*I enjoyed reading this. It has some fresh thinking in it.
*All historical analogies have problems, though. Back when maritime piracy was successfully repressed, national governments were increasing in strength and capability. Now they're not.
*The security punditry forecasts a cyberPearl Harbor or a cybernuclear attack, but instead they're being reduced to impotence and poverty through an out-of-control, globalized, cyber-finance sector. That's the grave modern weakness that states can't confront. Nobody's gonna call these important rich guys "pirates" or a "cyberwar threat," but the inability of nation-states to reign them in means that nothing-much can be effectively reigned in.
*Narco moguls, global guerrillas and even cyberwarriors are just a stigmatized epiphenomenon, compared to the genuine structural instability of a twilight-of-sovereignty. The rule-of-law is visibly collapsing, and we're heading toward a Failed Globe situation where "piracy" is just how most people live. Telling "the government" to do something about that is itself a bad historical analogy; it's hearkening back to a Cold War era when strategic briefing papers made a difference.
http://www.brookings.edu/articles/2011/0815_cybersecurity_singer_shachtman.aspx
(...)
"Many of today's discussions of cybersecurity in Washington are reminiscent of the bizarre debates over nuclear weapons in the 1940s and '50s, in which hype and hysteria ranged freely, real-world versions of Dr. Strangelove were taken seriously, and horrible policy ideas like the Army's Pentomic division (which was organized to use nuclear artillery, as if it were just another weapon) were actually implemented. As "Loving the Cyber Bomb," a recent study by actual cyber experts at George Mason University's Mercatus Center (as opposed to the many Cold Warriors who now have rebranded themselves as cyber experts) found, there is a massive amount of threat inflation going on in Washington's discussion of online dangers, most frequently by those with political or profit motives in hyping the threats. It's a new version of the old "missile gap" hysteria.
Mind the Gap
"The result of this fundamental misunderstanding is that in the press, a cyberattack could unquestioningly be portrayed as a massive pixilated mushroom cloud looming over every American city (as the cover of the Economist magazine had it). In Washington, malware could be described as "like a [weapon of mass destruction]" (Sen. Carl Levin, D-Mich.) able to "destroy our society" (Scowcroft), meaning it should be looked at as "an existential threat" (Adm. Mike Mullen, chairman of the Joint Chiefs of Staff). But the reality is that even an all-out cyber conflict wouldn't compare to a global thermonuclear war that truly did threaten to end life on Earth. Nor has there been a Hiroshima-sized prelude yet. For example, the much vaunted Russian attack on Estonia in 2007 was a concern to the country's government, which saw its websites blocked and defaced, but it barely affected the daily life of most Estonians.
"In Georgia, Russian cyberattacks in 2008 took down some external-facing government websites for a few days, but these were peanuts compared with the actual damage caused by actual Russian missiles and bombs in the accompanying war. Indeed, the very next year, a 75-year-old woman was able to outdo the entire Russian cyberwarfare apparatus using a mere shovel. (((Well, yes, that's true – except she didn't intimidate anybody, which is rather the point.))) Out hunting for scrap metal, she accidentally cut a cable and took out all of neighboring Armenia's Internet service. Yet, no local or global catastrophe ensued from the far more effective physical actions of this so-called "spade hacker."
"Similarly, the 2009 attacks against the United States and South Korea are repeatedly cited as examples of what a state government (North Korea is usually claimed in this instance) can do to the United States in this realm, but the actual result was that the websites of Nasdaq, the New York Stock Exchange and The Washington Post were intermittently inaccessible for a few hours. The websites recovered, and more important, these institutions and those that depend on them were not irrecoverably lost as if a real weapon of mass destruction had hit them.
"The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War first strike or what Defense Secretary Leon Panetta has called the "next Pearl Harbor" (another overused and ill- suited analogy) would certainly have major consequences, but they also remain completely theoretical, and the nation would recover. In the meantime, a real national security danger is being ignored: the combination of online crime and espionage that's gradually undermining our finances, our know-how and our entrepreneurial edge. While would-be cyber Cold Warriors stare at the sky and wait for it to fall, they're getting their wallets stolen and their offices robbed.
"Roughly 7 million Americans reported that they suffered directly from cybercriminal activity last year, (((the others never get spam, apparently))) while according to the British government, online thieves, extortionists, scammers and industrial spies cost businesses an estimated $43.5 billion in the United Kingdom alone. Internationally, these numbers total in the hundreds of billions of dollars, creating a huge drag on the global economy. They also are slowly reducing trust in the IT and innovation industry that powered much of America's economic growth over the last two decades (all the more important during a manufacturing decline). These compromises of critical intellectual property threaten to undermine the long-term advantages the United States has enjoyed in economic trade. Take the so-called Night Dragon attacks, which lifted corporate secrets from Western energy companies just before they were to bid against the Chinese on major oil deposits. The result: billions of dollars' worth of business lost over the next few years. Such espionage even has struck small businesses all the way down to tiny furniture companies. The problem also hits national security. Look at the compromise of U.S. officials' email accounts by China-based hackers and diplomatic cables by WikiLeaks revealing internal secrets and jeopardizing external alliances. Or look at the repeated penetration of Lockheed Martin Corp., maker of the F-35 Joint Strike Fighter - the largest weapons program in Pentagon history. Terabytes of unclassified data related to the jet's design and electronics systems were stolen. These lost bytes represent billions of dollars in research and development and years of technologic advantage gone, making it easier to counter (or copy) our latest warplane. And as a sign of things to come, security tokens, allowing infiltrators to pass as company employees, later were taken as well.
"The Pirate Code
"If the most apt parallel is not the Cold War, then what are some alternatives we could turn to for guidance, especially when it comes to the problem of building up international cooperation in this space? Cybersecurity's parallels, and some of its solutions, lie more in the 1840s and '50s than they do in the 1940s and '50s.
"Much like the Internet is becoming today, in centuries past the sea was a primary domain of commerce and communication upon which no one single actor could claim complete control. What is notable is that the actors that related to maritime security and war at sea back then parallel many of the situations on our networks today. They scaled from individual pirates to state fleets with a global presence like the British Navy. In between were state-sanctioned pirates, or privateers. Much like today's "patriotic hackers" (or NSA contractors), these forces were used both to augment traditional military forces and to add challenges of attribution to those trying to defend far-flung maritime assets. In the Golden Age of privateering, an attacker could quickly shift identity and locale, often taking advantage of third-party harbors with loose local laws. The actions that attacker might take ranged from trade blockades (akin to a denial of service) to theft and hijacking to actual assaults on military assets or underlying economic infrastructure to great effect.
"During the War of 1812, for example, the American privateer fleet had more than 517 ships - compared with the U.S. Navy's 23 - and, even though the British conquered and burned the American capital city, caused such damage to the British economy that they compelled negotiations.
"If there are certain parallels, what then are the potential lessons we might adapt to the situation today, other than attempting to hang hackers from the yardarm?
"Maritime piracy is still with us today. (((It didn't used to be, and it's growing.))) But it's confined to the shores of failed states and on a relatively minuscule scale (roughly 0.01 percent of global shipping is actually taken by modern-day pirates). Privateering, the parallel to the most egregious attacks we have seen in the cyber realm, has not only fallen out of favor as a military tactic, it long ago became taboo. While privateering may have won the War of 1812 for the United States, by 1856, 42 nations had agreed to the Declaration of Paris, which abolished privateering, and during the Civil War, President Lincoln not only refused to recruit plunderers for hire, but also blasted the Confederates as immoral for doing so themselves. Remember, two generations earlier, employing these hijackers had been a cornerstone of American naval strategy. By the 1860s, it wasn't something civilized governments did anymore.
"The way this change came about is instructive for cybersecurity and global relations today. Much like the sea, cyberspace can be thought of as an ecosystem of actors with specific interests and capacities. Responsibility and accountability are by no means natural market outcomes, but incentives and legal frameworks can be created either to enable bad behavior or to support greater public order.
"In clamping down on piracy and privateering a two-pronged approach was adopted, which went beyond just shoring up defenses or threatening massive attack as the Cold Warriors would have it. The first step was to go after the underlying markets and structures that put the profits into the practice and greased the wheels of bad behavior. London dismantled markets for trading pirate booty; pirate-friendly cities like Port Royal, Jamaica, were brought under heel, and blockades were launched on the potentates that harbored the corsairs of the southern Mediterranean and Southeast Asia. Today, there are modern equivalents to these pirate havens. For example, the networks of just 50 Internet service providers account for around half of all infected machines worldwide, according to a study prepared for the Organization for Economic Cooperation and Development. Just three firms process 95 percent of the credit card transactions for the bogus drugs advertised by spammers, according to research presented at the IEEE Symposium on Security and Privacy in May. When one particularly noxious hosting company - McColo Corp. of San Jose, Calif. - was taken down, the volume of spam worldwide dropped by 70 percent…."
