Drop the norms and punch back in cyber

Imagine walking to work in the morning. Someone walks up to you with their hand in their pocket and says “I have a gun, give me your money.” You could debate whether the gun is real or not, but most likely you’d hand over your wallet, not willing to risk getting shot.

Now let’s say this starts to happen every day. Especially if you’re used to walking to work without getting mugged, this would likely cause you to change your behavior. Whether you started bringing a friend to ward off the attacker, put a small amount of cash in your pocket as “mugger’s money” (so that the thief doesn’t get the whole wallet), or armed yourself and shot back, you would change your behavior in some way.

Unfortunately, if you look at the U.S. response to cyber operations, we’re the equivalent of simply walking around and getting mugged every day. We’ve had the Chinese, Russians and others steal our data, including valuable weapon platform data and data related to our political processes, yet we keep marching on, with little change in our behavior.

Recently, President Trump has removed the “cyber norms” that President Obama had put out. Originally on the State Department’s website, these norms were supposed to regulate behavior, but because they were non-binding, nobody signed onto them and they did nothing to change behavior.

Going forward, my hope is we start to punch back in cyber. Let’s say we have data stolen and we can identify the thief. Reaching out and hurting that person or group of people, including using economic sanctions or physical attack, would go a long way to deterring future aggression. If a hacker thinks that the U.S. government might drop a weapon on his house, there will at least be some hesitancy to initiate attacks. It wouldn’t stop all attacks, but it might discourage those with more to lose.

This post represents the views of the author and not those of the Department of Defense, Department of the Navy, National Security Agency, or any other government agency. No, seriously, I don’t make cyber policy, just occasionally comment on it.
