•    HOME   
•    NEWS   
•    BUSINESS   
•    INTERNATIONAL   
•    TECH   
•    SPORTS   
•    LIFE & TIMES   
•    OPINION   
•    MY JAKARTA   
•    BLOGS   
•    EYEWITNESS   

In a speech last month on “Internet freedom,” US Secretary of State Hillary Clinton decried cyber attacks that threaten US economic and national security interests. “Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” she warned, alluding to the China-Google kerfuffle. We should “create norms of behavior among states and encourage respect for the global networked commons.”

Perhaps so. But the problem with Clinton’s call for accountability and norms on the global network — a call frequently heard in policy discussions about cyber security — is the enormous array of cyber attacks originating from the United States. Until we acknowledge these attacks and signal how we might control them, we cannot hope to prevent cyber attacks from other countries.

An important weapon in the cyber attack arsenal is a botnet, a cluster of thousands and sometimes millions of compromised computers under the ultimate remote control of a “master.” Botnets were behind last summer’s attack on South Korean and American government Web sites, as well as prominent attacks a few years ago on Estonian and Georgian sites. They are also engines of spam that can deliver destructive malware that enables economic espionage or theft.

The United States has the most, or nearly the most, infected botnet computers and is thus the country from which a good chunk of botnet attacks stem. The government could crack down on botnets, but doing so would raise the cost of software or Internet access and would be controversial. So it has not acted, and the number of dangerous botnet attacks from America grows.

The United States is also a leading source of “hacktivists” who use digital tools to fight oppressive regimes. Scores of individuals and groups in the United States design or employ computer payloads to attack government Web sites, computer systems and censoring tools in Iran and China. These efforts are often supported by US foundations and universities, and by the federal government. Clinton boasted about this support seven paragraphs after complaining about cyber attacks.

Finally, the US government has perhaps the world’s most powerful and sophisticated offensive cyber attack capability. This capability remains highly classified. But the New York Times has reported that the Bush administration used cyber attacks on insurgent cellphones and computers in Iraq, and that it approved a plan for attacks on computers related to Iran’s nuclear weapons program.

The National Security Agency, the world’s most powerful signals intelligence organization, is in the business of breaking into and extracting data from offshore enemy computer systems and of engaging in computer attacks that, in the NSA’s words, “disrupt, deny, degrade or destroy the information” found in these systems.

Simply put, the United States is in a big way doing the very things that Clinton criticized. We are not, like the Chinese, stealing intellectual property from US firms or breaking into the accounts of democracy advocates. But we are aggressively using similar computer techniques for ends we deem worthy.

“My own view is that the only way to counteract both criminal and espionage activity online is to be proactive,” NSA director Lt. Gen. Keith Alexander said last year, adding that if the Chinese were inside critical US computer systems, he would “want to go and take down the source of those attacks.”

Our adversaries are aware of our prodigious and growing offensive cyber capacities and exploits. In a survey published on Thursday by the security firm McAfee, more information technology experts from critical infrastructure firms around the world expressed concern about the United States as a source of computer network attacks than about any other country. This awareness, along with our vulnerability to cyber attacks, fuels a dangerous public and private cyber arms race in an arena where the offense already has a natural advantage.

Everyone agrees on the need to curb this race by creating proper norms of network behavior. But like Clinton, US cyber security policy makers are in the habit of thinking too much about those who attack us and too little about our attacks on others. Creating norms to curb cyber attacks is difficult enough because the attackers’ identities are hard to ascertain. But another large hurdle is the federal government’s refusal to acknowledge more fully its many offensive cyber activities, or to propose which such activities it might clamp down on in exchange for reciprocal concessions by our adversaries.



Jack Goldsmith teaches at Harvard Law School and is on the Hoover Institution’s Task Force on National Security and Law.

The Washington Post