To give a concrete example of your excellent point:
You could hack into missile guidance systems and have the missiles all route to the Pacific ocean -- having the boards fritz-out is a MUCH less powerful weapon, blowing up the factory for missiles is much less powerful than that. I'm sure if Stuxnet could make the machinery seem to work but not give them good enough materials to build anything worthwhile, (1) those engineers would have done that, and (2) the public would still not know about it.
This is perhaps the best argument for cyber-weapons, too (the intelligence/espionage element): it inverts the incentives. You build a gun, I need a better gun. You have a bomb, I need a bigger bomb that kills more people and destroys more and more. But cyber-weapons? Best cyber-weapons change the very least possible to accomplish the actual objective.
Breaking the ENIGMA, for instance, didn't change every single tactical choice for the Allies. To do so would eliminate a large portion of the benefits.
The drawback is that they require systematic vulnerabilities to work; therefore the rhetoric for state-sponsored malware demands systems deliberately be left vulnerable to attack, either by failing to fix vulnerabilities found or deliberately inserting them (as in by backdoors)
This has a global effect. The "enemy" uses the same things you do. A weapon to attack them demands weaknesses in everyone's armour, including your own.
They are so easily reverse-engineered and repurposed to attack you or third parties, so easily developed by low-budget or non-state actors, and so easily misattributed, that they exhibit all the same essential properties as biological weapons.
I think state-sponsored malware should be banned, by international treaty, and I say this as someone with expertise in the field.
So, let's tease out a couple ideas here, that way I can address your core idea at its best.
>They are so easily reverse-engineered and repurposed to attack you
You probably meant just third parties here. No one is checking government machine's patch level and demanding an explanation -- if they have the exploit they probably patched any vulnerable systems before they used it.
> I think state-sponsored malware should be banned, by international treaty
So, espionage is largely _already_ banned by international treaty, including fairly specific rules about how, if you are a soldier down behind enemy lines you can escape using a disguise but not if you are a spy (I hope this conveys how bizarre international law is, the idea that if a spy is caught that their use of a disguise will play a factor in their fate).
Suffice it to say, you want a "soft ban", because you want them to not be used in reality (not just that you don't want them used in threat gestures, etc. -- plus you can't really rely on international law for things like this, as we've seen by recent NSA leaks as well as Merkel's response to learning she was personally wiretapped).
----
Most importantly: you have an argument that is too general. You could make _precisely the same argument_ in defense of banning pistols in any wars. (1) enemy is symmetrically offensive; (2) if there exist defenses, your opponent is likely to use them; (3) this leaves you largely unprotected to isomorphic attacks for all useful versions of this weapon (soldiers can still die from gunshot wounds); (4) similar technology can be devised by your opponents; (5) guns can be developed by low-budget or non-state actors; (6) direct attribution for gun crime is difficult (about half of murders in the US go unsolved, and that's not in a war zone).
So governments paying for pistols is too dangerous and should be "soft banned" or banned by international treaty.
I believe you have a more complex belief that would provide for much better discussion (subject matter experts typically do). Would you mind expanding on your ideas and sharing?
You could hack into missile guidance systems and have the missiles all route to the Pacific ocean -- having the boards fritz-out is a MUCH less powerful weapon, blowing up the factory for missiles is much less powerful than that. I'm sure if Stuxnet could make the machinery seem to work but not give them good enough materials to build anything worthwhile, (1) those engineers would have done that, and (2) the public would still not know about it.
This is perhaps the best argument for cyber-weapons, too (the intelligence/espionage element): it inverts the incentives. You build a gun, I need a better gun. You have a bomb, I need a bigger bomb that kills more people and destroys more and more. But cyber-weapons? Best cyber-weapons change the very least possible to accomplish the actual objective.
Breaking the ENIGMA, for instance, didn't change every single tactical choice for the Allies. To do so would eliminate a large portion of the benefits.