Private-Sector Cyberweapons: Strategic and Other Consequences
25 Pages
Posted: 9 Sep 2016
Date Written: June 15, 2016
Abstract
The cyber domain exhibits a sovereignty gap: the government cannot protect the private sector against all relevant threats. The challenge of cybersecurity, therefore, is essentially one of civil defense: how to equip the private sector to protect its own computer systems in the absence of decisive government involvement. Ordinarily, civil defense in the new domain has involved passive measures, such as resilience and redundancy. Passive measures, however, will not redress the sovereignty gap unless they are complemented by a proactive approach — especially the techniques of “active defense,” which attempt to neutralize threats before they are carried out. Yet presently the authority to implement active defense belongs exclusively to the government. Top officials in the United States and other countries have called for changes in law and policy that would bolster the private sector’s ability to conduct active defense, such as by inserting web beacons or disabling external hostile machines. This paper explores the possible strategic and other consequences of arming the civilian quarters of cyberspace with active defense capabilities. It argues that while the potential defensive and other benefits of private-sector arms are significant, the risks to defenders, innocent third parties, and international conflict stability are notably greater. Cyber civil defense, in short, should remain a reactive enterprise. The paper also explores the meaning of active defense — an ambiguous and contested notion that lies at the heart of contemporary debates about cyber strategy and policy in the Journal of Cybersecurity. Some observers claim that active defense involves actions taken within the defender’s own computer terrain. Others also claim that it entails disruptive action. This paper develops a different definition: it defines active defense as any defensive action — disruptive or undisruptive or both — that a defender conducts beyond the home perimeter.
Keywords: Cyberattack, Cyber-Exploitation, Private Security, Active Defense, Civil Defense, Attribution, Escalation, Retaliation, Law, Militias, Offensive Cyber