There has been similar discussion in India. In November 2011,
Information Technology Minister Kapil Sibal called for a community of
ethical hackers to help defend Indian networks since "the resource pool of them is very limited in the world." India has also reportedly been considering using patriotic hackers for offensive operations. The Times of India
reported a high-level meeting in August 2010--chaired by National
Security Adviser Shiv Shankar Menon and attended by the director of
the Intelligence Bureau as well as senior officials of the telecom
department and IT ministry--that considered recruiting and providing
legal protection to hackers who would be used to attack the computers of
hostile nations. During a visit that October, several security experts
in Delhi told me that NTRO officials were soliciting hackers on websites and electronic bulletin boards.
China, of course, is widely suspected of using patriotic hackers and cyber militias for defense and offense. According to the Financial Times, Nanhao Group, a web company outside of Beijing, has departments tasked with attacks and defense, and this Chinese report mentions cyber militias in Tianjin's Hexi District. Recent intelligence leaks
and private security reports about cyber espionage suggest that the
Chinese government backs or directs the majority of espionage attacks on
Western and Japanese technology companies, with hackers clocking in and
out between 9am and 5pm Chinese time.
The talent concern is real,
but addressing the problem through cyber militias would be profoundly
destabilizing for the region. Militia members may one day walk out the
door and not only use their skill and knowledge against other states
without authorization, but may also turn them back on home networks.
Military planners would also have to worry, especially during a crisis,
that militias might ignore orders or target off-limit networks,
increasing the risk of escalation and decreasing the ability to signal
intent to the adversary.
The plausible deniability of patriotic hackers is one of their
biggest selling points; states can claim they know nothing about attacks
and can do little to stop them. Technological changes that make
attribution easier, or other forms of intelligence that have the same
impact, would do a great deal to make cyber militias less attractive to
policymakers. In the short term, if regional leaders are not going to
fight the urge to mobilize their own militias, they at least need to
ensure that they know who they should be talking to on the other side if
a crisis breaks out and they must be able to establish clear lines of
communication. In the longer term, ASEAN or other regional groupings
would be wise to promote a norm of state responsibility for cyberattacks
emanating from within a country's borders. As the Atlantic Council's Jason Healey argues,
developing this norm will involve state-to-state negotiations and
capacity building as well as diplomatic, economic, intelligence, and,
possibly, military responses.
Patriotic geeks might be the answer to a lot of policy challenges.
But in terms of cybersecurity, it may be best to either bring them
completely into the fold, or keep them at arm's length.
This article originally appeared at CFR.org, an Atlantic partner site.