Michael Chertoff, former US Secretary of Homeland Security, recently emphasized that establishing rules of engagement regarding cyberwar should be a top priority. Dealing with the issue of active defenses is an important component of this initiative.

“Preemption” is a loaded word. The right of a nation to act in self-defense against imminent threats is protected by Article 51 of the UN Charter, but cyberspace adds a different dimension to the issue. If the government discovered potentially malicious code on a computer, code that could disable a US power grid, or shut down military command and control centers, preemptive action to destroy the virus would necessitate a delicate hand.

The code could be on another country’s computers, on a civilian’s computer, or within the government network. Eliminating the code could have unintended effects on target computer or computer system, and accessing it might violate the owner’s civil liberties. In order to respond in "real time" to cyber threats, should the United States develop more automated response systems? If this was the case, cyber threats could be countered without a single human involved. Efficient, but scary.

Sanctioning unchecked cyber preemption is a problem. From a government standpoint it means revealing defense capabilities, as well as the priorities about what assets are important to us. At worst, it means taking a first, possibly aggressive action, that could have inadvertent negative effects on targeted systems, or even provoke an enemy to retaliate. On the other hand, if no preemptive action is taken, one could end up with an "embarrassed executive problem." Somewhere in the aftermath of a cyber attack, an official will have to sit in front of Congress and say the equivalent of "Yes, we knew the oil rig had safety issues, but we didn't fix them." And that, as we all know, is frustrating.