Quarantine mechanisms contain this attack by enabling the ISP to shut off an infected computer as soon as it recognizes the infection, unilaterally and without the owner's authorization, taking the computer off-line. “The basic premise is that when you have a network disease, you have to find a way to slow the spread rate,” Mundie explained. “We quarantine people involuntarily, but in cyberspace we haven’t yet decided that quarantining is the right thing to do.” When any machine shows signs of virus or disease, it must be “isolated, contained and healed before being exposed to healthy systems,” he added. Users often don’t recognize when their computers have been compromised, so letting ISPs act on their own would bring about a much faster resolution. Depending on how the mechanism works and what kind of attack is being used, the attackers may or may not recognize that the infected device is off-line; the user, however, would find his Internet connection inoperable, by mandate of the ISP. Denying the attackers the ability to reach through the infected computer greatly reduces the harm they can do.
In Mundie’s vision, there would be a neutral international organization to which ISPs could report the IP addresses of infected computers. This way ISPs and states around the world could refuse to let quarantined IP addresses into their online space, cutting off the reach of the cyber attack. (An IP address identifies a network connection rather than a particular machine, so a quarantine keyed on addresses that are shared or reassigned can cut off uninfected users as well; the reporting would need to be precise and the release prompt.) In the meantime, investigators could watch the cyber attackers from a distance (the attackers would not know the device had been quarantined) and gather information about them to help trace the origin of the attacks. Only when the user had certifiably cleaned his device (with special antivirus software) would his IP address be released from quarantine. In addition to an international organization leading these changes, we might see in parallel the creation of an international treaty around the automatic takedown mechanism. International agreement about swift action to deal with infected networks would be a big step forward in fighting cyber attacks. States that do not agree to the treaty might risk having their whole country considered quarantined, thus putting it off-line for much of the world’s users.
Stronger network security will improve the odds for potential targets well before any quarantining is required. One of the basic problems in computer security is that it typically takes much more effort to build defenses than to penetrate them; sometimes programs to secure sensitive information rely on 10 million lines of code while attackers can penetrate them with only 125 lines. Regina Dugan, a senior vice-president at Google, is a former director of DARPA (the Defense Advanced Research Projects Agency), where her mandate included advancing cybersecurity for the U.S. government. She explained to us that, to effectively counter this imbalance, “We went after the technological shifts that would change that basic asymmetry.” And, like Mundie, Dugan and DARPA turned to biology as one of the ways to counter the imbalance: They brought together cybersecurity experts and infectious-disease scientists; the result was a program called CRASH, the Clean-Slate Design of Resilient, Adaptive, Secure Hosts.
The philosophy behind CRASH recognized that human bodies are genetically diverse and have immune systems designed to process and adapt to viruses that pass through them, while computers tend to be very similar in their structure, which enables malware to attack large numbers of systems efficiently. “What we observed in cybersecurity,” Dugan said, “is that we needed to create the equivalent of an adaptive immune system in computer security architecture.” Computers can continue to look and operate alike, but each would develop unique internal differences over time, so that a single attack no longer fits every system. “What that means is that an adversary now has to write one hundred and twenty-five lines of code against millions of computers—that’s how you shift the asymmetry.” The lesson learned is undoubtedly applicable beyond cybersecurity; as Dugan put it, “If that initial observation tells you this is a losing proposition, you need something foundationally different, and that in and of itself reveals opportunities.” In other words, if you can’t win the game, change the rules.
Still, despite some tools for dealing with cyber attacks, lack of attribution online will remain a serious challenge in computer and network security. As a general rule, with enough “anonymizing” layers between one node and another on the Internet, there is no practical way to trace data packets back to their source. While grappling with these issues, we must remember that the Internet was not built with criminals in mind; it was based on a model of trust. It is challenging to determine who you are dealing with online. Information-technology (IT) security experts get better at protecting users, systems and information every day, but the criminal and anarchic elements on the web grow equally sophisticated. This is a cat-and-mouse game that will play out as long as the Internet exists. The publication of cyber-attack and malware details will help, on balance; once the components of the Stuxnet worm were unpacked and published, the vulnerabilities it exploited were patched and cyber-security experts could work on how to protect systems against malware like it. Certain strategies, like universal user registration, might work too, but we have a long way to go before Internet security is effective enough everywhere to prevent simple cyber attacks. We are left once again with the duality of the online world: Anonymity can present opportunities for good or ill, whether the actor is a civilian, a state or a company, and it will ultimately depend on humans how these opportunities manifest themselves in the future.
To summarize: States will long for the days when they only had to think about foreign and domestic policies in the physical world. If it were possible to merely replicate these policies in the virtual realm, perhaps the future of statecraft would not be so complex. But states will have to contend with the fact that governing at home and influencing abroad is far more difficult now. States will pull the most powerful levers they have, which include the control they hold over the Internet in their own countries, changing the online experiences of their citizens and banding together with like-minded allies to exert influence in the virtual world. This disparity between power in the real world and power in the virtual world presents opportunities for some new or underappreciated actors, including small states looking to punch above their weight and would-be states with a lot of courage.
States looking to understand each other’s behavior, academics studying international relations, and NGOs and businesses operating on the ground within sovereign territory will need to do separate assessments for the physical and virtual worlds, understanding which events that occur in one world or the other have implications in both, and navigating the contradictions that may exist between a government’s physical and virtual foreign and domestic policies. It is hard enough to get this right in a world that is just physical, but in the new digital age error and miscalculation will occur more often. Internationally, the result will be more cyber conflict and new types of physical wars, and, as we will now see, new revolutions.
1 We recommend the 2006 book Who Controls the Internet?: Illusions of a Borderless World, by Jack Goldsmith and Tim Wu, which puts forth this scenario with great clarity.