A couple of weeks ago, sources in the White House leaked that the US was behind Stuxnet (to bolster Obama's image as a militarily tough President?). That's the cyberweapon that sabotaged the centrifuges being used by the Iranians in their nuclear program last year.
However, the story doesn't end there. Researchers around the world found that a much more powerful cyberweapon called Flame, uses exactly the same code as Stuxnet. Given the evidence, officials confirmed that Flame is a US cyberweapon. It's a weapons system that functions as both a spy network and carrier battlegroup (it can gather info and stage attacks by other cyberweapons). It's also designed to penetrate even extremely secure networks (government and corporate).
What's the problem? Flame has been set loose. It isn't just on Iranian government networks. It's on the open Internet. It's self-replicating (making copies of itself) and infecting computers and networks around the world. Breaking into corporate and government system of friends and allies. Keylogging (at a minimum, it has the capacity to activate microphones and video cameras attached to the computer) the activities of hapless citizens around the world...
The question now is: now that people are aware of this cyberweapon, who's going to pay for the cleanup? The US essentially "stole" information and illegally violated the computers and networks of countless numbers of people and companies: stealing proprietary info, violating privacy rules, etc.
I can hear the cash registers of countless law suits ringing....
This leads me to an interesting question: Do we need a Pottery Barn Rule for cyberweapons?
First, a little background.
In 2002, to Colin Powell came up with something that Thomas Friedman later called the "Pottery Barn Rule." Powell came up with the rule to counter (unsuccessfully) advisors to the President that claimed invasion of Iraq would be fast, costless, and painless (as in, "they will greet us with flowers.."). The Pottery barn rule describe the moral, financial, and security burden incurred with an invasion. In long form, it looks like this:
'You are going to be the proud owner of 25 million people. You will own all their hopes, aspirations, and problems. You'll own it all.'
Later, he added this: "It’s going to suck up a good 40 to 50 percent of the Army for years. And it’s going to take all the oxygen out of the political environment."
Friedman boiled the rule down to this:
"You break it, you own it."
Of course, if we had followed this advice in Iraq and Afghanistan, it would have saved countless lives (both killed and maimed). Less importantly, it would have allowed the US to shave $2 trillion off the last decade's "security" bill, while achieving the same impact (a defunct al Qaeda).
So, in shot, let's make a new rule for cyberweapons that pundits can point to later during a bout of buyer's remorse.
Let's call it The "WR Grace Rule"
It's a rule that WR Grace learned the hard way: through hundreds of thousands of lawsuits to recover damages due to asbestos and other chemical spills that have killed a countless number of people worldwide.
In simple form, it's:
"You contaminate it (a computer or network), you own it."