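Four months ago, Microsoft scored a success in the cyber world. The company's digital scouts discovered a "botnet" (that is, fake servers) that had planted malware in many computers around the world, and the company then worked with the US Federal Bureau of Investigation (FBI) and others to shut the network down. What worried them, says Tom Burt, Microsoft's deputy general counsel, was that they found at least 12m personal computers (yes, 12m) had been infected.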
If you are tempted to shout “hooray”, that is understandable. After all, botnets pose a particularly pernicious threat since they are fiendishly hard to find. And cyber attacks in general are increasing explosively, costing global businesses $400bn a year, according to data from Microsoft.
There is a catch, though. Microsoft and the FBI now hope to bring the cyber hackers who created that botnet to court. But since this botnet was not entirely run from US soil — and those 12m infected computers sit everywhere around the world, from China and India to Chile and the US — the saga could be about to plunge into a legal grey zone.
“Think of a situation where you have a botnet in Singapore run by hackers in Bulgaria who cause damage to somebody in America,” Mr Burt told a Financial Times conference in Washington this week. “Who has jurisdiction? What laws are used?” Nobody knows. In cyberspace, as in the global financial system a decade ago, a plethora of criminal activity is in danger of falling between the cracks because national rules are ill suited to a fast-moving digital world.
Investors and politicians around the world should take note — and worry. Deeply. In the past couple of years, western governments and businesses have made considerable strides in building defences against cyber crime. This week in Washington, for example, the Department of Homeland Security is launching an “automated information-sharing” program for utility companies. The aim is to ensure that, “when adversaries try something” against one US utility company, everyone else is alerted, according to Suzanne Spaulding, an undersecretary at the department.
In truth, such information-sharing is still imperfect. John Carlin, assistant attorney-general for national security, admits “the vast majority of companies do not report small intrusions” to each other. But the situation is better than four years ago, when suspicion between business and the security establishment reached such depths that the US Chamber of Commerce dragged its feet about setting up mandatory information-sharing programs. And the fact that nobody has yet conducted a successful hack on a US utility, say, is one reason for comfort.
But, as business and government strengthen their defences, the big missing piece of this campaign is punishment. As any parent or regulator knows, it is hard to deter wrongdoing without a system for imposing discipline. And, right now, remarkably few cyber criminals have been brought to trial relative to the scale of the current $400bn heist.
That partly reflects the difficulty of identifying and apprehending perpetrators, particularly in places such as Russia and China. The other big problem is the one faced by Microsoft: the legal framework across borders is a mess.
In a rational world, this would suggest a multilateral body, such as the UN, urgently needs to create some common laws or at least promote more mutual recognition. In the real world, sensible collaboration is hard to organise now; indeed, events such as the Edward Snowden affair — where revelations by a former US National Security Agency contractor about the extent of American internet surveillance fuelled transatlantic rows over privacy — are making this debate even harder. “Walls are going up,” says Mr Burt.
So in the interim, US officials are using whatever homegrown tools they have. Mr Carlin, for example, says Washington security officials recently managed to extradite from Malaysia a suspected hacker who had created a cyber attack against a US retailer that spearheaded a bigger Islamist plot.
But strong-arm US legal action is not an effective long-term solution; not least because such unilateral measures risk sparking a backlash. And many western companies are in effect stuck: they can build defences against cyber crime but cannot effectively retaliate.
So when people describe cyber space as the new Wild West, they are only half correct. This is a place where baddies have an endless supply of cheap guns but ordinary citizens have only barricades. This looks unlikely to change soon — unless and until companies such as Microsoft find a way to put those botnet creators behind bars. That would be an even more remarkable coup.