http://www.theatlantic.com/technology/archive/2012/04/stand-your-cyberground-law-a-novel-proposal-for-digital-security/256532/ Dr. Patrick Lin The Atlantic April 30, 2012 With the Cyber Intelligence Sharing and Protection Act (CISPA), we're in a political tug-of-war over who should lead the security of our digital borders: should it be a civilian organization such as the Department of Homeland Security (DHS), or a military organization such as the Department of Defense (DoD)? I want to suggest a third option that government need not be involved--a solution that would avoid very difficult issues related to international humanitarian law (IHL) and therefore reduce the risk of an accidental cyberwar or worse. This option models itself on the (admittedly controversial) "Stand Your Ground" law that's rooted in our basic right to self-defense, and it authorizes counter-cyberattacks by private companies, which have been the main victims of harmful cyberactivities by foreign actors to date. Why We Need More Options First, as a nation of law, we may not be ready yet for government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved issues with IHL, also known as the laws of war which include Geneva and Hague Conventions as well as binding rules established by the International Committee of the Red Cross. For instance, IHL requires that we take care in distinguishing combatants (such as military personnel) from noncombatants (such as most civilians) when we use force. Yet containing any cyberattack to lawful military targets is perhaps impossible today; even the Stuxnet worm against Iranian nuclear facilities has infected more than 100,000 private, civilian computers worldwide, including in the US. Any cyberattack would likely go through civilian infrastructure; for example, the Internet is not owned by the military, in the case where that's the delivery channel for the attack. If civilian programmers were to be involved--let's say the government enlists the help of Google or Microsoft employees in designing a cyberweapon--then those computer scientists and engineers may transform into legitimate targets for retaliation in either a cyber or kinetic (i.e., bullets or bombs) war. Other IHL issues that we have yet to settle, but would need to for a state actor to lawfully and justly engage in armed conflict, include the principle of proportionality: a counterattack must apply the minimum force necessary to achieve military objectives, yet how effective any cyberattack would be is largely unknown. We might launch several cyberattacks to ensure that at least one of them goes through; but if all of them work, then the resulting damage could be disproportionate or overkill. This and other issues I won't discuss here--such as the problem of attribution or knowing who attacked us and deserves to be our target--add up to a real risk that the US might act improperly and illegally given IHL, and this could trigger either a cyber war, or a kinetic war, or both. [...] _______________________________________________ LayerOne Security Conference May 26-27, Clarion Hotel, Anaheim, CA http://www.layerone.orgReceived on Tue May 01 2012 - 23:48:26 PDT
This archive was generated by hypermail 2.2.0 : Tue May 01 2012 - 23:46:37 PDT