Dave Clemente
(Former Chatham House Expert)

In response to what was perceived as the censorship of Wikileaks, an online activist group launched a series of cyber attacks at Visa, MasterCard and PayPal as 'revenge' for the decision of these companies to suspend the processing of all donations to Wikileaks.

Plenty has been written about potential for terrorists (or even environmental activists) to launch cyber attacks against nuclear power plants or other critical national infrastructure. But while these recent attacks had the same effect of forcing costly disruptions, the attackers had a vastly different motivation; freedom fighting for increased internet transparency. As online activism continues to grow, it will force corporations to adopt new methods of defence and prevention in response to 'non-traditional' threats.

In this instance volunteer activists downloaded a programme from the internet and were immediately able to begin launching cyber attacks en masse. This demonstrates how low barriers to entry are in cyberspace, where technical knowledge is not a requirement for participation, and where changes happens with a speed that is difficult if not impossible for governments and corporations to match.

It also raises the questions; to what extent should corporate entities police the internet, often in the absence of adequate government legislation? How can they deal with anonymous actors who are spread around the globe and operate, sometimes very freely, under a multitude of legal jurisdictions?

This question of responsibility and policing has generally been viewed as a conversation amongst states and corporations, for example in the censorship dispute between China and Google. Yet the private sector is increasingly forced to acknowledge not just the wishes of their shareholders and national governments, but also the impact of actors that were previously though to be insignificant.

The private sector can choose to respond in a variety of ways. One option is to increase resilience to cyber attacks through advanced defences, backup systems and other technological safeguards. Another possibility is to work more closely with government to update legal frameworks so that they can provide guidance in an increasingly complex operating environment. The third and least expensive option (in the short term) is to muddle through and hope that lightning strikes someone else. This option only works until a cyber attack steals valuable intellectual property, a situation which often results in equally expensive (and reactive) decisions by the Board of Directors.

The private sector owns the vast majority of internet infrastructure, and as such are forced to engage with a wide variety of stakeholders. This is a difficult balancing act, and one that can result in a public relations disaster, or at the very least a meagre compromise that satisfies no one. Even though corporate managers are far more agile than government bureaucracies, they will have to become even more nimble as the rules of the game attempt to catch up with the fastest players.

A recent Chatham House report stated that cyber warfare 'could be the archetypal illustration of 'asymmetric warfare' - a struggle in which one opponent might be weak in conventional terms but is clever and agile, while the other is strong but complacent and inflexible.' While this current episode does not (yet) rise to the level of cyber war, it easily fits the description of asymmetric conflict.

This episode also shows that the limits of transparency and policing (both public and private) are hotly contested. There is strong disagreement where the lines should be drawn. The internet facilitates this contest, and significantly levels the playing field between large and small players. These disagreements have been bubbling below the surface for some time, and the unfolding controversy surrounding Wikileaks has significantly raised the temperature. The private sector is part of this controversy, and their choices are a combination of building walls, building rules or building a house of straw.