Herb Lin of the National Research Council has launched the first, soft counterattack on those who think victims of cyberespionage should have greater leeway to respond directly to intrusions. Herb always strives for some balance in his work, but it’s clear that he’s a skeptic, concluding
“It is not clear that the use of offensive operations in response to hostile actions against private parties would in fact mitigate the threat those parties face, or that the benefits would necessarily outweigh the risks. It is certain, however, that taking such actions would raise a host of thorny domestic and international legal and policy issues.”
In fact, some of the issues Herb raises aren’t “thorny” at all. Should companies defending themselves be able to hire experts to assist them, he asks. Well duh. Is there anyone who thinks that they shouldn’t be able to get such help?
And Herb’s stance on the international issues is strikingly prescriptive:
“Finally, international forums must be identified where such issues can be discussed and agreement sought. Such forums would have to involve all stakeholders and not presume that only national governments have rights to engage.” (Emphasis added.)
Why Herb thinks these things are mandatory, I can’t guess. If a right of self-defense depends on getting agreement in an international forum that involves all stakeholders, it’s safe to say that there won’t be much left to defend by the time the negotiators are done.
That said, for a short piece, Herb’s article does a good job of flagging the issues that need to be addressed by those of us who advocate a greater private role in counterhacking.