Private Retaliation in Cyberspace

There has been a resounding chorus of voices in Washington calling for the United States to give companies the right to retaliate against cyber attackers in China with counterstrikes of their own. The most recent is a report that concludes that if other measures to get China to change its behavior fail, "the United States should consider giving companies the right to retaliate against cyber attackers with counterstrikes of their own." This is a remarkably bad idea that would harm the national interest. Our goal is to make cyberspace more stable and secure, not less. Endorsing retaliation works against that goal in many ways, all of them damaging.

The United States plays a leading role in an international effort to build a secure and stable cyberspace. A central part of that effort is to get all nations to agree that international law applies to cyberspace, that states have the same responsibilities in cyberspace as they do in other areas, and that nations should cooperate in security and law enforcement. There is an emerging international consensus that international norms and principles apply to cybersecurity. Part of this consensus, and a central point for our diplomatic efforts, is that in cyberspace as in the physical world, states are responsible for the actions of those resident on their territory and must take action against cybercrime.

The United States is also a leading proponent of the Budapest Convention on Cybercrime, to which we and many other countries are signatories. Under this convention, private retaliation would be a crime. The victim could reasonably ask the United States to assist in an investigation and to extradite those found guilty, and could then bring suit against the perpetrators in U.S. courts. Russia and China strongly oppose the convention because they make use of "proxies," civilians who engage in cybercrime at the behest of the state or with its tolerance. The United States and other nations have been pressing Russia and China to take responsibility for these proxies and rein in their actions. Private retaliation by U.S. companies would completely undercut the effort to hold Russia and China accountable for actions by their citizens. In a contest over who can go further in violating the law, despite the bluster of some in the high-tech community, private citizens are no match for the Russian mafia, the Russian Federal Security Service, or the People's Liberation Army in China. This is not a contest American companies can win.

What if the Chinese police ask for help in investigating the crime? If the United States says no, it justifies their refusal to cooperate with us. If the United States says yes, it will find itself in the awkward position of having to arrest American citizens for hacking in China (don't assume that retaliation will be anonymous). If China puts out a warrant through Interpol for American executives, many nations will choose to serve it. Anyone who engages in retaliation probably should avoid international trips. One of our goals has been to build greater law enforcement cooperation in combating cybercrime. In countries that respect the law, this has been very successful. We have been able to build support in the international community for law enforcement cooperation against cybercrime, but retaliation could undo this progress.

There is also considerable risk that amateur cyber warriors will lack the skills or the judgment to avoid collateral damage. A careless attack could put more than the intended target at risk. A nation has sovereign privileges in the use of force. Companies do not. Ask corporate general counsels whether they advise intentional violation of U.S. and international law. We assume that China or Russia would know that a damaging attack by a private American is not an official act. They may not believe this, since they use proxies, control their own companies, and are paranoically suspicious. Do we send China a diplomatic note saying that the attack wasn't us, that it was just some frustrated citizens? How do we prevent escalation of a retaliatory incident into a larger conflict without admitting culpability?

What signal would adoption of a retaliatory policy send to nations like Iran and North Korea about cyber attack, especially since they are likely to believe that any retaliatory action is undertaken at the behest of the U.S. government? We are convinced of the righteousness of our cause, but others do not share that view. If the United States disrespects the law, others will cite this as precedent. Private retaliation increases the risk of attacks on the United States or other nations by these two countries, both of which are experimenting with cyber attack.

Companies accepted the losses of cyber espionage from China for many years and only recently have begun to complain. Serious engagement with China only began in 2009, after a decade of ignoring its activities. Getting espionage under control is a diplomatic problem; there is a series of measures, including frequent high-level discussion, graduated penalties of various kinds, and other methods to both compel and persuade China and others to change their behavior in cyberspace. We have just started down this path, and although it will take years to reach its end, it is the least risky approach and the most likely to succeed.

The argument for retaliation seems to be that since others do not observe the law, we should not either. This assumes we would benefit from a more lawless world. Another argument is that governments are not taking action, and therefore private actors must step in. This is wrong. Governments are taking action, although knowledge of this is not always public. The pace can be slow because governments move cautiously in an area that has profound implications for national security and economic health, and where the risk of miscalculation and damaging conflict is great. Cybersecurity is not an action movie in which a frustrated hero takes the law into his own hands and everything is neatly solved by the end. This is the real world, messy and abounding with unintended effects and unexpected costs.

England, the source of common law, outlawed private wars in the reign of Elizabeth I, and the last English lords to try it faced her wrath. But the same political trends that undermine the legitimacy of governments in general affect our attitudes toward cybersecurity, particularly in the United States. If government is seen as not delivering security, some will arm themselves or seek to expand the right of self-defense. Privateers flourished and merchant ships armed themselves with cannon when the seas were not safe, but navies and courts eventually brought piracy under control. The same is happening in cyberspace, and the choice for policy is between doing those things that build a more stable environment and taking steps, like authorizing retaliation, that will only increase the level of anarchy on our networks.

James A. Lewis is a senior fellow at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2013 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program