Though problematic, authorizing industry victims to counterattack may prove a good stop-gap measure to remove the political risk of government intervention while still creating deterrence.
With the Cyber Intelligence Sharing and Protection Act (CISPA), we're in a political tug-of-war over who should lead the security of our digital borders: should it be a civilian organization such as the Department of Homeland Security (DHS), or a military organization such as the Department of Defense (DoD)? I want to suggest a third option in which government need not be involved at all: a solution that would sidestep very difficult issues of international humanitarian law (IHL) and therefore reduce the risk of an accidental cyberwar or worse. This option models itself on the (admittedly controversial) "Stand Your Ground" laws, which are rooted in our basic right to self-defense, and it would authorize counter-cyberattacks by private companies, which have been the main victims of harmful cyberactivities by foreign actors to date.
Why We Need More Options
First, as a nation of laws, we may not be ready yet for government to lead cyberdefense against foreign adversaries. To do so would trigger serious and unresolved issues with IHL, also known as the laws of war, which include the Geneva and Hague Conventions as well as the customary rules documented by the International Committee of the Red Cross. For instance, IHL requires that we take care to distinguish combatants (such as military personnel) from noncombatants (such as most civilians) when we use force. Yet containing any cyberattack to lawful military targets is perhaps impossible today: even the Stuxnet worm aimed at Iranian nuclear facilities has infected more than 100,000 private, civilian computers worldwide, including in the US. Any cyberattack would also likely pass through civilian infrastructure; the Internet, the most probable delivery channel, is not owned by the military. And if civilian programmers were involved, say because the government enlisted the help of Google or Microsoft employees in designing a cyberweapon, then those computer scientists and engineers could become legitimate targets for retaliation in either a cyber or kinetic (i.e., bullets or bombs) war.
Other IHL issues that we have yet to settle, but would need to before a state actor could lawfully and justly engage in armed conflict, include the principle of proportionality: the harm a counterattack causes must not be excessive relative to the military objective it achieves, yet how effective any cyberattack would be is largely unknown. We might launch several cyberattacks to ensure that at least one of them gets through; but if all of them work, the resulting damage could be disproportionate, or overkill. This and other issues I won't discuss here, such as the problem of attribution (knowing who attacked us and therefore who deserves to be our target), add up to a real risk that the US might act improperly and illegally under IHL, and this could trigger a cyberwar, a kinetic war, or both.
In thinking about cyberpolicy, it's natural to look for familiar analogies to guide us. Some have argued that we should follow the policy model for nuclear arms, or outer space, or Antarctica, and so on; none seems quite right. As imperfect as analogies inevitably are, let's take another look at one candidate: the "Wild West" of American history. Both the Wild West then and cyberspace now are marked by general lawlessness; bad guys often operate with impunity against private individuals and companies, and against whatever government exists in those realms, such as the lone sheriff. The distinctively American solution to the Wild West was found in the Second Amendment to the US Constitution: the right to bear arms. As more private citizens and organizations carried firearms and could defend themselves, more outlaws were deterred, and society as well as the rule of law could then stabilize and flourish. We find the same thinking in current "Stand Your Ground" laws that authorize the use of force by individual citizens. If such laws make sense, could this model work for cyberspace?
Why It Could Work
Not to endorse this solution (or "Stand Your Ground" laws) but merely to offer it for consideration as a new option: what if we authorized commercial companies to fight cyberfire with cyberfire? As in the Wild West, civilians are the main victims of pernicious cyberactivities. Some estimate that industrial cyberespionage costs US companies billions of dollars a year in lost intellectual property and other harms. As in the Wild West, they now look to government for protection, but government is struggling badly in this role, for the reasons above and others. If we consider the US as one member of the world community, there is no clear authority governing international relationships, and this makes our situation look like a "state of nature" in which no obvious legal norms exist, at least with respect to cyber.
This option isn't completely outlandish, because precedents or similar models exist in the physical, nondigital world today. On the open sea, commercial ships are permitted to use armed force, including shooting to kill, against would-be pirates. Security guards for banks are allowed to shoot fleeing robbers. Again, "Stand Your Ground" laws, which give some authority and immunity to citizens who are being threatened or attacked, operate on the same basic principle of self-defense, especially where few other options exist.
A key virtue of "Stand Your Cyberground" is that it avoids the unsolved and paralyzing question of what a state's response can be, legally and ethically, against foreign-based attacks. The wrong move could become a war crime or provide an adversary with just cause to respond with force. Without a clear US cyberpolicy, there's not much deterrent against would-be attackers. Even when we know who has attacked us, there's little political will to do anything about it, much less retaliate; so big talk about counter-cyberattacks by the state seems to be a nonstarter.
Perhaps the reason we haven't heard open calls for this option is that commercial companies are fearful of the legal consequences or liability of counterstriking, and rightly so. Part of the proposed solution, however, is to give them some immunity under a presumptive right to self-defense. Companies could still be mistaken in identifying and retaliating against a suspected attacker, but the same risk exists with current "Stand Your Ground" laws. Also, attributing an attack is a difficult problem even for the military and the broader government, so we can't expect that a national response will always get it right either.
This is to say that a "Stand Your Cyberground" option isn't necessarily worse with respect to attributing attacks, and we can create safeguards to make it better. Any cases of misidentification or unreasonable action, a corporate George Zimmerman-like case, can be adjudicated under a standard of reasonable proof. An international convention may be needed to set that standard of proof, but this seems easier to reach than broad international agreement on a standard or "red line" that would authorize a military response. Our competitors, such as China, explicitly disavow IHL, the laws of war, as the proper frame for disputes and activities in cyberspace. An economic dispute may be easier to negotiate than a political or military one, which may force the United Nations, the International Criminal Court, and other such organizations to become involved where state-sponsored attacks occur.