The political science of cybersecurity: Why running hackers through the FBI really isn’t a good idea

http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/04/25/the-political-science-of-cybersecurity-v-why-running-hackers-through-the-fbi-really-isnt-a-good-idea/

One of the most difficult challenges of cybersecurity is that it enables private actors to play a significant role in international security. Both security officials and international relations scholars tend to assume that states are the most important security actors. With a couple of minor exceptions (mercenary forces and the like) private actors simply don’t have the firepower to play a substantial role. Even terrorist groups with international ambitions usually require some kind of state to provide them with safe haven or to back them. Many (although certainly not all) experts argue that cybersecurity is different. Computers and Internet access are all that you need to carry out many kinds of attack, allowing private actors to become a real force in international cyber politics.

This potentially presents two problems for traditional understandings of international security. First, many argue that the world will be less stable if private actors can affect international security. For example, Joseph Nye, a prominent scholar and former policymaker, argues (PDF) that states have not been displaced by private actors in cybersecurity, but now have to share the stage with them. This creates greater volatility in world politics. The more actors there are, the greater the chance of unpredictable accidents, events, attacks or misunderstandings. Furthermore, private actors may have widely varying motivations and be more difficult to discipline. They are less likely to be concerned with the stability of the international system than states are.

There is also a more subtle problem. The existence of empowered private actors in cybersecurity presents temptations to states. It is easier for states to attack other states while blaming hackers, rogue elements or others for the attacks, thus making retaliation less likely. In cyberspace, it is often hard to figure out who precisely is responsible for an attack. These problems are multiplied when states can e.g. use clandestine relationships with private actors to carry out attacks by proxy.

For example, there is still vigorous debate over whether or not the Russian state mounted cyber attacks on Georgia during a dispute a few years ago. Certainly, the major attacks appear to have been mounted from within Russia. However, Ron Deibert, Rahal Rohozinski and Masashi Crete-Nishihata argue (paywalled) that the likely perpetrators were patriotic Russian cyber criminals (who had already created “botnets” of compromised computers for purely criminal attacks) rather than the Russian state itself. While it is possible that the Russian state (some elements of which maintain clandestine contact with the Russian underworld) was using these criminal networks as a cutout to blur responsibility, it is nearly impossible to prove one way or another....