Does 'stand your cyberground' stand a chance?
Internet security experts say the concept has merit, but major legal and ethical problems still need to be sorted out
May 07, 2012 — CSO — Despite a public relations problem with the concept as it applies to people, a few voices in Internet security circles believe "stand your cybergound" laws have merit when it comes to fighting against cyberattacks.
So-called "stand your ground" laws -- which allow the use force in self-defense when there is reasonable belief of a threat -- have been in the spotlight since George Zimmerman, accused of murder in the shooting of Florida teen Trayvon Martin earlier this year, invoked it as a legal defense. And like with that law, some experts say "Stand Your Cybergound" laws create more problems than they solve with cybersecurity.
Patrick Lin, director of the Ethics and Emerging Sciences Group at California Polytechnic State University, made the "stand your cyberground"-argument recently in The Atlantic, writing that because the U.S. government is too constrained by international law to lead cyberdefense against foreign attacks, and with private companies having "been the main victims of harmful cyberactivities by foreign actors to date," we should weigh up allowing "commercial companies to fight cyberfire with cyberfire."
Lin includes a disclaimer that he is "not proposing that we adopt this solution, but only develop it for full consideration."
Self-defense, he notes, is a basic right: The Second Amendment authorizes citizens to bear arms -- he says it helped deter outlaws during the "Wild West" era; commercial ships under attack from pirates are allowed to shoot and kill them; bank security guards are allowed to shoot robbers.
And he says international laws governing armed conflict, including the Geneva and Hague Conventions and rules established by the International Committee of the Red Cross, make it difficult for government to respond to foreign cyberattacks.
"[International Humanitarian Law] requires that we take care in distinguishing combatants (such as military personnel) from noncombatants (such as most civilians) when we use force. Yet containing any cyberattack to lawful military targets is perhaps impossible today," he says.
Since private corporations are not constrained by humanitarian law, Lin says they could retaliate against cyberattacks without the risk of dragging a nation-state into war. If they were given some level of immunity for self-defense, they would be more willing to deter the outlaws of the Internet.
To include a measure of due process, he suggests companies could present evidence to courts to secure warrants for counter attacks. And things like, "misidentification and unreasonable action -- a corporate George Zimmerman-like case -- can be adjudicated (by the courts) with a standard of reasonable proof," he says.
Lin acknowledges any number of potential problems: Innocent parties could be harmed; a retaliatory attack could spawn escalation that could lead to physical conflict; attribution in cyberconflict can be near to impossible. But he says those problems exist in physical conflict as well: There is regular so-called "collateral damage" in war, when civilians are harmed even when military targets are attacked, and people don't always know exactly who is shooting at them when they shoot back.