Offensive operations will continue apace in the foreseeable future—conducted by the United States, its allies and its adversaries. The choice is whether and how to engage in them responsibly and minimize cost to societies.
While there is widespread agreement that Huawei devices in 5G infrastructure pose some risk to the U.S. and allied nations, the policy community—in particular the U.K.’s National Cyber Security Centre—has paid insufficient attention to the technical aspects. The discussion must examine not simply whether China would use this technology maliciously, but the specific threats that Huawei equipment could pose and the extent to which these threats can be mitigated.
Recently, Tim Maurer, Ariel Levite, and George Perkovich of the Carnegie Endowment for International Peace released a white-paper with a broad new proposal regarding the offensive cyber operations conducted by nation states, in an attempt to address acknowledged interdependent risk issues within the global financial system.
The vulnerability equities process (VEP) is broken. While it is designed to ensure the satisfaction of many equities, in reality it satisfies none—or at least, none visible to those beyond the participants of the insular process. Instead of meaningfully shaping best outcomes, the VEP provides thin public relations cover when the US government is questioned on its strategy around vulnerabilities.
“Lawful hacking” is an interesting and potentially very useful future path for law enforcement and the intelligence community. But lawyers and policymakers rushing to address potential problems are getting ahead of the technology.
This week, Senator Sheldon Whitehouse called for the creation of a cybersecurity “militia” to strengthen US defense. He suggested reexamining a “militia model that lets ordinary citizens come to their country's aid". Whitehouse’s remarks represent a growing focus on exploring mechanisms to incorporate civilian involvement and “active defense” into traditional government activities.
On Monday, Paul Rosenzweig suggested a number of areas in which the recently formed Commission on Enhancing National Cybersecurity should focus in charting the US government’s path forward. While I agree the government must rethink strategic policy choices, Rosenzweig is putting the cart before the horse.