A recent Wired article by Andy Greenberg has raised much interest in the cyber security field as it supports an idea many have been pushing for years, the ability to hack-back when countries target private entities and individuals. Much like a license for piracy and privateering, the idea of hunting forward on your own for retribution is more akin to a John Wick movie than the course of international politics.
Much like the mind of Donald Trump and his mythical 400-pound hacker, for Wired, a hacker is a “man in a T‑shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks.” This line was literally in a professional article written about a foreign policy issue.
The man with the handle P4x accused North Korea of trying to steal his exploits, often unknown methods of invading opposing computer systems. When no action by the United States government was forthcoming, P4x took matters into his own hands and took down the entirety of North Korea’s internet. Literally “dozens” of sites, by shutting down routers for a few hours. The oxymoron of a term, North Korean cyber defenses, failed, mainly because there is really no need to defend what is not really there since North Korea does not have much of a normal internet.
The coverage contained in the Wired article is disappointing in that it fails to demonstrate the danger of letting a sole individual take foreign policy into their hands. While security researcher Dave Aitel does note that there is a danger of harming ongoing intelligence operations, the true danger is greater than that. Individuals do not make foreign policy, it’s even unclear if the president has a free role to make foreign policy given the clear oversight role of Congress for war powers and treaty ratification.
Even the Wall Street Journal suggests that allowing hack-backs is a “terrible idea.” The obvious problem is that individuals can step into the middle of an international conflict, one that is already managed by a portfolio controlled by the National Security Council, the State Department, and the Department of Defense. There is also the issue of mistakes, collateral damage, and spoiling ongoing law enforcement or intelligence operations. There are a complex set of calculations involved in taking foreign policy action and unfortunately for P4x, protecting his property is nowhere near the top of the list, especially since North Korea keeps testing missiles challenging ongoing diplomacy.
Sadly, many people have a misguided view of the role of the United States in protecting an individual, with one blue checkmark commentor remarking that “when a US citizen is physically attacked aboard, the US embassy gets involved.” Unaware of the limitations of the embassy who must involve local law enforcement rather than acting as Jason Bourne to hunt down those who have wronged them, retribution is the not the role of the US embassy, or the foreign policy community.
This is all just evidence of cyber road rage. Some are obviously dismayed that the United States does not go on the offensive in cyber security very often. This misguided view of the efficacy of offensive operations pervades the discourse and highlights the general misunderstanding of the role of cyber operations as a way to manage risk and complex international communications rather than as a new form of warfare.
All these themes come together nicely through the lens of a recent road rage incident, vividly captured on film. Eric Popper, a Florida man, cut another driver off and when that driver passed him, he opened fire with a sidearm because the person dared to honk at him. Popper, who a minute early was happily bopping along to a tune, fired wildly inside his own vehicle blowing out all his windshields. He is lucky he did not hurt anyone else or himself. These sorts of road rage incidents were once common but have declined. The fear is that cyber road rage will become a common fact of daily life, endangering the entire international system, not just a guy sitting in his car dancing to a bop.