I read an interesting article on ReadWriteWeb yesterday entitled New Cyberwar Rules Of Engagement: Will The U.S. Draft Companies To Fight? by Brian Proffitt.
In it, Proffitt reports on a speech given by CIA director Leon Panetta to business leaders in New York City last Thursday (Oct 11). Panetta discussed how for the first time ever, US military forces were prepared to go on the offensive against cyber attackers who seek to cause harm against US assets, infrastructure or its citizens. This contrasts from its previous policy when the military acknowledged it would only take a defensive stance.
The Washington Post reports that among those new rules of engagement, "for the first time, military cyber-specialists would be able to immediately block malware outside the Pentagon’s networks in an effort to defend the private sector against an imminent, significant physical attack, The Post has reported.
Panetta was careful to state that the government would not be monitoring private networks, nor involved in the day-to-day protection of corporate and other private infrastructure. That raises questions about the effectiveness of the defense strategy, let alone the usefulness of an offensive response, since cyber attacks can happen faster than the blink of any eye.
This is weird. The military would block malware outside of the Pentagon’s networks? What does that even mean? That they would forcibly issue updates for known malware into private networks and corporations? How do they expect to issue these updates?
The article goes on to say that the Third and Fifth Amendments of the US constitution prevent the government putting military assets without the private homeowner (or corporation’s) consent. To get around this, it means that there would have to be significant partnerships between private enterprise and government so that they would agree that if there is a threat detected by the government, they would let the military issue malware signatures.
That’s all well and good, but it’s still a defensive posture, not an offensive one. This is where the article gets interesting:
Nevertheless, at least one academic paper has argued that companies be drafted to participate in cyberwarfare.
"Cyberwarfare… will penetrate the territorial borders of the attacked state and target high-value civilian businesses," wrote University of Dayton Professor Susan Brenner in 2011. "Nation-states will therefore need to integrate the civilian employees of these (and perhaps other) companies into their cyberwarfare response structures if a state is able to respond effectively to cyberattacks.
"While many companies may voluntarily elect to participate in such an effort, others may decline to do so, which creates a need, in effect, to conscript companies for this purpose," Brenner and her co-author, attorney Leo Clarke, added.
Speaking for myself, I have never lived under the possibility of being drafted into the military. Most of my life, I lived during a time when the government used an all volunteer army, and during a time when conscription was not required (the US abolished the draft after the Vietnam War, and it has not been used in Canada since long before that).
I’m now getting older (I’m 33), but I’d make a pretty useless soldier. I’m not physically large, I have two bad hips, I’m near sighted and I have sinus problems in certain climates. In short (pun intended), I’m not who the military is looking for to wage a conventional war.
On the other hand, I am who the military is looking for to conscript for a cyber war. I admittedly have mediocre hacking skills but I know a lot about cyber security. I have good data analytics skills and I can program. I know many of the techniques that hackers use to break in. And unlike in a conventional war, the value of what I bring to the table and could do for the military continues to increase over time.
So, while there’s some interesting debates around whether or not the military might draft individual companies into working with them, there’s also the interesting position of whether or not the military might draft individual people into their service.
The rules of engagement have changed, and with it are ideas about who the military might consider to be persons of interest. The military draft is about finding people to do the fighting. Seeing as how the military is now prepared to go on the cyber attack, if they need people to do that kind of fighting, they’d best start with people who already have a background in it.
Hmm… that’s something for me –and you – to think about.