When people warn of growing cyber insecurity they are often referring to the threat of an arms race, countries trying to outdo each other in the development of offensive weapons and defensive technologies. This is certainly a real risk, but the greater threat to Asian regional stability may not be from technology, but the spread of an organizational framework.
Keio professor Motohiro Tsuchiya has written a commentary (h/t David Wolf) suggesting that Japan needs to establish a cyber militia in order to defend itself from attacks. Offense will always have the upper hand over defense, Tsuchiya argues, so the government will always struggle to keep up. The majority of expertise is in the private sector, and government salaries will never be competitive enough to attract and retain the talent needed. What can Japan do but appeal to patriotism? "Success hinges on whether the government can secure patriotic geeks."
There has been similar discussion in India. In November 2011, Information Technology Minister Kapil Sibal called for a community of ethical hackers to help defend Indian networks since "the resource pool of them is very limited in the world." India has also reportedly been considering using patriotic hackers for offensive operations. The Times of India reported a high level meeting in August 2010—chaired by National Security Adviser Shiv Shankar Menon and attended by the director of Intelligence Bureau as well as senior officials of the telecom department and IT ministry—that considered recruiting and providing legal protection to hackers who would be used to attack the computers of hostile nations. During a visit that October, several security experts in Delhi told me that NTRO officials were soliciting hackers on websites and electronic bulletin boards.
China, of course, is widely suspected of using patriotic hackers and cyber militias for defense and offense. According to the Financial Times, Nanhao Group, a web company outside of Beijing, has departments tasked for attacks and defense, and this Chinese report mentions cyber militias in Tianjin’s Hexi District. Recent intelligence leaks and private security reports about cyber espionage suggest that the Chinese government backs or directs the majority of espionage attacks on Western and Japanese technology companies, with hackers clocking in and out between 9am and 5pm Chinese time.
The talent concern is real, but addressing the problem through cyber militias would be profoundly destabilizing for the region. Militia members may one day walk out the door and not only use their skill and knowledge against other states without authorization, but may also turn them back on home networks. Military planners would also have to worry, especially during a crisis, that militias might ignore orders or target off-limit networks, increasing the risk of escalation and decreasing ability to signal intent to the adversary.
The plausible deniability of patriotic hackers is one of their biggest selling points; states can claim they know nothing about attacks and can do little to stop them. Technological changes that make attribution easier, or other forms of intelligence that have the same impact, would do a great deal to make cyber militias less attractive to policymakers. In the short term, if regional leaders are not going to fight the urge to mobilize their own militias, they at least need to ensure that they know who they should be talking to on the other side if a crisis breaks out and they must be able establish clear lines of communication. In the longer term, ASEAN or other regional groupings would be wise to promote a norm of state responsibility for cyberattacks emanating from within a country’s borders. As the Atlantic Council’s Jason Healey argues, developing this norm will involve state-to-state negotiations and capacity building as well as diplomatic, economic, intelligence, and, possibly, military responses.
Patriotic geeks might be the answer to a lot of policy challenges. But in terms of cybersecurity, it may be best to either bring them completely into the fold, or keep them at arms length.