Private Sector 1
A key difference between cyber-warfare and physical military conflicts lies in the involvement of the private sector. There are two ways in which the private sector play a role in cyber-conflicts: as resources and as targets.
Civilian resources are used much more often in cyber-warfare than in conventional attacks. Often, hackers use networks of hacked computers, or a ‘botnet’, in order to better leverage an attack. Even more significantly, civilian companies provide attackers with targets that are both valuable in their own right and as stepping stones to attacking military or government servers directly. For example, Chinese government-backed hackers have in recent years targeted various fortune 500 companies, from financial firms to software developers to energy companies. In 2008, McAfee reports that an estimated $1 trillion of intellectual property was stolen across the world through hacking.1 In the pentagon’s statement of its cyberstrategy, William J. Lynn writes, “The cyberthreat posed to intellectual property may prove to be the most significant one facing Washington.”2 Furthermore, today’s government servers are in a large part protected by private sector contracts and technology. Private firms now hold sensitive information regarding the nature of our security system, exposing them to even greater risk from foreign interests.
There are two sides to the debate surrounding government involvement in private sector security. On the one hand, many large firms, including Microsoft, alongside the Pentagon and Cyber Command, call for greater collaboration, citing the sheer volume of attacks and the inability of either government or company to defend their resources alone. On the other hand, issues of privacy and economic favoritism can arise from such direct government involvement. It is, on the one hand, economically unfair for the government to privilege companies by selecting only some subset of software firms to defend. On the other hand, it is also infeasible for the government to begin a sort of universal cyber-care system and shoulder the burden of protecting all of the nation’s intellectual e-resources. Furthermore, having the government play such an involved role in the protection of, for example, the identities of political dissidents, leaves little impediment in the way of privacy violation.
Spreading the resource of the government so thin can also easily backfire, weakening rather than strengthening the security of our resources. Having shared widespread elements of a security system both gives hackers greater freedom to probe and test their exploits, while simultaneously leaving the nation at risk of collapsing if a very common system were to become breached.
Finally, there comes a question of the government’s role in society. For the most part, when it comes to protecting individual property, the government provides a police force and a judicial system not to prevent crimes directly, but to catch and punish criminals once the crimes have been committed (which, in turn, acts as a deterrent). In this sense, it would be something of a change if the government were to become directly involved in protecting private companies’ intellectual property against hackers directly, rather than simply cracking down on hackers once they have committed crimes; it is akin to the difference between the government providing policemen as security guards for a bank, rather than simply as a response force used only once banks have been robbed. The implications of such a shift in the role of government are somewhat unclear, and, to be fair, it is not well established that this would necessarily be a bad thing – it could be argued that the reason the government does not provide security guards for all establishments is one of practicality, which is no longer an issue when the ‘guard’ in question is simply a sequence of code which can be transferred essentially for free. On the other hand, again, such a shift carries with it a precedent of strong, directly involved government, rather than a government which simply punishes violations of a legal structure, which carries its own series of issues. Either way, I think this is a crucial issue to consider with regard to the relationship between government and private sector security.
1China Home to Most Hacked Computers, Says Reporthttp://www.inc.com/news/articles/2010/02/china-home-to-most-hacked-computers.html
2Defending a New Domainhttp://www.defense.gov/home/features/2010/0410_cybersec/lynn-article1.aspx