Private-Sector Cyberweapons: An Adequate Response to the Sovereignty Gap?

<p style="text-align:justify;">The cyber domain exhibits a sovereignty gap: the government cannot protect the private sector against all relevant threats. The challenge of cybersecurity, therefore, is essentially one of civil defense: how to equip the private sector to protect its own computer systems in the absence of decisive government involvement. Ordinarily, civil defense has involved passive measures such as resilience and redundancy. These measures, however, will not redress the sovereignty gap unless they are complemented by a proactive approach – especially the techniques of “active defense,” which attempt to neutralize threats before they are carried out. Yet presently the authority to implement active defense belongs exclusively to the government. Top officials in the United States and other countries have called for changes in law and policy that would bolster private sector active defense, such the insertion of web beacons in hostile machines. This paper explores the possible strategic and other consequences of arming the civilian quarters of cyberspace with active defense capabilities. It argues that while the potential defensive and other benefits of private-sector arms are significant, the risks to defenders, innocent third parties, and international conflict stability are notably greater. Cyber civil defense should remain a reactive enterprise. </p>