Corporate Cyber Vigilantism

The US Government is highly focused on threats in the Cyber domain. The military, FBI, and DHS each have assigned responsibilities within the US public and private sectors. Of these organizations, the military is the offensive Cyber arm for the government. On the one hand, the division of responsibilities rightly restricts the authority required to exercise Cyber-attacks, but it also fails to navigate through the grey space of Cyber ambiguity. Cyber cannot only be viewed as a weapon of military power, but as an instrument of political and economic power as well as a tool to empower actions of criminal and commercial espionage.  The corporate world has born a great percentage of the Cyber Attacks to date.  In the face of continued threats from Cyber Attacks, the corporate world will likely leave the government behind in order to secure their interests world-wide.

The boundaries of Cyber's use and defense do not follow the physical state boundaries the world is accustomed to navigating in peace and conflict. It is an untamed international and inter-organizational frontier, yet effects in the Cyber Domain impact the real world. Actors in Cyberspace are not limited by the physical boundaries and limitations of physical space. In military terms, it is an asymmetric environment. The adversary is all around you and very difficult to detect and defeat. DHS and the Military have concentrated on building defensive measures for the public and private sectors. FBI and other law enforcement seek to prosecute offenders post-attack and failed defensive measures. But at what point does the US conduct preemptive attacks? If it is in defense of the civilian sector, how should those attacks be planned? Will the US government conduct them? What are the thresholds for intervention, while any action is defined as a military action versus a civilian action?

If one was willing to place a bet on one of the major worries of those that control the world’s financial centers, Cyber would be the thing keeping them awake at night. Can they afford to lose $50 Billion to a few key strokes of a hacker with access to a backdoor in their systems? Could their home countries? When Wall Street companies are probed daily with a long list of successful attacks over the past few year and companies like Sony infiltrated by the N. Koreans, what was the reaction? These attacks were limited instances of Cyber force used against the private corporations of the world. They did not impose significant damage or long term side-effects. In fact something like a DDOS attack really does have only limited impact on a company and can be quickly remediated. But what happens with something more significant? Target only lost customer data, which cost them millions and not to mention the credit issues that caused to their customer base.

How long can the private sector receive the brunt of attacks, without lashing back at their attackers? Many major and small corporations have done their upmost to work through official government channels in order to recover funds and prevent attacks. Independent hacktivist groups already execute attacks under a banner of vigilantism. The Hacktivist organizations lack the extraordinary amount of funding available to corporate and financial giants. While these companies will continue to play defense, should we not also expect them to eventually seek to go on the offense?  Likely the only thing holding many of these companies back are the legal issues that Cyber retaliation would incur. Where then is the threshold for corporate action?

Whereas the governments of the world can “easily” maintain their hold on military capabilities in conjunction their military industrial counterparts, Cyber capabilities require little more than stand-alone test networks and knowledgeable developers to start their own offensive cyber programs. If a company stands to lose as much as the GDP of medium sized country, why wouldn’t they seek to go on the offensive to protect their assets. They will not seek to fire missiles or develop a new fighter jet to protect their assets, instead they will monitor their cyber borders and move into enemy territory in order to pre-emptively protect their assets. Government and civilian sectors need to work together to shift the paradigm of how to secure cyberspace both in offense and defense. It will not happen until the government changes its policies towards Cyberspace.

All the underlying principles of the Cyber domain blur the legal and acceptable rolls of the private sector. Companies would not be hiring private armies of cyber warriors to physically attack their adversaries, but instead they use their considerable assets to hire competent white hats to move outside their cyber fortresses and attack their enemies directly. In the future, be prepared to see an increase in Cyber vigilantism or self-policing by corporations.