Chinese hackers made the headlines in May when Washington confessed that Chinese army officers are behind cyber-attacks to collect U.S. intellectual property and military strategies. It is unclear if the army hackers are on a commercial mission, doing espionage, or perhaps both.
In April, Spanish police charged a man with a massive distributed denial of service (DDoS) attack on anti-spam watchdog, Spamhaus. He enlisted help from hacker friends and they slowed big parts of the Internet. Also in April, LivingSocial said it suffered a cyber attack that exposed names, e-mail names, birth dates, and encrypted passwords for 50 million customers. Between December 2012 and now, an international crew hacked credit card transaction processers and set up a $45 million cash haul. Hackers are doing massive damage.
The Internet’s current design leaves us exposed to hacker attack because it allows anyone to assert a false identity, help themselves to information that isn’t theirs, and damage other’s property. It was designed for open exchange of memos and data among academic researchers at DARPA, not for secured communications.
Major stakeholders are resistant to Internet design changes because their investments were built around today’s flawed design. For example, even a highly constructive change such as IPv6 (which allows for more Internet destinations) faced foot-dragging. Design changes that enforce strong identity verification may take several decades, and we can’t just change a few lines of code to flush the hackers from the system.
While we allow hackers to profit and to face inconsequential punishment, they will continue attacking. Sternly worded speeches on the evils of hacker theft and attacks are worse than useless — they may convince a gullible audience that politicians will handle the problem. It’s not that easy. Without redesign, halting attacks depends on the hacker’s identity and protector.
When domestic hackers are arrested, court progress can be delayed by a defense attorney working the motions and appeals processes. Some even argue that violating “terms of service” agreements are not a crime. Other gambits claim the perp is a modern day saint – exercising first amendment rights; or have fellow “hactivists” invent socially redeeming intentions for their crimes while relying on the media to downplay the theft and vandalism of other people’s property, or hoping the readers are unaware that there is no first amendment entitlement to vandalize private property. When convicted, these perpetrators are released or briefly incarceration.
The bitter irony is that hacking victims bear the direct cost of the crime, usually the cost for the perp’s public defender, the cost of incarcerating the perp, and often the cost for post-release welfare payments to the perp. Until law forces a mandatory sentence of bankruptcy-proof full restitution for court costs and victim damages, the gain from hacking will continue to outweigh the pain from being caught.
It is more difficult to bring offshore hackers to justice. A foreign commercial hacker who is pursued by U.S. police may attract support from other hackers, nationalist activists or politicians. A U.S. decision to press forward with arrest has implications for international relations, dragging in the Department of State, muddying up the choice of jurisdiction, and perhaps converting the perp into prisoner exchange fodder. Attorney costs, incompatible codes of law, and high profile opportunities for political narcissism push “justice” beyond reach.
State-sponsored hackers such as the Iranians and Chinese are beyond the reach of U.S. courts so must be handled differently. Avoiding media coverage, we need to determine how reliably we can defend against the sovereign hackers and how severe the damage done by the hacking might become. If we cannot defend against it or cannot tolerate the potential damage, then we should demand an immediate end and threaten painful retaliation (e.g. hobble the sponsor country’s communications, or banking system, etc…). The big stick is necessary. Stuxnet was a successful example of a big stick, even though no country has admitted ownership of it.
Letting a hacking sponsor off the hook in return for his promise of future righteous behavior is out of the question — which politician would be crazy enough to rely on the word of a proven sneak capable of harming us lethally?
Taking slack out of the post-arrest treatment for hackers is a useful project. But redesign of the Internet so that it enforces identity verification is far more productive.
Alan Daley is a retired businessman who lives in Florida and who writes for The American Consumer Institute Center for Citizen Research