So-called "stand your ground" laws -- which allow the use force in self-defense when there is reasonable belief of a threat -- have been in the spotlight since George Zimmerman, accused of murder in the shooting of Florida teen Trayvon Martin earlier this year, invoked it as a legal defense. And like with that law, some experts say "Stand Your Cybergound" laws create more problems than they solve with cybersecurity.
Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made the recently in , writing that because the U.S. government is too constrained by international law to lead cyberdefense against foreign attacks, and with private companies having "been the main victims of harmful cyberactivities by foreign actors to date," we should weigh up allowing "commercial companies to fight cyberfire with cyberfire."
Lin includes a disclaimer that he is "not proposing that we adopt this solution, but only develop it for full consideration."
Self-defense, he notes, is a basic right: The Second Amendment authorizes citizens to bear arms -- he says it helped deter outlaws during the "Wild West" era; commercial ships under attack from pirates are allowed to shoot and kill them; bank security guards are allowed to shoot robbers.
And he says international laws governing armed conflict, including the Geneva and Hague Conventions and rules established by the International Committee of the Red Cross, make it difficult for government to respond to foreign cyberattacks.
"[International Humanitarian Law] requires that we take care in distinguishing combatants (such as military personnel) from noncombatants (such as most civilians) when we use force. Yet containing any cyberattack to lawful military targets is perhaps impossible today," he says.
Since private corporations are not constrained by humanitarian law, Lin says they could retaliate against cyberattacks without the risk of dragging a nation-state into war. If they were given some level of immunity for self-defense, they would be more willing to deter the outlaws of the Internet.
To include a measure of due process, he suggests companies could present evidence to courts to secure warrants for counter attacks. And things like, "misidentification and unreasonable action -- a corporate George Zimmerman-like case -- can be adjudicated (by the courts) with a standard of reasonable proof," he says.
Lin acknowledges any number of potential problems: Innocent parties could be harmed; a retaliatory attack could spawn escalation that could lead to physical conflict; attribution in cyberconflict can be near to impossible. But he says those problems exist in physical conflict as well: There is regular so-called "collateral damage" in war, when civilians are harmed even when military targets are attacked, and people don't always know exactly who is shooting at them when they shoot back.
Randy Sabett, an attorney and infosec/privacy expert with ZwillGen, says he agrees "100% [with Lin] that we must have a dialogue about this. We need a national policy that is based on well-thought-through concepts around cyber self-defense."
But Sabett, who says he has been involved in the debate over what has also been called "Active Defense" for a decade, doesn't agree with Lin on much else. He says Lin gives essentially equal weight to most of the potential problems, when the problem of attribution outweighs them all -- by a lot.
"All of the issues he raised are important, but if you can't come up with proper attribution at some level, everything else is a non-starter," Sabett says. "If you make a mistake and go after the wrong person or nation state, you could create really serious problems."
U.S. Army Gen. Keith Alexander, director of the National Security Agency and head of the U.S. Cyber Command, has told Congress that attribution is the most critical issue related to cyber self-defense, Sabett notes.
And he says most corporations simply are not equipped to wage cyberwar. "I can think of two companies and fewer than half-dozen individuals who could do anything even remotely useful in this area," he says.
John Villasenor, a nonresident senior fellow at the Brookings Institution and professor of electrical engineering at UCLA, agrees with Lin that government cannot be the cybersecurity czar, but for very different reasons. Villasenor says it is because there is far too much data - 1.8 trillion gigabytes of data created or replicated in 2011.
Writing , he says: "The government can be an essential supporting actor in the effort to secure American networks and to prevent intellectual property theft. But it can't, and shouldn't try to be, the orchestra conductor."
But Villasenor also has major legal and moral objections to Lin's proposals. Using the courts, to issue warrants for counter-cyberstrikes, he says, is flawed, "on ethical and many other grounds. Cyberattacks are generally crimes. The role of the courts includes deciding the punishment for those who have committed crimes. Courts shouldn't be actively authorizing people or companies to carry out criminal acts."
Villasenor calls the suggestion that companies get assistance from the NSA "alarming," and trying to avoid the constraints of humanitarian law "disturbing."
"Legal and ethical frameworks exist because they aim to ensure behavior befitting a civil society," he says. "Approaches that aim to avoid such frameworks, are, by their very definition, unethical -- and not at all 'virtuous.'"
Lin's responds that those are "all good questions," but he doesn't think they destroy his argument. Attribution, he contends, "might be an overblown issue. We can attribute some attacks to China. Yet the U.S. is unwilling to launch counterstrikes against China, since there are greater political and economic interests at stake."
Regarding innocent parties being harmed, Lin notes that "most cyberattacks are launched by botnets, [so] it's an open question of whether these computers are really innocent. While their owners may lack the intent to have their computers used in a botnet attack, in most cases they seem to be negligent in failing to prevent their computers from being hijacked, and this makes them at least partially responsible for the attack."
And while he agrees with Sabett that few corporations could effectively counter cyberattacks, he says, "they could form industry consortiums or cooperatives that collectively can mount a good defense."
All three agree on one thing: this problem is not going away. Sabett says rather than try to adapt humanitarian law to cyberspace, it would be better to adapt the Law of Armed Conflict, which he says is now being done. "A cyber version is being written, and with a cyber equivalent to [the law], we wouldn't have to worry about constraints on government."
Lin says: "Ideally, we'd have a national policy in place that deters attacks and provides for an effective response. But we don't. For that to happen, we need to work harder to solve the difficult moral and legal issues involved, as well as reach some international agreements in this area.
"So 'Stand Your Cyberground' is meant to be an interim solution," he says.
in CSOonline's Malware/Cybercrime section.