Can diplomacy get global cyberwarriors to sheathe their swords?

Can diplomacy get global cyberwarriors to sheathe their swords?

Marton Monus/Reuters

A man holds up a poster in protest against the Hungarian government for using Pegasus spyware to monitor journalists, opposition leaders, and activists in Budapest.


July 28, 2021

Two ways to read the story

  • Quick Read
  • Deep Read ( 3 Min. )

International arms control used to mean missiles and munitions. Today, it’s about a powerful 21st-century weapon – cybertechnology – that is fueling a new arms race.

The issue has come to the surface with last week’s revelation that governments around the world appear to have been using a state-of-the-art piece of spyware, called Pegasus, to hack into and take control of mobile phones belonging to journalists, lawyers, human rights activists, and businesspeople.

Why We Wrote This

Washington would like to see an international treaty limiting the use of cyberwarfare. Russia and China are not keen, but they are just as vulnerable as anyone else. Might that change their minds?

On the broader cyberfront, hackers based in Russia and China – some of them thought to be working for their governments – have attacked U.S. government and private business targets in recent months. And Washington has its own offensive cyber capabilities.

To try to get things under control, the Biden administration is proposing international “guardrails” to rein in this new arms race. Washington has proposed to Moscow that the two sides draw up a list of key infrastructure and security targets that would be off-limits.

Neither Russia nor China appears very interested yet in such a deal. But with software like Pegasus around, it seems everybody is potentially vulnerable in the absence of a cyberweapons agreement.

And that includes Moscow and Beijing.


A new arms race has erupted around the world, with implications not just for countries’ security, but their citizens’ fundamental rights too. Unlike the old competition – over missiles and munitions – this one revolves around a powerful, 21st-century weapon: cybertechnology.

And in what could lead to a diplomatic tug of war as well, the Biden administration has begun pressing both Russia and China to agree to practical limitations on this new threat: in effect, a new kind of arms control for a new kind of arms.

That’s the message from a recent series of dramatic developments, culminating in last week’s revelations concerning a piece of Israeli software called Pegasus, which has given governments from Mexico to Morocco, and from Hungary to India, the capability to target, hack into, and take control of individual mobile phones.

Why We Wrote This

Washington would like to see an international treaty limiting the use of cyberwarfare. Russia and China are not keen, but they are just as vulnerable as anyone else. Might that change their minds?

The company behind the spyware, NSO, says it explicitly tells clients that it is to be used only against terrorists, drug dealers, and people-traffickers. But last week’s leaked list of more than 50,000 mobile phone numbers – apparently candidates for Pegasus penetration – left little doubt that some clients are ignoring that caveat.

Vetted by a consortium of major world news organizations, which managed to identify the owners of nearly 1,000 numbers, the list included 85 human-rights activists, nearly 200 journalists, and more than 600 politicians, diplomats, or other officials.

This aspect of the cyber arms race – heralding the prospect that Pegasus and similar software will become ever more commonplace – is only one part of a larger cyberwarfare struggle.

China, Russia, and the United States are the major players, though other would-be actors, including North Korea and Iran, have been building up their capabilities. Reports in the United Kingdom this week, citing a leaked Iranian security document, suggested the Iranians may be seeking the capacity to target civilian infrastructure with cyberattacks.

Florida brought back its panthers. Can people live with them?

Until recently, Russia was the main focus of American and allied concerns.

U.S. intelligence agencies have concluded that Moscow used social media to attempt to influence the past two American elections. This year, U.S. government departments and private companies have suffered a number of cyberstrikes from Russian territory, one of which Washington blamed on Russian state actors.

In May, a Russia-based ransomware group forced the temporary shutdown of one of America’s main oil pipelines, the Colonial, causing fuel shortages in states from Texas to New Jersey.

But last week, the spotlight fell on China.

NATO and European Union allies joined Washington in an unprecedented rebuke for a series of China-based ransomware operations, as well as a major attack they said was sanctioned by China’s Ministry of State Security – hacking into Microsoft’s main email servers. Wendy Sherman, the second most senior figure in the U.S. State Department, reinforced that message in talks this week with Foreign Minister Wang Yi.

Just how much cyberwarfare the United States wages itself is largely shrouded in official secrecy, but Washington is widely believed to have mounted a number of assaults against Iran. And it may have been an American operation that this month shut down the “dark web” sites of Russian ransomware group REvil, responsible for recent attacks on U.S. businesses. 

Still, that could also have been the result of a stern phone call from President Joe Biden earlier this month telling Russian leader Vladimir Putin that he needed to clamp down on Russia-based hackers as a matter of “national security.” That call came only weeks after Mr. Biden’s summit meeting with President Putin, at which he also pushed for Russian cooperation.

The idea that some new form of arms control is needed to set “guardrails” around this new arms race has become a major foreign policy priority for the Biden administration. 

At the summit, Mr. Biden was explicit about what he saw as a necessary first step: a mutually accepted list of key infrastructure and security targets that should be deemed off-limits.

Echoing that approach, a White House statement last week urged China to recognize that its involvement in ransomware and other hacking attacks was “inconsistent with its stated objective of being seen as a responsible leader in the world.”

Russian and Chinese participation in Washington’s drive to establish international cyber-guardrails will be critical to its success. It is still not clear whether they are ready to join in.

Politically, the signs so far point to no. Russia and China have been drawing closer together diplomatically of late, and that’s already having some cyber-effects: Last month they agreed on a joint position on “management of the internet,” including a bid to secure international recognition of their right to “regulate the national segment” of the World Wide Web.

Still, the Pegasus disclosures may give them a powerful practical reason to join cyber-arms-control efforts: the sheer power of the increasingly advanced cyber tools available.

Get the Monitor Stories you care about delivered to your inbox.

Your email address

By signing up, you agree to our Privacy Policy.

In other words, it’s not just about Facebook meddling or even ransomware attacks. Every electronic device on earth and every mobile phone could ultimately be vulnerable.

China’s and Russia’s, included.

You’ve read  of  free articles.
Subscribe to continue.

Help fund Monitor journalism for $11/ month

Already a subscriber? Login

Mark Sappenfield

Monitor journalism changes lives because we open that too-small box that most people think they live in. We believe news can and should expand a sense of identity and possibility beyond narrow conventional expectations.

Our work isn’t possible without your support.


Unlimited digital access $11/month.

Already a subscriber? Login

Digital subscription includes:

  • Unlimited access to
  • archive.
  • The Monitor Daily email.
  • No advertising.
  • Cancel anytime.


Related stories