Could cyberattacks one day be governed by treaties like those limiting the use of nuclear, chemical and biological weapons? The US and China are reportedly taking a first step in that direction.
The countries are discussing a mutual promise not to launch a first-strike attack with cyberweapons on the other country's critical infrastructure, such as power plants, hospitals and banks, The New York Times reported Saturday.
The talks are geared toward producing a deal that would be announced next week during China President Xi Jinping's state visit to the US, the Times said, citing unnamed officials involved in the negotiations.
Such an announcement might not mention an official rule barring attacks on critical systems, a Times source said. Rather, it could involve a general embrace of a United Nations code of conduct that spells out nonbinding "principles of responsible behavior" regarding the use of cyberweapons like malicious software.
Nonetheless, the UN guidelines single out attacks on critical infrastructure as the "most harmful," and the negotiations could evolve into the first-ever arms-control deal for cyberspace, the Times said.
The news comes amid increased tension between the US and China over hacking and cyberspying. In June,of an attack on the US government's personnel office that compromised the data of millions of current and former federal workers. And in August, officials with the Obama administration told The Washington Post that the US was developing a range of "unprecedented" .
The deal under discussion wouldn't prohibit such spying, or the theft of intellectual property, but it would, the Times said, "be a first effort by the world's two biggest economic powers to prevent the most catastrophic use of cyberweapons."
It's not clear, though, how effective a cyberweapons treaty would be, the Times noted. Unlike a missile strike, a cyberattack can be tough to track, making deterrence and retaliation difficult.
"It could create some self-restraint," a Harvard professor who studies US power told the Times, but "how do you verify it, and what is its value if it can't be verified?"
The White House declined to comment on the Times report.