Playing With (Digital) Fire

As any fan of martial arts knows, one of the best moves is to take an attacker's weapon and turn it back on them. In 2016, that's just what Beijing did – in cyberspace: after American operatives used a particular bit of code to attack Chinese computer systems, Chinese hackers took it, repurposed it, and used it to attack a bunch of US allies, according to The New York Times.

The technical details of the story are fascinating, but it also raises some big political questions:

If countries can't control their cyber arsenals, can they at least establish some ground rules for how they are used? Avoiding a destructive free-for-all in cyberspace may depend on it. But hacking tools aren't like conventional or nuclear arms, where countries have agreed to enforceable limits on capabilities and behavior. They're invisible, with no real way to count them or verify they've been destroyed, and prone to being stolen.

And despite an ongoing attempt by the US and its allies to deter bad behavior by indicting hackers, imposing sanctions, and even threatening military force in response to malicious cyber-attacks, there's nothing in cyberspace comparable to the doctrine of mutually assured destruction that has helped deter and prevent conflicts between nuclear-armed powers.

Why is that so difficult? For one thing, it's relatively easy to hide your identityor get hired guns to do your bidding in cyberspace – making it hard for the victims of cyber-attacks to be 100 percent confident in targeting their response.

There's also a lot of mischief that state-backed hackers can get up to that is short of outright war, but can still hurt an adversary (think: swiping personal data that can help identify spies or stealing trade secrets). Governments don't want to give those capabilities up. This helps explain why attempts to establish widely agreed, enforceable "cyber norms" have made limited progress, despite 15 years of wrestling with the issue at the UN.

The upshot: We already knew the US was struggling to secure its cyber arsenal. Now we know that just using a cyber weapon means there's a risk it'll be stolen and used by someone else. As more countries gain access to these tools, reaching a basic agreement on rules of behavior will become even more important.