
> 1. No targeting of tech companies, private sector or critical infrastructure.

In peacetime, the last item is okay — clearly in wartime it's appropriate to degrade a foe's infrastructure, consistent with the accepted laws of war and humane concerns.

I think the private sector ought to be generally off-limits — but surely there are times when that might not be the case. Do spies never duck through a dry cleaners'?

I'm negative about privileging tech companies vs. the private sector in general.

> 2. Assist private sector efforts to detect, contain, respond to & recover from events.

Sure, that sounds reasonable.

> 3. Report vulnerabilities to vendors rather than to stockpile, sell or exploit them.

I can't possibly imagine that will or should ever happen. Nation-states have a duty to their citizens to be able to conduct offensive & defensive cyber operations; a necessary condition of doing so is the ability to stockpile & exploit vulnerabilities.

There's a gain-loss calculation to be made for reporting any vulnerability: does the gain to national defense of closing that vulnerability outweigh the loss to national defense of being able to exploit it against an adversary? I see absolutely no reason to believe that the answer is automatically 'yes,' or even mostly 'yes.'

> 4. Exercise restraint in developing cyber weapons and ensure that any developed are limited, precise and not reusable.

Restraint of course is laudable. Limited & precise capabilities are obviously a good thing. Trying to limit reuse, though, seems impossible to ensure in the general case, and not really desirable anyway. Why restrain makers of software munitions from using one of the most powerful tools in a software developer's toolkit: reuse?

> 5. Commit to nonproliferation activities to[sic] cyberweapons.

Meh, I always thought nonproliferation in general is either a case of pulling up the ladder behind oneself (on the part of states which have already achieved a capability) or an exercise of wishful thinking (on the part of those who think that the genie can be crammed back in the bottle). As applied to cyberweapons, I have difficulty understanding what this is even supposed to mean.

> 6. Limit offensive operations to avoid a mass event.

This is already addressed by the existing laws of war, particularly the principle of proportionality.

Overall, I imagine this is really meant to be a starting point, not a draft: there is absolutely no way that a serious person can expect point 3 in particular to universally hold.




>>> Nation-states have a duty to their citizens to be able to conduct offensive & defensive cyber operations; a necessary condition of doing so is the ability to stockpile & exploit vulnerabilities.

You speak of war as though it's some necessary and good force, as opposed to a 0-sum-game that has lost all use in modern society.

Am I the only one who thinks that we as a race need to look to an era 200 years out where the very concept of "war" and "nation" is obsolete?



