Published by The Lawfare Institute
in Cooperation With
Editor’s Note: New technologies are emerging at a dizzying pace, and arms control agreements cannot seem to keep up. My Brookings colleague Amy Nelson examines how the increased speed of technological change is creating holes in existing arms control agreements and how policymakers might better respond as the speed of change continues to grow.
Until recently, arms control—the system of agreements, organizations and processes to regulate certain types of weapons—has proved an effective tool for threats from conventional and nuclear technologies. Today, however, arms control is suffering from a spate of major violations, suspensions and withdrawals.
But it is not only state behavior that is undermining arms control. The regimes are being disrupted by the rapid pace of technological change in three key ways. First, industrially advanced nations (and aspiring ones) are accelerating the rate of development for innovations. New technologies are emerging too quickly for working group members—typically a combination of technologists and diplomats—to keep control lists current with emerging threats. Second, the technologies underlying existing weapons, platforms and systems—from the schematics for how they’re made to the software that makes them run—are being digitized, and newer technologies are emerging in digital formats that circumvent existing regulation. Third, the combination of accelerated innovation and digitization is contributing to the digital diffusion of technologies that augment the risk of proliferation and enable states to maintain latent military capabilities.
Existing arms control regimes are failing to adapt to these technological shifts. If arms control, already embattled by compliance violations and withdrawals, is to meet the moment, states need to muster the political will to address its challenges and shore up the existing nonproliferation architecture from the bottom up.
The Atrophying of Modern Arms Control
Arms control systems have emerged over time as states have collectively built out regulatory regimes and modernized their lists of controlled technologies. The nuclear nonproliferation system has been a successful product of this process. Nuclear arms control began with the 1968 Treaty on the Non-Proliferation of Nuclear Weapons (NPT), a multilateral treaty that works to control the spread of nuclear weapons and weapons technology, promote the peaceful use of nuclear energy via international cooperation, and advance the goal of nuclear disarmament. Following the NPT’s entry into force, several countries with nuclear technology established the Zangger Committee to improve on existing nuclear nonproliferation procedures and practices and fulfill the NPT’s Article III.2 requirement for member states to adopt export controls over material and equipment that could be used to create special fissionable material—that is, the source material for a nuclear bomb. The goal was to provide best practices for export controls designed to keep nuclear precursor items and materials out of the hands of potentially nefarious actors. After India conducted its first nuclear test in 1974, the Nuclear Suppliers Group (NSG) was created by nuclear supplier countries to prevent the export of dual-use technologies—technologies that could be used both for peaceful civilian purposes and for the manufacture of a nuclear bomb—so that they could not be used to develop nuclear weapons. However, the NSG did not keep up with the development of new dual-use technologies, only modernizing its control list in the early 1990s in response to Iran’s exploitation of unregulated technology to support its nascent nuclear program.
A similar story can be told about conventional arms and technologies. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was established in 1996 with the goal of preventing destabilizing accumulations of conventional weapons through the transfer of conventional arms and dual-use goods, as well as preventing the diversion or secondary sale of conventional weapons. This multilateral export control regime serves its function by establishing standards for implementation in domestic export controls on conventional arms and sensitive dual-use technologies by its member states. The regime was originally established as the Coordinating Committee for Multilateral Export Controls to prevent the dangerous buildup of conventional arms and to embargo Warsaw Pact countries. But the agreement evolved to emphasize regional and global security in its second iteration in 1996, focusing on conventional arms like battle tanks, armored combat vehicles and helicopters, as well as dual-use technologies like radar, sensors and lasers.
An effort to further broaden the regime in 2013 included the modernization of the Wassenaar Arrangement’s control list to include network-penetration software that countries can use to monitor networks and surveil network communications. This effort was fraught because of the dual-use nature of the software, which could at once be used to monitor a state’s own computer networks to prevent unwanted intrusion and also be misused by a surveilling state, for example, to monitor its citizens’ online activity. The proposed controls were aimed at preventing oppressive regimes from using this intrusion software to spy on their own citizens or to launch a cyberattack, but the controls were undermined by overly broad language that targeted “cybersecurity items,” which included dual-use software that could be used for monitoring systems and providing security patches—essentially, for spying on a population of network users and improving cybersecurity. Stakeholders, including actors from the private sector, objected in the strongest possible terms. Much of their opposition stemmed from concerns that the controls would inhibit the sharing of threat intelligence with peer companies and would limit “bug bounty” programs that pay researchers (often abroad) to identify potential vulnerabilities in their systems. The U.S. government ultimately initiated a do-over, and controls were successfully negotiated. But the experience of updating the Wassenaar Arrangement has become emblematic of the kinds of problems contemporary dual-use technologies that originate in the private sector wreak on arms control systems.
This atrophying of control lists has reinforced a broader trend of eroding arms control and its norms as a result of violations, suspensions and withdrawals from legally binding arms control treaties—a component of arms control systems. Among these is the recent demise of the Intermediate-Range Nuclear Forces Treaty, which unraveled because of disputes over newer technologies, including missiles and unmanned aerial vehicles, and highlights the difficulty arms control treaties have keeping pace with new technologies, weapons and systems. Similarly, new, “exotic” Russian systems appear to fall under constraints imposed by New START but haven’t yet been brought under control or included specifically in the agreement. Further, U.S. withdrawal from the Joint Comprehensive Plan of Action, which negotiated limits on Iran’s nuclear program, over concerns that the agreement wasn’t sufficiently broad or limiting undermined both norms of compliance with arms control treaties and trust in future U.S. compliance. The withdrawal also derailed what could have been a sequential and cumulative endeavor to curtail Iran’s threatening activities by striking a blow to the first and foundational agreement. Finally, both the U.S. and Russia have now withdrawn from the Open Skies Treaty, which has fostered transparency and trust by enabling member states to conduct short-notice reconnaissance flights over territories to facilitate the collection of data on military forces and activities.
New Technologies, Weaker Regimes
The pattern is consistent: As newer technologies evade controls and proliferate despite existing regimes, overall arms control systems designed to inhibit, prevent, lessen or slow the potential for harm and insecurity are weakened. In addition to network surveillance tools, these innovations include software used to penetrate information systems (that is, launch a cyberattack), computer-aided design (CAD) files for machining and additive manufacturing, and various applications of artificial intelligence—all of which can be applied to the development or enhancement of weapons and delivery systems. These newer technologies evade regulation by exploiting lags in control-list modernization or gaps that exist within and between them. Certain 3D printers, for example, tend to evade control—they simply aren’t regulated and interdicted until they are added to a control list through modernization. Alternatively, emerging technologies, such as malware, typically fall outside the scope of existing regulations, which struggle to define and regulate software; they perforate regimes by exploiting gaps not covered by the agreements and take advantage of as-yet-unsuccessful efforts to negotiate a framework for cyber norms. Additionally, the digital nature of many emerging technologies and their components means that, despite effective controls, sensitive technology or technical data can “get out” just by sending an email.
Historically, when loopholes, workarounds and innovations have circumvented existing regimes, a dual process of regime augmentation and control-list modernization has solved the problem by adding complementary agreements or updating the list of technologies and related information to be controlled. This is what the development of the NSG did for the nuclear nonproliferation regime: Policymakers identified that the regime lacked strong controls on dual-use nuclear technology and material and established a new organization to regulate its transfer. The increasingly rapid pace of innovation, the digitization of technology and the diffuse nature of new dual-use technologies pose threats to these arms control systems by evading the controls they have put in place.
Emerging technologies increasingly threaten the validity and normativity of arms control. Some new threats are intangible. For example, regulators have struggled to control easily shareable CAD files that allow handguns, grenades or even nuclear centrifuge components to be 3D printed. Threats such as these challenge the purpose and function of a global governance architecture that was designed for threats that could be seen and counted. Arms control writ large was already in a vulnerable place as a function of “emerged” weapons and systems that have continued to evolve; in recent years, the enterprise has been weakened at the treaty level by noncompliance, suspensions, the cessation of implementation, and withdrawals.
Going forward, the prognosis is poor. To date, efforts to modernize control lists and update regimes with additional agreements have not yielded much success. Moreover, not only is the evolving nature of technology facilitating this arms control system erosion, but the very idea of augmenting regimes to better manage the threat is at once problematic and motivational. As international relations scholar Robert Jervis has pointed out, “[R]estrictions can increase an actor’s incentives to engage in the forbidden activity. … [T]he very banning of an activity may make it more attractive.”
As such, planners, policymakers, scholars and regulators need to modify their thinking. Rather than react to emerging technologies as they come into conflict with arms control systems, these stakeholders must do a better job of anticipating potential threats from their use and proceed with a threat-based, rather than technology-based, focus. They can and should do a better job of “cross-regime harmonization,” or communicating about emerging threats across all potentially affected regimes. At the same time, they must also work expediently to maintain the systems in place. New technologies only mean new problems for nonproliferation—the old ones don’t go away. Control lists must be updated more rapidly to keep pace with threats from novel technologies, and prominent and continuous industry participation is vital. Ultimately, because agreements are designed to work in concert to mitigate threats and proliferation concerns, a failure to keep up with the rate of innovation places the larger enterprise at risk. Maintaining arms control systems by shoring up and modernizing regime architectures can and should be a priority for policymakers.