Sunday, May 24, 2026

Regulating the Unregulatable? Cyber Warfare Treaties and the Breakdown of Traditional Arms Control Logic 


Diplomat Magazine

By Ayya Sheptukhina

The development of an international treaty regulating cyber warfare raises a fundamental challenge for international law: whether existing arms control models, particularly those governing nuclear weapons, can be adapted to cyberspace. Recent developments, including the adoption of a United Nations Convention against Cybercrime in 2024 and the establishment of a permanent UN cybersecurity mechanism in 2025, suggest increasing institutionalisation. However, these developments do not overcome the structural differences between nuclear and cyber domains. While nuclear arms control is built on material scarcity, state monopoly, and verification, cyber governance is shaped by intangibility, diffuse power, and persistent uncertainty. These differences fundamentally constrain the design and effectiveness of any cyber warfare treaty.

Nuclear arms control regimes are grounded in the materiality and scarcity of weapons. Nuclear weapons are finite, capital-intensive, and controlled by states, enabling legal frameworks focused on non-proliferation and disarmament. The Treaty on the Non-Proliferation of Nuclear Weapons (NPT) remains the fundamental apparatus of this system (Aboul-Enein, 2017, p.3). Although the regime suffers from a legal gap due to the absence of binding timelines for disarmament (Aboul-Enein, 2017, pp.4–5), it has developed into an extensive treaty-based architecture (Finaud, 2020, pp.1–2). Yet its stability is increasingly fragile. Persistent divisions between nuclear-weapon states (NWS) and non-nuclear-weapon states (NNWS) continue to impede progress (Jaramillo, 2022, pp.2–3), and the expiration of the New START Treaty in February 2026 removed the last binding constraint on major nuclear arsenals (U.S. Department of State, 2026).

By contrast, cyberspace presents a fundamentally different regulatory object. Cyber capabilities are intangible, dual-use, and widely accessible, with low barriers to entry for both states and non-state actors. As Hughes (2010, pp.523–524) demonstrates, individuals and non-state groups can conduct disruptive operations at relatively low cost. These characteristics undermine traditional arms control logic: cyber capabilities cannot be meaningfully counted, limited, or eliminated. Regulation must therefore focus on conduct rather than capability.

The evolution of cyber governance reflects both progress and limitation. Mačák (2016, p.127) characterises the field as being in a state of “crisis,” marked by failed treaty-making, limited state practice, and reliance on non-binding norms. While this diagnosis remains analytically useful, recent developments complicate it. The United Nations Convention against Cybercrime, adopted in 2024 and opened for signature in 2025, represents the first global legally binding instrument in this domain (United Nations, 2024; United Nations, 2025a). The establishment of a permanent UN cybersecurity mechanism further signals a shift toward institutional continuity (United Nations, 2025b).

At the same time, there are emerging signs of gradual development in customary international law. Between 2024 and 2026, the international legal landscape matured as a growing number of states and regional bodies articulated formal positions on the application of international law in cyberspace. Notably, both the African Union and the European Union adopted common positions addressing sovereignty, due diligence, and state responsibility in the cyber domain (African Union, 2024; Council of the European Union, 2024).

Building on earlier frameworks developed by states such as the United Kingdom, France, and Canada, more recent contributions from countries including Austria, South Korea, and Thailand have expanded the geographical and legal diversity of state practice (Federal Ministry for European and International Affairs, 2024; Ministry of Foreign Affairs of the Republic of Korea, 2025; Ministry of Foreign Affairs of Thailand, 2025). While these statements do not yet amount to consensus, they contribute to a more representative global compendium of state practice, potentially supporting the gradual formation of customary norms. 

Nevertheless, these developments remain limited in scope. The cybercrime convention regulates criminal activity rather than state conduct in cyber warfare, leaving a gap in the regulation of cyber hostilities (Hughes, 2010, p.524). At the same time, states continue to avoid articulating fully convergent legal positions, constraining the crystallisation of customary law (Mačák, 2016, pp.130–131). Institutionalisation, therefore, does not necessarily produce legal clarity.

A defining specificity of cyber regulation is the problem of attribution, which has intensified with recent advances in artificial intelligence. Unlike nuclear activities, which can be monitored through physical verification mechanisms, cyber operations are inherently opaque. As Mačák notes, attribution is a central challenge for international law (Mačák, 2016, p.127). Recent threat assessments indicate that AI is increasingly used by both state and non-state actors to scale cyber operations and complicate adversary tracking (ENISA, 2025; Microsoft, 2025). The emergence of more autonomous, agentic AI systems further raises questions about responsibility where harmful outcomes may not be directly attributable to human intent (UNIDIR, 2026).

These developments reinforce a shift from deterministic to probabilistic attribution, where responsibility is inferred from patterns of behaviour, infrastructure, and effects rather than conclusively proven. This undermines legal frameworks that rely on establishing intent and complicates enforcement. At the same time, adaptive forms of malicious code further challenge static verification methods (ENISA, 2025). Together, these dynamics constrain the feasibility of treaty-based enforcement systems comparable to those in nuclear arms control.

The actor landscape further differentiates cyberspace. While nuclear regimes are state-centric, cyber operations involve a broad range of non-state actors, including corporations and decentralised groups (Mačák, 2016, p.127). Increasingly, private technology companies play a central role in attribution by providing technical analysis and threat intelligence, further diffusing authority away from states (Microsoft, 2025). This pluralisation of norm-making challenges the traditional state monopoly over international law and complicates treaty design.

Thus, cyber governance shows incremental progress, but any treaty remains distinct from nuclear arms control: diffuse, dual-use capabilities and uncertain attribution require regulating behaviour, not eliminating weapons. 

References:

Aboul-Enein, S. (2017) ‘Toward a non-nuclear world: The NPT regime – nuclear disarmament and the challenge of a WMDFZ in the Middle East’, International Journal of Nuclear Security, 3(1), Article 5. 

African Union (2024) Common African position on international law applicable to the use of information and communication technologies in cyberspace. Adopted by the 37th Ordinary Session of the AU Assembly.

Council of the European Union (2024) Council conclusions on a common understanding of the application of international law to cyberspace. 14755/24.

ENISA (2025) ENISA threat landscape 2025. Athens: European Union Agency for Cybersecurity. Available at: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 (Accessed: 1 May 2026).

Federal Ministry for European and International Affairs (2024) Austria’s position on international law in cyberspace. Vienna: Republic of Austria.

Finaud, M. (2020) Multilateralism and arms control: The end of an era? Geneva: Geneva Centre for Security Policy.

Hughes, R. (2010) ‘A treaty for cyberspace’, International Affairs, 86(2), pp. 523–541.

Jaramillo, C. (2022) Death by a thousand red lines. Beyond Nuclear International. Available at: https://beyondnuclearinternational.org (Accessed: 1 May 2026).

Mačák, K. (2016) ‘Is the international law of cyber security in crisis?’, in Pissanidis, N., Rõigas, H. and Veenendaal, M. (eds.) 2016 8th International Conference on Cyber Conflict (CyCon). Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, pp. 127–139.

Microsoft (2025) Microsoft digital defense report 2025. Redmond, WA: Microsoft. Available at: https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2025 (Accessed: 1 May 2026).

Ministry of Foreign Affairs of the Republic of Korea (2025) Statement by the Government of the Republic of Korea on the application of international law in cyberspace. Seoul: Ministry of Foreign Affairs. Available at: https://www.mofa.go.kr/eng/brd/m_5674/view.do?seq=321145 (Accessed: 1 May 2026). 

Ministry of Foreign Affairs of Thailand (2025) National position of the Kingdom of Thailand on the application of international law in cyberspace. Bangkok: Ministry of Foreign Affairs. Available at: https://mfa.go.th/en/content/th-s-national-position-on-app-of-il-cyberspace-en (Accessed: 1 May 2026).

United Nations (2024) United Nations convention against cybercrime. New York: United Nations General Assembly. Available at: https://www.unodc.org/unodc/en/cybercrime/convention/home.html (Accessed: 1 May 2026). 

United Nations (2025a) United Nations convention against cybercrime opens for signature in Hanoi. New York: United Nations Office of Legal Affairs. Available at: https://www.un.org/ola/en/news/united-nations-convention-against-cybercrime-opens-signature-hanoi (Accessed: 1 May 2026). 

United Nations (2025b) Final report of the Open-ended Working Group on security of and in the use of information and communications technologies 2021–2025. New York: United Nations. Available at: https://digitallibrary.un.org/record/4084927?v=pdf (Accessed: 1 May 2026).

UNIDIR (2025) Artificial intelligence in the military domain and its implications for international peace and security: An evidence-based road map for future policy action. Geneva: United Nations Institute for Disarmament Research. Available at: https://unidir.org/publication/artificial-intelligence-in-the-military-domain-and-its-implications-for-international-peace-and-security-an-evidence-based-road-map-for-future-policy-action/ (Accessed: 1 May 2026). 

U.S. Department of State (2026) New START treaty expiration and status update. Washington, DC: U.S. Department of State. Available at: https://www.state.gov/new-start-treaty (Accessed: 1 May 2026).
