An ace hacker brought down by the FBI gave up enough on fellow members of the shadowy hackavist group Anonymous to indict six individuals in Europe and the United States.
If there is an object lesson in this story, it is a reminder that most of our thinking about battling bad actors online is badly muddled. Most think cybersecurity is about our electrons battling their electrons—that the challenge is a technical issue about managing the Internet. That is just flat wrong—about the same as arguing that gun control controls crime. It is a mistake to fixate on the technology and not the problem.
Online bad people are the problem—and there are more ways to deal with malicious actors than putting up a firewall.
Cyber forensics, like the techniques used to snare the FBI’s informant—whether performed by governments, netizens, or nongovernmental agencies—is not the only tool available to track down cyber enemies. A range of information-gathering tools, from open-source intelligence to old fashioned spies, can be used to hunt down malicious actors—just like any other threat.
My colleague Paul Rosenzweig argues that for some bad online actors, it makes more sense to treat them like a cyber insurgency. A cyber counterinsurgency strategy emphasizes intelligence, a framework for coordinating public and private efforts, network resilience, a doctrine for offensive action, and capacity building to enhance the cyber capabilities of host nations and U.S. allies.
Most of the legislation on the Hill that proposes to “fix” cybersecurity myopically focuses on managing the Internet like Obamacare. The better answer is limited legislation that promotes information sharing, enhances the quality of government’s cybersecurity leadership, and contributes to the resiliency of the infrastructure that keeps America online. Congress needs to take a measured approach to trying to make us safer online.
Meanwhile, the FBI needs to go after malicious actors before they start to unwire America.