Can diplomacy get global cyberwarriors to sheathe their swords?

Marton Monus/Reuters
A man holds up a poster in protest against the Hungarian government for using Pegasus spyware to monitor journalists, opposition leaders, and activists in Budapest.
  • Quick Read
  • Deep Read ( 3 Min. )

International arms control used to mean missiles and munitions. Today, it’s about a powerful 21st-century weapon – cybertechnology – that is fueling a new arms race.

The issue has come to the surface with last week’s revelation that governments around the world appear to have been using a state-of-the-art piece of spyware, called Pegasus, to hack into and take control of mobile phones belonging to journalists, lawyers, human rights activists, and businesspeople.

Why We Wrote This

Washington would like to see an international treaty limiting the use of cyberwarfare. Russia and China are not keen, but they are just as vulnerable as anyone else. Might that change their minds?

On the broader cyberfront, hackers based in Russia and China – some of them thought to be working for their governments – have attacked U.S. government and private business targets in recent months. And Washington has its own offensive cyber capabilities.

To try to get things under control, the Biden administration is proposing international “guardrails” to rein in this new arms race. Washington has proposed to Moscow that the two sides draw up a list of key infrastructure and security targets that would be off-limits.

Neither Russia nor China appears very interested yet in such a deal. But with software like Pegasus around, it seems everybody is potentially vulnerable in the absence of a cyberweapons agreement.

And that includes Moscow and Beijing.

A new arms race has erupted around the world, with implications not just for countries’ security, but their citizens’ fundamental rights too. Unlike the old competition – over missiles and munitions – this one revolves around a powerful, 21st-century weapon: cybertechnology.

And in what could lead to a diplomatic tug of war as well, the Biden administration has begun pressing both Russia and China to agree to practical limitations on this new threat: in effect, a new kind of arms control for a new kind of arms.

That’s the message from a recent series of dramatic developments, culminating in last week’s revelations concerning a piece of Israeli software called Pegasus, which has given governments from Mexico to Morocco, and from Hungary to India, the capability to target, hack into, and take control of individual mobile phones.

Why We Wrote This

Washington would like to see an international treaty limiting the use of cyberwarfare. Russia and China are not keen, but they are just as vulnerable as anyone else. Might that change their minds?

The company behind the spyware, NSO, says it explicitly tells clients that it is to be used only against terrorists, drug dealers, and people-traffickers. But last week’s leaked list of more than 50,000 mobile phone numbers – apparently candidates for Pegasus penetration – left little doubt that some clients are ignoring that caveat.

Vetted by a consortium of major world news organizations, which managed to identify the owners of nearly 1,000 numbers, the list included 85 human-rights activists, nearly 200 journalists, and more than 600 politicians, diplomats, or other officials.

This aspect of the cyber arms race – heralding the prospect that Pegasus and similar software will become ever more commonplace – is only one part of a larger cyberwarfare struggle.

China, Russia, and the United States are the major players, though other would-be actors, including North Korea and Iran, have been building up their capabilities. Reports in the United Kingdom this week, citing a leaked Iranian security document, suggested the Iranians may be seeking the capacity to target civilian infrastructure with cyberattacks.

Until recently, Russia was the main focus of American and allied concerns.

U.S. intelligence agencies have concluded that Moscow used social media to attempt to influence the past two American elections. This year, U.S. government departments and private companies have suffered a number of cyberstrikes from Russian territory, one of which Washington blamed on Russian state actors.

In May, a Russia-based ransomware group forced the temporary shutdown of one of America’s main oil pipelines, the Colonial, causing fuel shortages in states from Texas to New Jersey.

But last week, the spotlight fell on China.

NATO and European Union allies joined Washington in an unprecedented rebuke for a series of China-based ransomware operations, as well as a major attack they said was sanctioned by China’s Ministry of State Security – hacking into Microsoft’s main email servers. Wendy Sherman, the second most senior figure in the U.S. State Department, reinforced that message in talks this week with Foreign Minister Wang Yi.

Just how much cyberwarfare the United States wages itself is largely shrouded in official secrecy, but Washington is widely believed to have mounted a number of assaults against Iran. And it may have been an American operation that this month shut down the “dark web” sites of Russian ransomware group REvil, responsible for recent attacks on U.S. businesses. 

Still, that could also have been the result of a stern phone call from President Joe Biden earlier this month telling Russian leader Vladimir Putin that he needed to clamp down on Russia-based hackers as a matter of “national security.” That call came only weeks after Mr. Biden’s summit meeting with President Putin, at which he also pushed for Russian cooperation.

The idea that some new form of arms control is needed to set “guardrails” around this new arms race has become a major foreign policy priority for the Biden administration. 

At the summit, Mr. Biden was explicit about what he saw as a necessary first step: a mutually accepted list of key infrastructure and security targets that should be deemed off-limits.

Echoing that approach, a White House statement last week urged China to recognize that its involvement in ransomware and other hacking attacks was “inconsistent with its stated objective of being seen as a responsible leader in the world.”

Russian and Chinese participation in Washington’s drive to establish international cyber-guardrails will be critical to its success. It is still not clear whether they are ready to join in.

Politically, the signs so far point to no. Russia and China have been drawing closer together diplomatically of late, and that’s already having some cyber-effects: Last month they agreed on a joint position on “management of the internet,” including a bid to secure international recognition of their right to “regulate the national segment” of the World Wide Web.

Still, the Pegasus disclosures may give them a powerful practical reason to join cyber-arms-control efforts: the sheer power of the increasingly advanced cyber tools available.

In other words, it’s not just about Facebook meddling or even ransomware attacks. Every electronic device on earth and every mobile phone could ultimately be vulnerable.

China’s and Russia’s, included.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Can diplomacy get global cyberwarriors to sheathe their swords?
Read this article in
QR Code to Subscription page
Start your subscription today