OK, I seem to be in a cyber security phase. If the defense guys and wonks are rabid about the lack of policies to address this issue, the lawyers are grappling with a different angle. At today’s Nebraska U Law conference, four big brains debated the slippery slope of domestic vs. international law, crime vs. espionage, kinetic vs. ‘soft’ attack, information sharing vs. security concerns, and the constant challenge of balancing diplomatic restraint and policy trade-offs in the face of known attacks from sovereign state actors (like China and Russia).
One of the panelists quoted a 3rd party who said “we’re the walking dead and don’t know it yet.” This echo’d something I heard at last week’s seminar – “They could shut us down any time they want to; they just don’t want to.” Who is ‘they?’ I pondered with some concern. The exposure of our electrical grid has become a common topic of conversation. Apparently there is a rumor that China has put something called logic bombs in it, which have the sole purpose of destroying the system. BUT, China is our biggest creditor – so can we really force this suspicion? Does this seem like an urgent problem to anyone but me???
Civil, criminal, conflict (war), and espionage attacks fall under the jurisdiction of different governmental authorities – perhaps at the federal or international level, but possibly at the state or even more local level. (And we all know how well these agencies share with each other.) This imposes different protective and prosecutorial statutes, but also creates an enormous grey area over terminology, definitions and boundaries around what constitutes what kind of cyber ‘activity’ (apparently even the word ‘attack’ is loaded and has a strict context. ) The complexity of digital technologies makes cyber aggression difficult to trace and even more difficult to prosecute. Short of a clear instance of physical harm, building a legal case that will stand up with the appropriate adjudicating authority seems quite challenging.
Best to prevent such incidents in the first place, right? I come back again to the defense issue. The list of vulnerable apps was long – mobile, cloud, IPv6, medical devices, smart grid, supply chain reliability, and behavioral advertising…doesn’t that cover just about EVERYTHING that makes the modern world run? As at last week’s Potomac conference, I saw an enormous disconnect between Silicon Valley and Washington. Today’s legal experts also described Silicon Valley as just overwhelmingly concerned with making as much money as possible, with security and data privacy as afterthoughts. Well it would seem to me there is enormous financial opportunity (and a fair bit of glory) for the innovator that figures out real protection for the digital infrastructure that runs today’s world. The point of view of today’s panelists certainly reinforces the growing urgency for policy makers and high tech innovators to somehow come together – fast – in figuring this out.