Harvard Cyber Policy Lunch
April 14, 2010
A. Friedman Notes

Joe: split into 4 pieces: War, Terror, Espionage, Crime --> focus on the latter two

"expel an attache"
Other ways to retaliate, without escalation
Prevent defectors lock-in

Challenge: communication and learning between actors

Ways to turn off a particular system

Above might work with espionage

Crime: Russia Challenges to "export only"
Response: ISP has been a response to too many attacks
BUT: would require a lot more intervention
Policy alternatives: bilateral communication or EU cybercrime treaty

Question: how do they see it?
Iterative game?
Perceptions of hostility

Bilateral vs. multilateral
Analogy: currency valuation
Can't make overt threats
Issues with moving it to G20
Might have a quiet dynamic
Too multilateral: another Copenhagen

Precedent: Montreal Protocol
Started off with the core, expanded

What's the game?
Punishment can be expensive (Not PD)
Why PD
Opportunity for cooperation
Suppose 3 options: Nice, mean, neutral
How do you get back to cooperate after you retaliate?
Could share 0-days

How do you prevent escalatory reframing?
Don't want an action to be interpreted as hegemony

Danger of responding in alternate issues
Too many special interests, bureaucracies
By keeping it in cyber model

US has many means of signaling displeasure

Positives - can make a conciliatory gesture: scientific exchange
Allow foreigners into national labs

Options: writing on screen = send a message with content plus demonstrates (reminds) about potential
Better than: release something that helps domestic criminal groups
Anti-censorship material

Melissa: crime is the easiest place to get the consensus

Challenge: why do we assume this is a country-level response
Private firms have the ability to attack core infrastructure?
Banks may already take the law into their own hands
Other countries might attribute it to the US
At very least, it might escalate

Do we have leverage over renegade US company?
Yes, it's illegal
Regulation: we will not use these types of weapons (?)
Any use of weapon: sacrifice the future use of that weapon

Would we take Goldman to court?
Precedents: privateers
FSB & Russian Business Network
Question: what led to the end of privateering
Treaty was written in 1830s
US didn't sign it until 1860s

What about private companies refusing to deal with states?

Q: What about multinationals?
Do it by the Singapore base?

Q: Why would a firm retaliate?
A: examples of need:
DDOS against closing of quarter
Blackmail
Phishing

Q: When to litigate vs. take immediate action?
Business proposition vs. rule of law
Where to press charges?

Can we no longer see the state as the core actor?
BUT - Bhopal?
Should we transcend the state?

How to trace back attacks?
Cyber crime conventions

Other