• Choose a category
• All
• Classic-Fiction

By Root 1215 0

commerce, communication, emergency services, energy production and distribution, mass transit, military defenses, and countless other critical state sectors. In effect, the Internet has become the nervous system of modern society. Unfortunately, reliance on the Internet is a two-edged sword. While it provides tremendous benefits to states, it also opens them up to attack from state and nonstate actors. Given the ease with which anyone can acquire the tools necessary to conduct a cyber attack, anonymously and from afar, cyber attacks provide the enemies of a state with an ideal tool to wage asymmetric warfare against it. Thus, it should come as no surprise that states and terrorists are increasingly turning to cyber attacks to wage war against their enemies.

Today, the United States treats cyber attacks as a criminal matter and has foregone using active defenses to protect its critical information systems. This is a mistake. The government needs to modernize its approach to cyber attacks in order to adequately protect US critical information systems. Unless policymakers change course, the United States will continue to be at greater risk of a catastrophic cyber attack than need be the case.

Modernizing the US approach to cyber attacks requires major changes to the way the federal government currently does business.

First and foremost, the United States needs to start using active defenses to protect its critical information systems. This will better protect these systems, serve as a deterrent to attackers, and provide an impetus for other states to crack down on their hackers.

Second, the United States needs to devote significantly more resources and personnel to its cyber warfare forces. Creating the preeminent cyber warfare force is an absolute imperative in order to secure US critical infrastructure against cyber attacks, and to prevent the Internet from becoming the Achilles’ heel of the United States in the 21st century.

Furthermore, a large, expertly trained cyber warfare force should be a prerequisite to actually using active defenses, since using active defenses on the national scale without properly trained personnel could easily lead to unjustified damage against illegitimate targets.

The decision to use active defenses will, no doubt, create a lot of controversy, as would any major change to state practice. However, there is sound legal justification to use them, as long as their use is limited to attacks originating from sanctuary states, as laid out in Chapter 4. Limiting active defenses to attacks originating from sanctuary states still leaves states vulnerable to cyber attacks from rogue elements of cooperating states, but this change to state practice significantly improves US cyber defenses without running afoul of international law.

Furthermore, under a paradigm where active defenses are authorized against sanctuary states, the United States could feel comfortable knowing that either cyber attacks would be defended against with the best computer defenses available or that when computer defenses were limited to passive defenses alone, the state of origin would fully cooperate to hunt down and prosecute the attackers.

In adopting this approach, the United States needs to use its diplomatic influence to emphasize states’ duty to prevent cyber attacks, defined as passing stringent criminal laws, conducting vigorous law enforcement investigations, prosecuting attackers, and, during the investigation and prosecution, cooperating with the victim-states of cyber attacks. Using US influence to emphasize this duty, combined with the threat that the United States will respond to cyber attacks with active defenses when states violate this duty, should help coerce sanctuary states into taking action against their hackers. This is an essential step toward both a global culture of cyber security and eliminating the threat of cyber attacks from nonstate actors.

Admittedly, the decision to use active defenses is not without complications. Technological limitations will still make it difficult to detect, assess,