Drop the norms and punch back in cyber

Imagine walking to work in the morning. Someone walks up to you with their hand in their pocket and says “I have a gun, give me your money.” You could debate whether the gun is real or not, but most likely you’d hand over your wallet, not willing to risk getting shot.

Now let’s say this starts to happen every day. Especially if you’re used to normally walking to work and not getting mugged, this would likely cause you to change your behavior. Whether you start bringing a friend to ward off the attacker, put a small amount of cash in your pocket as “mugger’s money” (so that the thief doesn’t get the whole wallet), or arm yourself and shoot back, you would change your behavior in some way.

Unfortunately, if you look at the U.S. response to cyber operations, we’re the equivalent of simply walking around and getting mugged every day. We’ve had the Chinese, Russians and others steal our data, including valuable weapon platform data and data related to our political processes, yet we keep marching on, with little change in our behavior.

Recently, President Trump has removed the “cyber norms” that President Obama had put out. Originally on the State Department’s website, these norms were supposed to regulate behavior, but because they were non-binding, nobody signed onto them and they did nothing to change behavior.

Going forward, my hope is we start to punch back in cyber. Let’s say we have data stolen and we can identify the thief. Reaching out and hurting that person or group of people, including using economic sanctions or physical attack, would go a long way to deterring future aggression. If a hacker thinks that the U.S. government might drop a weapon on his house, there will at least be some hesitancy to initiate attacks. It wouldn’t stop all attacks, but it might discourage those with more to lose.


This post represents the views of the author and not those of the Department of Defense, Department of the Navy, National Security Agency, or any other government agency. No, seriously, I don’t make cyber policy, just occasionally comment on it.
