American businesses that launch counterattacks on hackers or others who target them online are hindering progress in enacting international weapons treaties. Here's why.
By Constantine von Hoffman, CIO
Retaliatory cyber attacks launched by corporations represent a significant hurdle for government cyberweapons treaties. Only governments can afford to build things like battleships and anti-ballistic missiles, so treaties meant to govern the use of physical weapons have never had to take private sector use into consideration. As we all know, that isn’t the case with virtual arsenals. Anyone can–and very likely will–get cyber weapons if they really want them.
“Known in the cybersecurity industry as ‘active defense’ or ‘strike-back’ technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant’s own systems.”
The U.S. government also may not be too interested in enforcing these laws if a business is breaking them. Department of Homeland Security boss Janet Napolitano said at least once that the government has contemplated authorizing “proactive” private-entity attacks.
Doing so would have a lot of advantages as far as the government is concerned. It would open new realms of plausible deniability, for one thing. Personally, I think it is a horrible idea, and it may even be un-Constitutional–as if that still matters to anyone. The government “authorizing” private-entity cyber attacks is no different than authorizing private-entity drone attacks. In fact, cyber attacks can do a lot more damage than a drone with a missile. And that is just the start of the problem.
For a cyber-weapon treaty to be even remotely plausible it must require governments to thoroughly police their nations’ private sector cyber attacks as well. I believe the difficulties of enforcement raise significant questions about the value of cyber-weapons treaties. That said, I would like to point out a pretty damn good counter-argument by Bruce Schneier:
“Yes, enforcement will be difficult. Remember how easy it was to hide a chemical weapons facility? Hiding a cyberweapons facility will be even easier. But we’ve learned a lot from our Cold War experience in negotiating nuclear, chemical, and biological treaties. The very act of negotiating limits the arms race and paves the way to peace. And even if they’re breached, the world is safer because the treaties exist.
“There’s a common belief within the U.S. military that cyberweapons treaties are not in our best interest: that we currently have a military advantage in cyberspace that we should not squander. That’s not true. We might have an offensive advantage – although that’s debatable – but we certainly don’t have a defensive advantage. More importantly, as a heavily networked country, we are inherently vulnerable in cyberspace.”
It is worrisome that the United States wouldn’t want to negotiate a treaty because it has an advantage in weapons. That is exactly why a country should negotiate a treaty, because it would have much more clout when it comes to setting an agenda and terms. The U.S. government is insane if it believes we will always have the advantage–if we even have it at all.
(Last year I asked a couple of security types if they had any knowledge of companies launching counter attacks, and they all said no. Clearly I should have kept asking. Hat tip to Reuters for the good work.)