Dyman Associates Management The political science of cybersecurity V: Why running hackers through the FBI really isn’t a good idea
(Washington Post)

One of the most difficult challenges of cybersecurity is that it enables
private actors to play a significant role in international
security. Both security officials and international relations scholars tend
to assume that states are the most important security actors. With a couple of
minor exceptions (mercenary forces and the like) private actors simply don’t
have the firepower to play a substantial role. Even terrorist groups with international
ambitions usually require some kind of state to provide them with safe haven or
to back them. Many (although certainly not all) experts argue that
cybersecurity is different. Computers and Internet access are all that you need
to carry out many kinds of attack, allowing private actors to become a real
force in international
cyber politics.

This potentially presents two problems for traditional understandings of
international security. First, many argue that the world will be less stable if
private actors can affect international security. For example, Joseph Nye, a prominent
scholar and former policymaker, argues (PDF) that states have not been
displaced by private actors in cybersecurity, but now have to share the stage
with them. This creates greater volatility in world politics. The more actors
there are, the greater the chance of unpredictable accidents, events, attacks
or misunderstandings. Furthermore, private actors may have widely varying
motivations and be more difficult to discipline. They are less likely to be
concerned with the stability of the international system than states are.

There is also a more subtle problem. The existence of empowered private actors in
cybersecurity presents temptations to states. It is easier for states to attack
other states while blaming hackers, rogue elements or others for the attacks,
thus making retaliation less likely. In cyberspace, it is often hard to figure
out who precisely is responsible for an attack. These problems are multiplied
when states can e.g. use clandestine relationships with private actors to carry
out attacks by proxy.

For example, there is still vigorous debate over whether or not the Russian state
mounted cyber attacks on Georgia during a dispute a few years ago. Certainly,
the major attacks appear to have been mounted from within Russia. However, Ron
Deibert, Rafal Rohozinski and Masashi Crete-Nishihata argue (paywalled) that
the likely perpetrators were patriotic Russian cyber criminals (who had already
created “botnets” of compromised computers for purely criminal attacks) rather
than the Russian state itself. While it is possible that the Russian state
(some elements of which maintain clandestine contact with the Russian
underworld) was using these criminal networks as a cutout to blur
responsibility, it is nearly impossible to prove one way or another.

This has led some experts to call for new norms about responsibility. Jason Healey
of the Atlantic Council proposes a sliding scale under which states would
effectively be required to take responsibility for any major attacks organized
from their territory or carried out by their citizens. This would change the
incentives, so that states would both be less inclined to cheat by acting
through hidden proxies, and more inclined to tidy up rogue elements on their
territory that might mount international attacks and land them in hot water.
They suggest that the best way for the U.S. to protect its national security
interest is to push for such norms.

In this context, yesterday’s New York Times story about the relationship between
the FBI and the loosely-knit hacker culture/collective Anonymous raises some
problems. The FBI identified a key Anonymous member, Sabu, and turned him so as
to identify other hackers. Sabu then appears to have shared a list of foreign
Web sites (including sites run by the governments of Iran, Syria, Poland,
Turkey, Brazil and Pakistan) with vulnerabilities, and encouraged his
colleagues to try to hack into them, uploading data to a server monitored by
the FBI.

The Times says it is unclear whether he was doing so on direct orders from his FBI
handlers. It is also unclear what happened to the information after it was
uploaded (the Times raises the possibility that it was shared with other
intelligence agencies, but it may have been left there to sit as evidence).
Either way, this report is sure to be interpreted by other countries (including
U.S. allies like Poland and Turkey) as strong circumstantial evidence that the
U.S. has used independent hackers to conduct attacks in the past, and very
possibly is doing so at present.

This obviously makes it harder for the U.S. to push for the kinds of norms that
Healey and others advocate. If the U.S. appears to have dirty hands, it will
have a more difficult time getting other states to believe in the purity of its
actions and intentions. U.S. allies will
be disinclined to believe its protestations. Countries that are more or less
hostile to the U.S., and which have dubious relations with their own hacking
community (such as Russia), are sure to point to the FBI’s decision to run Sabu
as evidence of U.S. hypocrisy if the U.S. tries to get them to take
responsibility for attacks mounted from their soil.

This will also have consequences if and when U.S. hackers (who are smart, talented
and sometimes politically motivated) mount a successful public attack on a
target in a third country. The U.S. administration will likely come under
sustained suspicion as the hidden culprit behind such an attack, even if it has
had absolutely nothing to do with it. Apparent past history will guide other
states’ judgment (especially if these other states themselves have clandestine
but systematic relationships with hackers, and assume that countries do the
same). It’s doubtful that these issues of international policy were foremost in
the thoughts of FBI officials when they decided to run Sabu (the FBI is a
domestically focused agency, primarily concerned with criminal enforcement).
Even so, their decisions may turn out to have important, and likely unfortunate,
international ramifications.