WASHINGTON, June 30, 2011 – The Federalist Society convened Tuesday to discuss the complex and interconnected legal and policy issues of cyber security in relation to the law of armed conflict, privacy and legislative action.
Morning and afternoon panels comprised of national security and economic security experts presented to the legal society the difficulties of applying the law of armed conflict towards cyber threats. The new threat conditions introduced by cyber intrusions and attacks do not fit the old paradigm of doing warfare. Panelists agreed, however, that the new rules should not be determined before major cyber conflicts have taken place.
“It is not in the United States’ interests to preempt how it will develop,” said Steven Bradbury, former Acting Assistant Attorney General for the Office of Legal Counsel.
“International law does not necessarily apply to cyber warfare,” said Bradbury, “it is largely a policy for the president, not lawyers, to decide the exercise of our national security.”
Panelists focused largely on the conflicts between nation states, but state-sponsored cyber threats are not always the issue. The conflict is asymmetric in nature: the majority of threat actors being organized crime groups targeting private networks and infrastructure systems, and the perpetrators are anonymous and invisible to their targets.
“This administration is the first of three to really try to grapple with this,” said Michael Vatis, founding Director for National Infrastructure Protection at the FBI.
The other panelists also acknowledged the Administration’s attempts to handle the problem, despite the posture of government and industry to be largely defensive in nature due to the anonymity of attackers and the sole legal authority of the government to enact justice.
Still, it is easier to attack than defend, said panelists. Laws and security measures designed to counteract network attacks are often obsolete by the time that they are implemented.
“The enthusiasm for the offense has overwhelmed planning for the defense,” said Stewart Baker, former Assistant Secretary for Policy at the Department of Homeland Security.
According to Baker, “The problem is not that they do not have the [legal] tools, they just can’t find the guys.”
Yesterday, a defense spokesperson also told BroadbandBreakfast.com to expect the Pentagon’s cyber strategy announcement in mid-July, although an exact date was still unclear.