Lately, there has been an increased intensity of hacking attacks on government and business. Of course, government is doing all it can to keep up and stop these hackers. And like the piracy problem on the high seas, hackers in the commons called cyber space are operating with virtual impunity.
To me, there are several areas of weakness that today’s hackers are exploiting. One is the shear enormity of the internet and cyber space, and all the potential targets that a hacker can attack. Like with the pirates of Somalia, hackers have plenty of ocean and are constantly searching for new hunting grounds and weaknesses to exploit.
Their rewards can be immense. Hack into a bank, steal information from a technology firm, or hack a government website and exploit that information. Or they do it because of the ‘lulz’ or the hell of it, just to prove they are the best. Or worse, they attack individuals. (companies or the government has done nothing to protect the little guys– like this blog, from attacks) And these hackers can do it all from a terminal at some random location in the world.
The other thing at play here is scale. Once folks see for themselves how successful one group or individual is, then others will copy them. They will borrow brilliance and follow a model of operation that works, all to achieve a goal. And like today’s example of piracy, hacking spreads because it is inspired by the success of others and by the rewards of the risk taking.
It also spreads when money or organizational influence comes into play. China or a cartel from Mexico can easily do things to add fire to the world of hacking and cyber warfare. All nations add to scale of such things. Just wait until ‘plomo o plata‘ comes to the world of hacking, and then that is when cyber lances will really become essential.
Which brings me to the point of this post. Because this problem is only growing, there must be measures that equal the size and scale of this global deluge. Legal tools like the LoM must be considered to even the scale between black hat and the company use of white hat hackers. Of course it would be nice if government and it’s law enforcement apparatus could be large enough enough to apply the rule of law to all corners of the cyber universe. But like with today’s modern day scourge of piracy, government cannot be everywhere and at all times.
So here is where I like to take the next step forward. Companies need the legal authority to effectively combat black hat hackers. That legal authority can and should come in the form of a Letter of Marque and Reprisal. Or maybe a government can come up with a different title for this license. But either way, by giving companies the legal authority to do what they need to do to combat the problem, they in essence help to put ‘the armed guards on boats’. (another analogy with today’s piracy problem)
Here is some more food for thought. If the targets of hackers are companies, then is the government the best tool to use to protect all of these companies out there? Who would have more interest and incentive to protect a company’s infrastructure–a government or the the company itself? Of course a company would love for someone to do it for free, but the problem here is that there is too much at stake to put the security of a company simply in the hands of a burdensome, bureaucratic and highly inefficient government organizations. Government does not have the resources to watch over every company, and it does not have the personal motivation to defend a company’s assets to the fullest degree.
Yet again, the piracy analogy works for this example. All of the navies in the world have not stopped piracy, and if anything, the problem has grown. Likewise, the US government was not able to protect Sony, Google or Lockheed Martin from vicious hacking attacks, even though the government has cyber warfare units and tons of agencies tasked with monitoring cyber related activities.
So what is the solution? I say government should listen to what the companies have to say about how best to help them. The government would also have to re-evaluate what ‘help’ really means, in the context of this problem. If a company says it is legally constrained when trying to defend against black hat hackers, then what is the logical solution? Do you put the government’s police forces in charge of a company’s security anti-hacking units, or do we license a company to combat this problem? To me, issuing a license to companies so they can actually compete with these black hat hackers, is the equivalent of putting ‘armed guards on boats’ to defend against Somali Pirates. It makes sense, and it answers the problem of scale.
It also sounds like this is the natural progression anyways? The new DIB Cyber Pilot program sounds like another step towards empowering companies. With companies like Lockheed Martin, it behooves the government to help them because this company is very much a part of our national security. So will licensing companies be the next ‘natural progression’ as an answer to this world wide scourge? I know myself, and the Morgan Doctrine blog will be following this stuff, and we will see….-Matt