On Lawfare, Elaine Korzak and Herb Lin are pushing a proposal for the computer industry, or, er, the world:
This article proposes the creation of an international organization modeled after the International Committee of the Red Cross (ICRC) to provide assistance and relief to vulnerable citizens and enterprises affected by serious cyberattacks. Companies that have signed onto the Tech Accord principles would form the core of the organization, thereby filling an important gap in an increasingly volatile geopolitical environment. In this article, the term “cyber-ICRC” is intended to be suggestive of the role that such an organization might play but not to imply any kind of formal connection to the ICRC. Moreover, we emphasize that the proposal outlined in this article has not been vetted by anyone at the ICRC and is not endorsed by the ICRC in any way.
I’ve been going back and forth on this proposal in my mind. Why not let private industry continue to provide relief services? This is basically a socialization of the costs of cyber-attacks, and the responsible entity can be public or private.
That said, what about a corrupt private entity which provides relief services – for a price – and then engages in malicious attacks? Illegal and unethical, but also a special problem for the victim, as they may not have the technical smarts to detect that sort of activity.
Which suggests that a cloud computing solution may be a way around the problem, as that permits the concentration of qualified technical personnel who can repair and defend the computing system. But since we’re talking corruption, wouldn’t it make financial sense for a cloud computing organization to actually attack non-customers in hopes of chasing them right into their customer list?
Obviously, I got up a little too early this morning.
But corruption could certainly invade the hypothetical Digital Red Cross as well, and while some of the details will differ, as I suspect national governments would be more likely the malicious actors in our little dramas, the results may be the same.
So I’m fairly ambivalent. But I do note an implicit category error, which Korzak and Lin do not address. The ICRC saves lives, and life is an absolute necessity before we can do anything else. Computers and computing? They may seem like necessities.
But they’re not.
