New technologies are emerging at a dizzying pace, and arms control agreements cannot seem to keep up. My Brookings colleague Amy Nelson examines how the increased speed of technological change is creating holes in existing arms control agreements and how policymakers might better respond as the speed of change continues to grow.

But it is not only state behavior that is undermining arms control. The regimes are being disrupted by the rapid pace of technological change in three key ways. First, industrially advanced nations (and aspiring ones) are accelerating the rate of development for innovations. New technologies are emerging too quickly for working group members—typically a combination of technologists and diplomats—to keep control lists current with emerging threats. Second, the technologies underlying existing weapons, platforms and systems—from the schematics for how they’re made to the software that makes them run—are being digitized, and newer technologies are emerging in digital formats that circumvent existing regulation. Third, the combination of accelerated innovation and digitization is contributing to the digital diffusion of technologies that augment the risk of proliferation and enable states to maintain latent military capabilities.

Existing arms control regimes are failing to adapt to these technological shifts. If arms control, already embattled by compliance violations and withdrawals, is to meet the moment, states need to muster the political will to address its challenges and shore up the existing nonproliferation architecture from the bottom up.

included the modernization of the Wassenaar Arrangement’s control list to include network-penetration software that countries can use to monitor networks and surveil network communications. This effort was fraught because of the dual-use nature of the software, which could at once be used to monitor a state’s own computer networks to prevent unwanted intrusion and also be misused by a surveilling state, for example, to monitor its citizens’ online activity. The proposed controls were aimed at preventing oppressive regimes from using this intrusion software to spy on their own citizens or to launch a cyberattack, but the controls were undermined by overly broad language that targeted “cybersecurity items,” which included dual-use software that could be used for monitoring systems and providing security patches—essentially, for spying on a population of network users and improving cybersecurity. Stakeholders, including actors from the private sector, objected in the strongest possible terms. Much of their opposition stemmed from concerns that the controls would inhibit the sharing of threat intelligence with peer companies and would limit “bug bounty” programs that pay researchers (often abroad) to identify potential vulnerabilities in their systems. The U.S. government ultimately initiated a do-over, and controls were successfully negotiated. But the experience of updating the Wassenaar Arrangement has become emblematic of the kinds of problems contemporary dual-use technologies that originate in the private sector wreak on arms control systems.

read more………….