Earlier this week, Google claimed to have uncovered a password-stealing campaign that originated from Jinan, China, and targeted senior U.S. officials and other prominent individuals. The Chinese government later denied involvement. The attacks' origins aren't being disputed so much as who is responsible.

The most famous cases of alleged "cyberwar" have some common characteristics that are at the heart of the problem. It's never clearly the governments conducting the attacks and it's plausible that outside actors are responsible. This leads to the "attribution" problem of cyberwar, that it's never crystal clear where retaliatory measures should be targeted.


In the attacks on Estonia and Georgia, the source was clearly from Russia, but was it from the Russian government, or from outside parties acting under government direction, or just some over-enthusiastic nationalists? It's always hard to tell the difference. Likewise with the myriad attacks against US businesses and government agencies that come from China. Are they coming from the Chinese government, perhaps from their "Blue Army" cyberwarrior unit? Or from one of the many criminal hacking gangs there? Or from some gang operating at the behest of the Chinese government?

In both cases, I'd say the most plausible explanation is that of the outside group working with government direction. There's a modern word for this: outsourcing, and it makes the hackers into what we have a very old word for: mercenaries.

Of course (God Bless) the United States of America would never stoop so low as to use mercenaries, would it? Well, maybe a little, like we did in Iraq. But in the case of cyberwar, why not?

When you think about it, the advantages in cyberwar of using outside contractors are profound. They include a certain amount of plausible deniability that we saw in the Russian and Chinese cases. There's also the fact that contractors can probably get away with things that actual government "cyber warriors" can't, or would at least like to avoid, like utilizing botnets built on the computers of innocent third parties.

There's also the fact that we and our allies have no shortage of computer security research and penetration testing companies that are in an excellent position to form shady subsidiaries to conduct such business. We should take full advantage.

This will require something of a "black budget," but if we're willing to use one to fund Area 51 and stuff like that, then I don't see why we don't throw the cyberwar budget in there too.

It's worth noting that this outsourcing is largely of an offensive nature, although the same firms that would do it are regularly hired by private industry for defensive consultation. There's no controversy over the defensive part of it.

I imagine we could contract out with a variety of firms and give them targets to research. They would be at the ready to conduct offensive operations only under specific orders. Experts like these will know how to make sure they don't leave a trail.

It probably makes sense to have them do reconnaissance periodically on "adversary" states, mostly just to let them know we can and are willing to do this stuff. It will be at least as anonymous as what the Chinese do to us.

I've wondered over the last few years, when we hear of these attacks from China, whether we're doing the same thing to them. I don't know, but if we are we're doing a great job keeping it secret. I'm not sure that's the best idea. It's largely bluster to claim that we'll retaliate against hacks with conventional military forces. It's hard to imagine a cyberattack big enough to justify such an action. But the countries we're talking about have their own dependence on computers, both civilian and military, and they need to know that their systems are just as vulnerable as ours. Planning for this scenario makes a lot more sense than planning for the President to shut down the Internet, as if this were Syria.

Editor's Note: This story first posted June 4, 2011 at 2:14 p.m. EDT.

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.