I’ve become a big proponent of adding deterrence – really punishment – to our menu of responses to massive cyberespionage. Those who used to argue that we can’t identify our attackers have been largely silenced by an avalanche of attribution data. The avalanche will continue. It is a product of the same insecurity problems that make the espionage possible. I call it Baker’s Law: Our security sucks, but so does theirs.
Like love and marriage, attribution must be followed by retribution. My latest ideas on how to bring the hurt to cyberspies are here.
To overcome the resource and imagination constraints that governments face, I would deputize victims to do far more aggressive sleuthing to identify their attackers. That’s not quite the same as hacking back or active defense; it’s more of a passive aggressive defense. Mounting such a defense in the United States or a Budapest Convention nation raises “authority” questions that can and should be resolved if victims want to avoid the risk of prosecution for tracking their own data. My latest exchange with Orin Kerr, the brightest and most thoughtful purveyor of conventional legal wisdom on this topic, produced a remarkable convergence on how and whether to amend or use US law to enable private sector nontraditional defenses.
To be candid, the international and foreign law consequences of pursuing retribution need careful thought, but that does not mean wringing our hands about whether we’re setting a bad example or might face more cyberespionage if we take a more aggressive stance. Other nations are likely to do whatever they think they can get away with in this sphere, and right now they think they can get away with a lot.
Nor do I think that negotiated international norms will save us. They will arrive too late, if at all.
The hard international issues that I see are what retaliation we can expect from a retribution campaign, whether we can preserve a measure of deniability while also ensuring oversight of private investigators’ actions, whether we can or should preserve the principle that a computer is governed by the law of the country where it’s located, and how to build an effective coalition against the worst cyberespionage offenders.
About Stewart Baker
Stewart Baker practices cybersecurity law at Steptoe & Johnson in Washington. He served as the first Assistant Secretary for Policy at the Department of Homeland Security, where he set cybersecurity policy, including inward investment reviews focused on network security. He is the author of Skating on Stilts – Why We Aren’t Stopping Tomorrow’s Terrorism, a book on the security challenges posed by technology, and a blog of the same name. He also served as General Counsel of the National Security Agency. Stewart was a law clerk to Justice John Paul Stevens on the US Supreme Court and the Honorable Frank M. Coffin of the US Court of Appeals for the First Circuit.