[Dailydave] Sympathy for the Devil

Robert Graham robert_david_graham at yahoo.com
Thu Apr 5 20:05:59 EDT 2012


Re: https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate
> 'security researchers should never turn a blind eye to their ethical 
> responsibility to help improve technology'

This is a good demonstration why libertarians oppose populists like the EFF. Rather than champion for researcher freedom, the EFF champions rules and restrictions. 

The ethical choices aren't between harming computers or not harming them. The choices are between harming computers or harming people.

If Stuxnet had not disabled the uranium enrichment program, we and/or Israel would almost certainly be in a shooting war with Iran right now. In the original Gulf War (in 1990) we sent in hackers to exploit VAXen to silence radars, instead of killing people. In the recent Libyan action, we had to kill people because cyber alternatives weren't ready/available.

The military wants cyber because it's a non-kinetic/less-lethal alternative. When given a task, they will carry it out regardless. If that means killing people, then so be it, but they want alternatives that have the least risk to our soldiers, non-combatants, and even enemy soldiers.

There is the ethical question whether cyber gives the government new abilities that would otherwise be impossible with kinetic action, or whether it encourages governments to decide on military action when it does not come with the political cost of casualties. But that's not the direction the EFF is going with their argument. Instead, while the military is killing human beings, the EFF is insisting that it's unethical to harm computers instead.


The EFF article wasn't really about military exploit sales, but cybersec legislation. The thing that is wrong with the legislation is that it's a power grab. Different groups within government are fighting among themselves to see who is in charge of "cyber", and they are all fighting together to take power in the name of "government". Outside groups are likewise fighting for influence and lucrative contracts.

Far from opposing the power grab, the EFF is fighting for their own spot at the power-and-influence table. Their argument is that the EFF is in charge of deciding what's "ethical", and that this should be reflected in legislation.


Even if you believe the worst inflated threats of state-sponsored hacking, there is little our government can do in cyberspace to stop it. Instead, such laws do much to enhance the threat from our own state. The best defense is not government, but security researchers. Stuxnet shouldn't be the exception, but the rule. Our government should declare open-season on adversaries, clarifying that it's no violation of U.S. law to attack Iranian computers or Chinese firewalls. If a researcher believes s/he can stop a shooting war, but the EFF disagrees, the researcher should be free to make that decision.


