[ISN] 'Stand Your Cyberground' Law: A Novel Proposal for Digital Security

From: InfoSec News <alerts_at_private>
Date: Wed, 2 May 2012 01:48:26 -0500 (CDT)

Dr. Patrick Lin
The Atlantic
April 30, 2012

With the Cyber Intelligence Sharing and Protection Act (CISPA), we're in 
a political tug-of-war over who should lead the security of our digital 
borders: should it be a civilian organization such as the Department of 
Homeland Security (DHS), or a military organization such as the 
Department of Defense (DoD)? I want to suggest a third option in which 
government need not be involved--a solution that would avoid very 
difficult issues related to international humanitarian law (IHL) and 
therefore reduce the risk of an accidental cyberwar or worse. This 
option models itself on the (admittedly controversial) "Stand Your 
Ground" law that's rooted in our basic right to self-defense, and it 
authorizes counter-cyberattacks by private companies, which have been 
the main victims of harmful cyberactivities by foreign actors to date.

Why We Need More Options

First, as a nation of law, we may not be ready yet for government to 
lead cyberdefense against foreign adversaries. To do so would trigger 
serious and unresolved issues with IHL, also known as the laws of war, 
which include the Geneva and Hague Conventions as well as binding rules 
established by the International Committee of the Red Cross. For 
instance, IHL requires that we take care in distinguishing combatants 
(such as military personnel) from noncombatants (such as most civilians) 
when we use force. Yet containing any cyberattack to lawful military 
targets is perhaps impossible today; even the Stuxnet worm against 
Iranian nuclear facilities has infected more than 100,000 private, 
civilian computers worldwide, including in the US. Any cyberattack would 
likely go through civilian infrastructure; for example, the Internet is 
not owned by the military, in the case where that's the delivery channel 
for the attack. If civilian programmers were to be involved--let's say 
the government enlists the help of Google or Microsoft employees in 
designing a cyberweapon--then those computer scientists and engineers 
may transform into legitimate targets for retaliation in either a cyber 
or kinetic (i.e., bullets or bombs) war.

Other IHL issues that we have yet to settle, but would need to for a 
state actor to lawfully and justly engage in armed conflict, include the 
principle of proportionality: a counterattack must apply the minimum 
force necessary to achieve military objectives, yet how effective any 
cyberattack would be is largely unknown. We might launch several 
cyberattacks to ensure that at least one of them goes through; but if 
all of them work, then the resulting damage could be disproportionate or 
overkill. This and other issues I won't discuss here--such as the 
problem of attribution or knowing who attacked us and deserves to be our 
target--add up to a real risk that the US might act improperly and 
illegally given IHL, and this could trigger either a cyber war, or a 
kinetic war, or both.


Received on Tue May 01 2012 - 23:48:26 PDT