Governing Proliferation in Cybersecurity

This article compares state activities to control the international spread of malware with efforts to counter the proliferation of weapons of mass destruction (WMD). The analysis focuses on representative institutions, the Wassenaar Arrangement (Wassenaar) which began to address malware in 2013, and the Proliferation Security Initiative (PSI), comparing the origins, operation, and relative success of each. The article challenges the idea that PSI might serve as a successful model for countering malware proliferation, examining several basic questions about governing proliferation to offer insight into cybersecurity for the research and practitioner community. Looking at both intentional proliferation, through alliances, proxy relationships, or the malware markets, and unintentional proliferation, the article outlines key ideas in cybersecurity and underlines the challenges to governance. Concluding, the article argues PSI is a poor model to address malicious software, but that there are two substantive goals which may see more success: creating legal protections for cybersecurity research; and limiting the supply of software vulnerabilities available to attackers. Highlighting these differences between the approaches of Wassenaar and the PSI, this article presents cybersecurity as an interdependent ecosystem of people and ideas suitable for examination rather than being inaccessible or a purely technical space.