weapons’ development be prevented? How would digital arms trade regulations affect civil liberties and the wonderfulness of the Internet in allegedly creating innovation? What are the prospects for international cooperation? How would you verify compliance? Are export restrictions the best way to manage the risk of conflict? All of these beg the larger question as to whether a “digital arms trade” even exists (unless you count social control software). It might be better to make these fundamental and definitional issues the topic rather than assuming that there are digital arms and that we can control them.

Are Internet surveillance technologies a “weapon?” Not under international law, although they could be “weaponized.” I’d come back to the question at the Conference of what happens if a few countries control software and others don’t, when there is universal demand for the product from buyers that you can’t punish.

It’s a bit ironic that a session entitled “Governance without Government in Cyberspace?” would discuss governance measures that only governments could hope to implement. The larger, implicit question in this discussion is the challenge to “universal values.” Universal is a misnomer, left over from the days when the transatlantic partnership could set global norms without challenge. There is also a growing tension between the inevitable assertion of sovereignty over cyberspace – our discussion of Internet governance doesn’t even have the conceptual framework needed to engage this topic (and many are afraid even to consider one). With the resurgence of authoritarianism, it is the behavior of these states that is the problem, not software. Banning software without changing authoritarian behavior is a meaningless act: these states will acquire or develop programs in secret. Rather than a reactive approach of “controlling” trade, an active approach focused on the main event – overcoming authoritarian behavior – would be better.

About James Andrew Lewis

James Andrew Lewis is a senior fellow and Program Director at the Center for Strategic and International Studies, where he writes on technology, security and the international economy. Before joining CSIS, he served at the Departments of State and Commerce. Lewis has authored more than seventy publications since coming to CSIS and was the Director of CSIS’s Commission on Cybersecurity for the 44th Presidency, whose report has been downloaded more than 50,000 times. Lewis was also the Rapporteur for the UN’s 2010 Group of Government Experts on Information Security. Lewis received a Ph.D. from the University of Chicago; his current research involves the political effect of the Internet, asymmetric warfare, strategic competition, and technological innovation.