Recent reports that the Obama administration has begun pursuing US Senate approval for ratification of the Comprehensive Test Ban Treaty don’t sound entirely credible. It might be that the administration wants to flag the issue as ‘unfinished business’. A US official suggested as much in a recent speech, observing that the administration was focused on ‘an open dialogue, rather than a timeline, to refamiliarize Senators with the Treaty’. But we’re only a year out from a presidential election. And it would be courting disaster to resubmit the treaty for the Senate’s ‘advice and consent’—it was rejected in 1999—unless the administration was sure it would pass.

Why are constraints on nuclear testing so contentious? Back in the 1980s and 1990s, the debate about testing was especially lively. Advocates of continued testing argued that it contributed to four technical objectives: modernisation of the arsenal, improved safety and security of warheads, stockpile reliability, and a better appreciation of weapons effects. Critics of testing argued that it contributed to the relentless progress in weapons development, harmed the environment, and made proliferation easier for new nuclear weapon states.

Believers can be found on both sides of the argument. And for those people, the decision’s about politics as much as it’s about technical factors. Some think that retaining a right to test retains an important capacity both to signal determination to an adversary and to respond to a sudden technological shift. On the other side of the argument, some say that ratifying the CTBT now signals a renewed commitment to the ageing framework of international arms control.

Do actual tests still matter? True, in the advanced nuclear weapon states computer simulation now allows ‘virtual testing’. But not all nuclear weapon states have equal access to those simulations, nor to the material data upon which they are based—and nor would we want them to. If North Korea could enhance and miniaturise its warheads without further testing, the gains from a test ban would be less clear cut. In short, there’s an irony in steadily-improving simulation techniques: the more they improve and spread, the less valuable a ban on actual tests. It was frequently argued during the 1990s that a CTBT would ‘lock-in’ Western technical advantages in nuclear weapon design, for the simple reason that the US had conducted more nuclear tests than anyone else. That argument’s still true, but weakening as other countries’ simulation models improve.

Today’s advocates of CTBT ratification are especially keen to put to work the global seismic verification system that’s been built since the 1990s. They see this as a solution to the traditional problem of verification that dogged test-ban worries in the 20th century. Then, small nuclear tests were seen as especially problematic. I can remember one suggestion at the time that the CTBT should permit any nuclear detonation which could be safely contained in a sealed above-ground container, for the simple reason that such tests would be exceedingly difficult to detect—unless, of course, they burst the container.

Decoupled tests—in which nuclear devices are detonated within a previously excavated underground cavity—were also of concern. US anxieties on that score go way back to the mid-1960s, when the Americans conducted a series of nuclear and chemical explosions at the Tatum salt dome in Mississippi. Today’s global seismic system probably offers better capabilities against really weak seismic signals, but I’m not sure it’s ever been tested against a country working actively to conceal a nuclear explosion. The North Koreans made few efforts to conceal their tests. And the Indians and Pakistanis wanted to advertise their nuclear status with their 1998 tests.

Australia has long been an advocate of a CTBT, driven in part by its own experience as a nuclear test site for the British program and its consciousness that the Pacific seemed to bear the brunt of the early-US and late-French testing programs. But the CTBT hasn’t featured much in Australian arms control thinking since 1999, when the treaty failed to attract US Senate approval last time around. Not surprisingly, the post 9/11 world has offered a variety of distractions. And meanwhile, the signatories of the treaty have abided by their commitment not to test, so at least some of the benefits of the treaty have been available without having to jump the most difficult hurdles.

Still, the treaty hasn’t yet entered into force. And it won’t do so anytime soon; not until the 44 countries specifically identified in Annex 2 as ‘nuclear-capable’ have all signed and ratified the treaty. Only 36 have done so. Five of the 44—the US, China, Israel, Egypt and Iran—have signed but not ratified. Three—Pakistan, India, and North Korea—haven’t even signed, and it’s possible all three have deliberately chosen to keep open the possibility of a return to testing.

So, are we about to embark on one more crusade to conclude a CTBT? Well, a slow-motion effort certainly seems to be under way in Washington—an effort intended gradually to put the issue back on the agenda. But it’s hard to see much happening soon. And getting the US Senate on board is only one of a number of challenges.

Nuclear deterrence theory is often seen as the go-to solution to cyber instability. After suffering a sequence of alleged Chinese hacks on its corporations and government departments, the US prepared a suite of potential economic sanctions for China in the hope of bringing Xi Jinping to the negotiating table and deterring future attacks. This move came in the wake of public commentary citing the need for a ‘cyber equivalent of a nuclear deterrent’ and a US shift towards a more offensive cyber posture, as seen in the Department of Defences’ April Cyber Strategy that outlines the importance of ‘effective response capabilities to deter an adversary from initiating an attack.’

That language is a clear attempt to apply nuclear deterrence theory to international cyber relations. Deterrence by punishment uses the threat of an unacceptable cost to make an attacker’s perceived reward no longer justifiable. This strategy prevented the Cold War from turning ‘hot’ and some hope this stabilising affect can be brought to bear in cyberspace. The threat of sanctions may have helped facilitate the Sino–US ‘common understanding’ in Washington last month, which has been interpreted as an ‘historic’ shift in relations. This was followed soon after by news that Chinese police recently arrested hackers at the request of the US government. Unfortunately, the Washington agreement lacks tangible enforcement measures and the arrests, likely an attempt to ease tensions in the weeks leading up to Xi’s trip, weren’t the first time China has obliged the US in this way. The lingering threat of US punishment is unlikely to be a successful deterrent in the long-term, with experts expecting hacks to continue unabated. Such attempts to apply nuclear deterrence theory to cyberspace will likely generate no lasting change for three reasons.

First, in order for an adversary to be deterred from taking an unwanted action, the deterring state must be able to identify and articulate the behavioural red line past which the adversary will be punished. The binary nature of nuclear weapons makes this simple. However, it’s far more challenging to establish a threshold for retaliation in cyberspace due to the continuous spectrum of actions possible and absence of a ‘red button’.

This challenge is visible in the US’ current deliberations over how to respond to China’s alleged hacking of the Office of Personnel Management (OPM) in June this year. The former Director of both the CIA and the NSA, Michael Hayden, argued that the OPM breach represented a ‘legitimate foreign intelligence target’. However, other US officials are divided over whether the sheer size of that intrusion changes things. Normative behaviour in cyberspace is still yet to be determined and entrenched so the credibility of a deterrence threat is undermined, as there’s no confidence in what behaviour will or won’t be punished. As The Diplomat’s headline put it: ‘America Can’t Deter What It Can’t Define in Cyberspace’.

Second, low detection levels of the majority of hacks pose another obstacle to deterrence. A threat is only effective if the perpetrator believes they will be caught. This isn’t an issue for nuclear deterrence, thanks to missile trajectory analysis and the limited number of potential culprits. However, high frequency/low intensity cyber intrusions often slip under the radar—35­­-70% of all hacks go undetected. These hacks are individually insignificant, however in aggregate they represent a persistent syphoning of intellectual property and government data through a salami-slicing tactic. So, even if an adversary was convinced of the credibility of a threat, it may fail as a deterrent if they think that they can succeed unnoticed.

Third, the difficulty and desirability of the attribution process undermines deterrent threats. Network technologies weren’t designed with identity in mind, and as a result it’s challenging to determine the specific computer that launched the attack, let alone who was operating that computer. Adversaries aren’t discouraged by a threat if they don’t expect to be identified. For example, ISIS was thought to be responsible for the highly sophisticated hack of TV5 Monde earlier this year, and it’s only recently been discovered that it was in fact the work of a Russian group called APT28. Attribution is a risky business: misinformed retaliation could translate into an attack on an innocent party, the creation of a new enemy and an escalation of conflict.

Moreover, even if a perpetrator could be accurately identified, attributing blame may be a pyrrhic victory. In the rules-based international order, a state may have to expose valuable data resources, detection capabilities or assets in order to prove the guilt of the party on whom they are enacting punishment. Revealing those capacities may compromise ongoing operations and capabilities, resulting in a tactical win but a strategic loss.

Cyber retaliation is all well and good if the end is punishment itself, however if a state is seeking to establish a deterrent, this approach is likely to leave them disappointed. Governments must be cautious of pursuing a policy that’s not only unlikely to work, but also risks escalating tensions and exposing vital intelligence assets. As former Deputy Secretary of Defense William Lynn foreshadowed in 2010, the unique qualities of cyberspace necessitate that cyber deterrence ‘be based more on denying any benefit to attackers than on imposing costs through retaliation.’

The US Third Circuit Court of Appeals has affirmed the Federal Trade Commission’s (FTA) authority to charge corporations over insufficient levels of cybersecurity. Wyndham Worldwide, the parent company of several hotel chains is being taken to court by the FTA for the company’s alleged failure to protect customers’ personal data, which resulted in more than 600,000 customers having their credit card details stolen between 2008 and 2010. This court ruling marks a significant step towards reaffirming the powers of the FTC, setting legal precedent for cybersecurity liability and raising questions in regards to other large-scale corporate breaches, like those which affected Target in 2013 and eBay last year.

After their well-publicised hack of a Jeep Cherokee, computer security engineers Charlie Miller and Chris Valasek have been hired by Uber. You might recall that the duo exploited the vulnerabilities of Fiat Chrysler’s Uconnect software in order to remotely manipulate the Jeep’s blinkers, navigation, brakes and steering; Jeep responded by recalling 1.4 million vehicles. Miller and Valasek will now be working at Uber’s Advanced Technology Centre in Pittsburgh which is currently researching autonomous car technologies. While questions have been raised over the potential PR motives behind the hiring, this move comes as part of a much broader talent acquisition program which has recently poached more than 100 engineers from different divisions of Google.

The White House is reportedly in the process of crafting a suite of sanctions targeting Chinese firms responsible for corporate cyber espionage. Informed by an executive order made by Obama in April, the US has shortlisted five state-owned and private Chinese firms that steal trade secrets from American companies. Retribution for activities in cyberspace wouldn’t be an unprecedented move, with the US having imposed sanctions on North Korea after the Sony hack in 2014. The discussion is occurring at a politically precarious moment, only weeks before Chinese President Xi Jinping makes his first state visit to Washington. Some are in favour of the move, arguing that it will act as a vital deterrent for future cyberthefts, while other are wary that this could escalate Sino-US tensions and cause economic retaliation. A decision is expected to be reached in the coming weeks, and will undoubtedly impact the outcomes of the visit, with the spokesperson of the Chinese embassy in Washington advocating for ‘enhanced dialogue and cooperation’ between the two parties.

An American teenager has been sentenced to 11 years in prison for supporting Islamic State. Ali Shukri Amin, a 17 year old high school student from Virginia, has been convicted of running an influential pro-ISIS Twitter account with the handle @Amreekiwitness, which accrued more than 4,000 followers. In addition to his social media outreach, Amin raised funds for the terrorist organisation by giving tutorials on how to use the cytpocurrency, Bitcoin. The teen’s jail sentence has sparked debate over whether the government is being overly harsh on those who, while expressing hateful views, possess no capacity to inflict actual harm. However, Amin was also accused of radicalising a fellow teen who proceeded to travel to Syria as a foreign fighter.

Japan’s Internal Affairs and Communications Ministry will execute large-scale simulated cyberattacks in order to prepare for the 2020 Tokyo Olympics and Paralympics. The new National Centre of Incident Readiness and Strategy for Cybersecurity will run drills to anticipate and prevent likely cyberattacks on critical infrastructure and processing systems.  The urgency is fuelled by a lack of public confidence in the government’s cybersecurity following the data breach of the Japan Pension Service earlier this year. Starting in the 2016 financial year, Japan will allocate more than ¥1 billion to the effort, however a shortage of trained cyber security experts remains a critical obstacle.

The Chinese Assistant Foreign Minister, Zheng Zeguang, set the tone for the recent ARF Cyber Workshop in Beijing when he said there should be three priorities for the nations gathered in the room. First, that they should ‘respect each other’ and ‘build political consensus’ on cyber capacity-building. According to Zheng, that’s because Asia–Pacific nations ‘differ and have different requirements’ and that there was a need to ‘accommodate all of those on the basis of mutual respect and the need for common development’. His second point was that the ASEAN Regional Forum should take a ‘pragmatic’ approach to ‘build cyber capacity together’ to include joint research on both software and hardware as well as information sharing, and that nations with greater capabilities should work to build the capacity of those that don’t. Third, this should be done in a way that all ASEAN Regional Forum members can ‘benefit together from the digital economy’.

Many of these themes should be present in the keenly anticipated and snappily titled, ‘ASEAN Regional Forum Work Plan on Security of and in the use of Information and Communications Technologies (ICTs)’, to be released by the ARF. The key purpose of the work plan is to promote a peaceful, secure, open and cooperative cyber environment, and prevent conflict and crises in cyberspace through building confidence between states in the region and capacity building.

Minister Zheng’s comments appear to resonate well with the work plan’s narrative; that the region is approaching the point of an emerging consensus on cyber capacity in the region shouldn’t be underestimated. However, the key to all of this is the interpretation of his three points, and members states’ interpretations will vary wildly depending upon where on the political ideological spectrum they sit. This became evident as the ARF progressed and the key messages emerged from some of the presentations.

The message—that cyber capacity building is going to take place in the Asia–Pacific and the ‘big players’ are getting ready to lead this effort in earnest—was clear and was received in no uncertain terms by all present. This is a positive message, as some presenters went to great pains to point out, the digital divide is still evident in the Asia-Pacific and the gaps between the ‘haves’ and the ‘have-nots’ is growing quickly. Creating some baselines will assist in raising security, stimulate economic growth and lower the potential for miscalculation or misinterpretation.

As a keen listener to the presentations it felt like the Chinese were couching themselves amongst those that were developing in this area, and to a degree this is true. Only 46% of the population has internet access which gives enormous capacity for growth, and China is only beginning to cultivate an innovation culture in this area. But this seems counter to their wish to be considered part of new ‘great power relations’ which would place China on a more level playing field with the US. Rather, the image of a fellow developing nation makes the Chinese less imposing to its smaller neighbours when it offers its cyber capacity building wares. And this could reduce suspicion of their true motives when they offer to build entire networks.

Let’s not kid ourselves that the US will differ much in its approach, despite its claims of an entirely altruistic agenda. Cyber capacity building will be used to re-enforce existing alliances and friendships and strike up new ones. Illustrating how easily the capacity building agenda will become part of the broader contest for strategic influence in the Asia–Pacific.

There are many regional nations regionally who find it hard not to accept China’s assistance in cyber capacity building. That assistance will be delivered through the lens of ‘techno-nationalism’. This part of the discussion from Chinese presenters emphasised the capability of Chinese industry to develop affordable computing for all, and how companies such as Alibaba are driving new innovative business models within China.

This can’t be disputed, but this goes hand in glove with President Xi’s ambitious drive to place China as a major cyber power. Xi’s plan includes nationalising the ICT base of China and creating an environment that pushes China to the forefront of technological advancements and gives its companies a competitive edge over foreign enterprises. It also includes the introduction of draft cyber security legislation which further legislates for content control, allows the Chinese authorities to cut internet access during public security emergencies, and set up alert systems and emergency-response measures. Furthermore, it calls for technology that supports crucial sectors to be ‘secure and controllable’ which lends itself easily to requirements for companies to build in ‘back-doors’ allowing third party access to systems, provide encryption keys or hand over source code.

Nations which are being given capacity building assistance by China will, of course, be presented policy and technical advice flavoured by this kind of techno-nationalism. They’ll need to be conscious of whether it’s the correct approach for them. Developing nations such as Myanmar, Cambodia or Laos who are at the beginning of the ICT development journey are already being wooed by all sides. They must think carefully about the kind of cyber ‘blueprint’ they want to develop.

At the heart of the international effort to stop Iran from developing nuclear weapons has been the knowledge and understanding that Iran is a dangerous, expansionist rogue country and a leading state sponsor of terrorism that must be prevented from obtaining even the capability to produce the world’s most dangerous weapons.

The newly unveiled Iran nuclear agreement represents an historic mistake for the simple reason that it has traded—and even the deal’s crafters admit this—at best a temporary delay in Iran’s drive towards nuclear weapons for permanent international legitimisation of Iran’s nuclear program. It will also lead to a supercharging of Iran’s economy and conventional military capabilities and a removal of all penalties for Iran’s global terror activities, past and present.

This agreement lavishly rewards Iran for embarking on its illegal nuclear program, changes the balance of power strongly towards the Iranian bloc, and promotes Iranian hegemony in the Middle East despite the fact that its expansionist international agenda and repressive domestic policies persist.

This is a concern shared not only by Israel, threatened by Iranian proxies on its Gaza and Lebanese borders, but other countries in the region. Indeed, we can see Iran’s ‘handiwork’ throughout the Middle East; whether through support of the murderous Assad regime in Syria, Shiite interests in Iraq or the Houthis in Yemen—and all this happening even under sanctions. Such Iranian terror sponsorship and military intervention is certain to increase exponentially from the $150 billion windfall that Teheran is expected to reap from the lifting of sanctions as a result of this agreement.

When and why did the global objective to stop Iran acquiring nuclear weapons get downgraded to stop building a nuclear bomb for only the next 10–15 years? Alarmingly, this agreement paves the way for Tehran to develop a nuclear weapons capability whether it follows the terms of the deal or not. If Iran decides to violate the deal in a selective and piecemeal fashion—not improbable given its track record of cheating—the contrived, ‘managed’ inspection scheme combined with vague, tardy compliance mechanisms, will make it extremely difficult to hold Iran accountable.

Western demands during negotiations for ‘anywhere, anytime’ inspections have been diluted in the final agreement to ‘sometime, someplace’ inspections that Iran will find easy to avoid. It’ll take at least 24 days to force Iran to agree to a ‘snap’ inspection!

Meanwhile, the highly-touted ‘snap-back sanctions’ feature of the agreement that the US insisted would keep Iran wary of any violations has been exposed as a toothless gimmick. Not only would it not apply retroactively to contracts signed between now and the time the sanction is reimposed, but a UN Security Council resolution draft on the agreement being written with full US support would nullify all previous UN sanctions on Iran in 10 years—regardless of Iran’s actions. To put it succinctly, after 10 years, it appears there will be no sanctions to ‘snap back’ to.

In terms of infrastructure, nothing is permanently scaled back, no nuclear sites shut down, and nothing actually dismantled yet Iran can advance certain aspects of their program. Significantly, any curbs on Iran’s research and development of faster centrifuges are temporary. This means that breakout time to the enriched material for a bomb once the agreement concludes would almost certainly be measured in days or weeks, not months. Alarmingly, the deal places no restrictions on Iran’s intercontinental ballistic missile program—useful only as a delivery system for a nuclear warhead, and nothing else.

The end of the arms embargo of Iran will touch off a conventional arms race between Iran and the Gulf Sunni states, while Saudi Arabia has already vowed to procure nuclear weapons if Iran succeeds in developing them. Proponents argue it’s the best possible deal that could be achieved claiming that there was no alternative, except war. Yet President Obama and Secretary of State Kerry previously said that having no deal would be preferable to a bad deal. They are now in effect arguing that any deal by which Iran agrees to limit its nuclear activity in any way is by definition a ‘good deal’ because it is better than war or Iran simply ‘racing’ to a bomb.

In fact, no deal would have been infinitely better than the bad deal delivered. And good diplomatic deals are possible as President George W. Bush’s agreement leading to the total dismantling of Libya’s elaborate nuclear infrastructure in 2003 demonstrates. And one must recall that Iran did pause its nuclear activity in 2003 soon after the US invasion of Iraq. Yet with the credibility of a US military strike reduced as a result of President Obama’s view—well understood in the region—that military action would be even worse than Iran’s eventual acquisition of a nuclear capability, the potential dividends of coercive diplomacy have been squandered.

Indeed, simply renewing indefinitely the Geneva 2013 interim nuclear deal would have been preferable, because it would have kept the sanctions and arms embargo in place, maintaining pressure on Iran over time to abandon its costly nuclear program.

In Washington, all the Republican presidential contenders and informed Democratic and Republican lawmakers are trenchantly exposing the inherent flaws in this deal. Congress has the power to demand the White House strikes a better agreement by overriding a promised presidential veto and prevent the removal of sanctions that this deeply dangerous agreement depends upon.

These rightly troubled US lawmakers have an uphill battle to mobilise enough Congressional support to insist the White House renegotiates a better agreement that will help secure, rather than destabilise, regional and global affairs.