About
In cyber terms, arms control is roughly where it was for nuclear weapons in the 1950s. There is no common understanding of what “cyber weapons” are, or indeed even “cyber forces”. States are left guessing as to the overall capability of another state. By foreclosing any common language on offensive cyber capabilities and intent, this lack of transparency has implications not only for intelligence and national security assessments but also for institutional dialogues and the wider public discussion on international peace and security in cyberspace. A vital ingredient for progress is greater transparency about the relative cyber capabilities of nations. Transparency helps reduce the scope for misunderstanding, provides for clarity of intent and predictability, and helps establish norms of restraint and communication – all essential ingredients for stability.
The Cyber Arms Watch seeks to contribute to transparency by fostering a much-needed overview and comparison of the self-declared and the perceived offensive cyber capabilities of 60 states. It enables the determination of an overall “Cyber Transparency Index” for states by using two specific ratings:
The Declared Capabilities Rating (DCR) indicates to what extent a state publicly discloses information about its offensive cyber capabilities. This includes official government communication, such as strategies, doctrines, and similar documents, as well as sanctioned media reporting that cumulatively indicate the level of declared capability using a six-tiered labelling system (level 0-5). This system ranges from no official indications of offensive cyber capabilities, to stated aspirations, sanctioned reporting by media or official statements, and finally three levels of offensive capabilities.
The Perceived Capabilities Rating (PCR) indicates how the offensive cyber capabilities of a state are observed by outsiders using open-source information and categorizes them using a similar six-level categorization system. Whereas the first rating is limited to official self-disclosures by the respective government itself, this rating describes the offensive cyber capability of that government by using external sources. This is limited to open-source information, such as intelligence reports and assessments from governments and industry, indictments, sanctions, past operations, and leaked documents.