The following op-ed by Harvard Law School Professor Jack Goldsmith appeared in the February 1, 2010, edition of the Washington Post.
Can we stop the global cyber arms race?
In a speech this month on “Internet freedom,” Secretary of State Hillary Clinton decried the cyberattacks that threaten U.S. economic and national security interests. “Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” she warned, alluding to the China-Google kerfuffle. We should “create norms of behavior among states and encourage respect for the global networked commons.”
Perhaps so. But the problem with Clinton’s call for accountability and norms on the global network — a call frequently heard in policy discussions about cybersecurity — is the enormous array of cyberattacks originating from the United States. Until we acknowledge these attacks and signal how we might control them, we cannot make progress on preventing cyberattacks emanating from other countries.
An important weapon in the cyberattack arsenal is a botnet, a cluster of thousands and sometimes millions of compromised computers under the ultimate remote control of a “master.” Botnets were behind last summer’s attack on South Korean and American government Web sites, as well as prominent attacks a few years ago on Estonian and Georgian sites. They are also engines of spam that can deliver destructive malware that enables economic espionage or theft.
The United States has the most, or nearly the most, infected botnet computers and is thus the country from which a good chunk of botnet attacks stem. The government could crack down on botnets, but doing so would raise the cost of software or Internet access and would be controversial. So it has not acted, and the number of dangerous botnet attacks from America grows.
The United States is also a leading source of “hacktivists” who use digital tools to fight oppressive regimes. Scores of individuals and groups in the United States design or employ computer payloads to attack government Web sites, computer systems and censoring tools in Iran and China. These efforts are often supported by U.S. foundations and universities, and by the federal government. Clinton boasted about this support seven paragraphs after complaining about cyberattacks.
Finally, the U.S. government has perhaps the world’s most powerful and sophisticated offensive cyberattack capability. This capability remains highly classified. But the New York Times has reported that the Bush administration used cyberattacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran’s nuclear weapons program. And the government is surely doing much more. “We have U.S. warriors in cyberspace that are deployed overseas” and “live in adversary networks,” says Bob Gourley, the former chief technology officer for the Defense Intelligence Agency.
These warriors are now under the command of Lt. Gen. Keith Alexander, director of the National Security Agency. The NSA, the world’s most powerful signals intelligence organization, is also in the business of breaking into and extracting data from offshore enemy computer systems and of engaging in computer attacks that, in the NSA’s words, “disrupt, deny, degrade, or destroy the information” found in these systems. When the Obama administration created “cyber command” last year to coordinate U.S. offensive cyber capabilities, it nominated Alexander to be in charge.
Simply put, the United States is in a big way doing the very things that Clinton criticized. We are not, like the Chinese, stealing intellectual property from U.S. firms or breaking into the accounts of democracy advocates. But we are aggressively using the same or similar computer techniques for ends we deem worthy.
Our potent offensive cyber operations matter for reasons beyond the hypocrisy inherent in undifferentiated condemnation of cyberattacks. Even if we could stop all cyberattacks from our soil, we wouldn’t want to. On the private side, hacktivism can be a tool of liberation. On the public side, the best defense of critical computer systems is sometimes a good offense. “My own view is that the only way to counteract both criminal and espionage activity online is to be proactive,” Alexander said last year, adding that if the Chinese were inside critical U.S. computer systems, he would “want to go and take down the source of those attacks.”
Our adversaries are aware of our prodigious and growing offensive cyber capacities and exploits. In a survey published Thursday by the security firm McAfee, more information technology experts from critical infrastructure firms around the world expressed concern about the United States as a source of computer network attacks than about any other country. This awareness, along with our vulnerability to cyberattacks, fuels a dangerous public and private cyber arms race in an arena where the offense already has a natural advantage.
Everyone agrees on the need to curb this race by creating proper norms of network behavior. But like Clinton, U.S. cybersecurity policymakers are in the habit of thinking too much about those who attack us and too little about our attacks on others. Creating norms to curb cyberattacks is difficult enough because the attackers’ identities are hard to ascertain. But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.
Jack Goldsmith teaches at Harvard Law School and is on the Hoover Institution’s Task Force on National Security and Law. He was a member of a 2009 National Academies committee that issued the report “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities.”