With the emergence of cyber conflict as an increasingly important concern of policymakers, the possibility is sometimes raised that nations could enter into arms control agreements of some kind to reduce the likelihood that such conflict will occur and/or to reduce or limit the damage that any such conflict might inflict. Advocates of such agreements suggest that they would enhance the cybersecurity posture of the United States. Nonetheless, there are many challenges that stand in the way of reaching such agreements, and progress toward such agreements may well be slower than some observers would like.
In the 21st century, information is an essential coin of the realm, and advanced nation-states are increasingly dependent on information and information technology. Private-sector businesses rely on information technology (IT) to plan, manage and conduct their operations, as do government agencies and military forces. Nations thus have strong incentives to reduce threats that might compromise the IT assets on which their private-sector businesses, civilian government agencies and military forces depend.
One approach to threat reduction in cyberspace is for a nation to take unilateral measures to defend those assets. A familiar example drawn from everyday life is the owner of a personal computer who unilaterally chooses to run an anti-virus program on that computer. Threats faced by important IT assets, however, are often much more sophisticated than mere virus-infected email attachments, and the defenses are correspondingly more sophisticated. Still, two points must be made. First, such defenses are deployed against specific technical threats rather than against specific adversaries. Second, these defenses are invariably imperfect: They can reduce threats but cannot eliminate them entirely.