Private Sector 2
I think Lucian’s previous post on this issue highlights many important issues regarding the role of the government in protecting the private sector from cyber attacks and the degree to which 1) we should take a collaborative approach to cyber security (with firms such as Microsoft, McAfee, and Symantec) and 2) we are comfortable with giving the government policing powers over the entirety of the private sector. Civilian resources have been identified as both resources and targets; there remains, however, another dimension to the landscape of cyberconflict that has not yet been explored—namely that in which private corporations are not simply bystanders, but agents.
Granted, this dimension lies more in the realm of possibility—when dealing with cyberwarfare at the present, the largest and most potent agents are almost exclusively nation-states. Few private corporations, let alone teams of citizen-hackers, have the technological capability and vast amount of resources necessary to construct and deploy a cyberweapon on the scale of Stuxnet or Flame. That being said, it is not inconceivable that some day defense contractors like Blackwater will have added code to their ever-growing arsenal of tools for achieving their objectives. On the other side of the trenches, computer security firms like Symantec have already begun encountering (largely by accident) the tools of international conflict in their everyday work. These burgeoning conflicts rightfully illuminate the question of how private corporations will interact with this new arena of combat.
The question of code-making and the question of code-breaking are two sides of the same coin, and both pose interesting questions regarding the ability of government to regulate the actions of private entities, particularly when the compelling interest is national security.
In the case of private military companies—defense contractors that make up almost a third of defense personnel in the United States—the commingling or transfer of cyber capabilities from/between government and corporation creates several issues. As has been noted previously, while pooling resources and public-private partnerships may allow cybersecurity to be undertaken more effectively, the consolidation of our national security apparatus also leaves open the possibility of a small number of sophisticated attacks to bring down a large part of our national defenses. Such partnerships would render private contractors more likely to be attacked by foreign agents, and it is quite possible that the risk of damage is not worth the value gained by greater collaboration. Another important consideration here is the impact that explicitly involving private military companies in cyberwarfare would have on the status of PMCs under the Geneva Conventions. The rules that govern the changing arena of conflict that we’ve been addressing in the Cyber-Weapons series have yet to be explicitly determined, so it’s yet unclear whether involvement in cyberwarfare would compromise firms like Blackwater and DynCorp’s already precarious positions in the sphere of international conflict.
We should also consider the impact of cyber conflict on computer security firms like Symantec and McAfee, who, it seems, will find themselves increasingly caught in the crossfire as the usage of cyberweapons becomes more prevalent. Already noted has been the role of experts at Symantec in the cracking of the now-infamous Stuxnet virus. What is perhaps less evident is the frequency with which computer security firms may find themselves unwittingly working at the edges of a larger conflict. The team originally assigned to investigate Stuxnet, for example, initially expected it to be a somewhat more sophisticated form of industrial espionage. Other instances have brought computer security teams into contact with bugs of unknown provenance and indecipherable motive.
No matter the true nature of these encounters, the difficulty involved in telling apart routine cases of malware and the work of more powerful and well-organized entities I predict will bring computer security firms into more frequent contact with the defense agencies of nation-states. The United States would have great difficulty in asking security firms to desist from investigating sensitive pieces of code, particularly firms with international clientele like Symantec or McAfee, as well as those based in other countries like GSMK in Germany. Investigations by private entities could easily compromise the success of operations involving cyberweapons, and methods of resolving these inevitable conflicts should be given serious consideration before cybersabotage becomes a norm of international relations.