Tuesday, June 7, 2011

Who's really behind the attack?

If you read the myriad analyses of the recently stated Pentagon cyber war doctrine, all the pundits see the same flaw: attribution. In other words, who really launched the attack? Whether in the Cyber war sabers rattle article or in the Big questions about cyber war story, both in today's Network World and just illustrative of dominant thinking throughout newsdom, the authors bring up two scenarios:

  1. Finding out who really launched the attack needs to take into account intentional spoofing by one criminal/government to implicate another; and
  2. If the attack was launched from the United States, how do we prove we didn't do it?
Two good questions. Heck, if I were a jihadist who wanted to plunge the world into war, I'd actually hack into and co-opt China's cyber war machine so it launched the attack. Then they would have problem #2 above, proving that they didn't do it. Try proving a negative sometime, and you'll see why atheists are such a miserable lot. 

If we must assume the current state of publicly available cyber security tools, then the foregoing two points pretty well pound a stake into the heart of legalizing cyber privateering. However, I've built several fail-safe elements into my proposals:
  1. Compliance with my Cyber Privateer Code carries severe penalties for "getting it wrong."
  2. This means that the legal bonding authority must be pretty sure of all who-did-what-to-whom evidence before they authorize confiscation of funds.
  3. The Ultimate Cyber Privateer Tool Kit will have far greater capabilities than current cyber warfare systems have demonstrated, which means they can back-track and infect all attack vectors until they hit the source of the attack.
  4. Monetizing cyber privateering means that licensed and bonded cyber privateers will pick the low-hanging fruit, namely following the money trail left by criminal organizations.
Of course, if someone did have access to The Perfect Virus, they'd most certainly be tempted to co-opt China's cyber war machine and have the world blaming them for some truly awful stuff. All of which is a very good reason why control of any country's cyber war machinery should be protected with as much diligence as we protect the nuclear launch codes in that football that follows POTUS. Building that ultimate virus will take government-size resources. 


  1. Hey Rick, I was just curious if you have ever come across any economic theories that support the concept of privateering? Something that provides a calculation as to how fast it would expand, or how much money would be required to provide adequate incentive. That type of thing? Or are there similar industries that have the same dynamics of your vision of cyber privateering? Thanks.

  2. The numbers I've run are a reverse hockey stick, meaning that in my most likely scenario, the first hit would be a Godfather-like "This is the day we take care of all Family business." Pacino statement. After a well-publicized parley dialogue, most of the cyber thieves will roll up their operations and run for cover. Deterrence is key. And it will take government-scale resources to do it right.

  3. Excellent and thanks for the reply. I have also read your other post about the subject. To me, the economics of privateering would be a very interesting study.

    I would look at the privateers during the Revolutionary War and War of 1812, I would look at the current Somali pirate scourge, I would look at the current hacker free agents, and I would look at the sicario market in Mexico as references for a study.

    Very cool and thanks.


Implementation suggestions for THE MORGAN DOCTRINE are most welcome. What are the "Got'chas!"? What questions would some future Cyber Privateering Czar have to answer about this in a Senate confirmation hearing?