Other IHL issues that we have yet to settle, but would need to for a state actor to lawfully and justly engage in armed conflict, include the principle of proportionality: a counterattack must apply the minimum force necessary to achieve military objectives, yet how effective any cyberattack would be is largely unknown. We might launch several cyberattacks to ensure that at least one of them goes through; but if all of them work, then the resulting damage could be disproportionate or overkill. This and other issues I won't discuss here--such as the problem of attribution or knowing who attacked us and deserves to be our target--add up to a real risk that the US might act improperly and illegally given IHL, and this could trigger either a cyber war, or a kinetic war, or both.

In thinking about cyberpolicy, it's natural to look for familiar analogies to guide us. Some have argued that we should follow the policy model for nuclear arms, or outer space, or Antarctica, and so on; and none seems quite right. As imperfect as analogies inevitably are, let's take another look at this model for a possible solution: the "Wild West" of American history. Both the Wild West and cyberspace now are marked by general lawlessness; bad guys often operate with impunity against private individuals and companies, as well as what government exists in those realms, such as the lone sheriff. The distinctively American solution to the Wild West was found in the second amendment to the US Constitution: the right to bear arms. As more private citizens and organizations carried firearms and could defend themselves, the more outlaws were deterred, and society as well as the rule of law could then stabilize and flourish. We also find this thinking in current "Stand Your Ground" laws that authorize the use of force by individual citizens. If such laws make sense, could this model work for cyberspace?

Why It Could Work

Not to endorse this solution (or "Stand Your Ground" laws) but merely to offer it for consideration as a new option, what if we authorized commercial companies to fight cyberfire with cyberfire? As in the Wild West, civilians are the main victims of pernicious cyberactivities. Some estimate that industrial cyberespionage costs US companies billions of dollars a year in lost intellectual property and other harms. As in the Wild West, they now look to government for protection, but government is struggling badly in this role, for the above-mentioned reasons and others. If we consider the US as one member of the world community, there is no clear authority governing international relationships, and this make our situation look like a "state of nature" where no obvious legal norms exist, at least with respect to cyber.

This option isn't completely outlandish, because precedents or similar models exist for the physical, nondigital world today. In the open sea, commercial ships are permitted to shoot and kill would-be pirates. Security guards for banks are allowed to shoot fleeing robbers. Again, "Stand Your Ground" laws--which give some authority and immunity to citizens who are being threatened or attacked--also operate on the same basic principle of self-defense, especially where few other options exist.