There are already several digital Blackwaters, so to speak. HBGary Federal is the obvious unsuccessful one, but you also have much more successful ones like Endgame Security.
Personally my view is that the 'physical' Blackwaters of the world haven't demonstrated an awful lot of adherence to the moral requirements associated with such work, so why would the virtual ones do the same? If you sanction a company with the ethics of Blackwater to do offensive work, do you really think the only side they're ever going to fight on is yours? Do you think that they'd represent your interests, or theirs, and do you think there'd be any hope of the kind of transparency or limitations that you'd at least expect to see in a state-run equivalent?
I think a lot is down to how you define success. They had a successful Series A round, but I wouldn't consider that success in itself.
I've seen a few things where I've been told it's from Endgame and I have to say that there's no way that the information contained could've been acquired in any way that could be construed as lawful under UK law (bear in mind that our computer crime laws are garbage, but that's another discussion), although I don't have any financial information.
I see - I saw the pricing sheet from Endgame that was leaked, but it was not clear to me if anyone is really buying their services, and I am in the industry (doing non-shady things). So I was just curious.
I agree a "digital blackwater" can be much more effective than the government for this kind of thing.
However, unlike physical violence, there's not as much "inherent human moral knowledge" about computer crime/war/terrorism. It's pretty obvious to anyone (including Blackwater shooters) that shooting people is wrong, all things being equal; it is necessary in certain situations, but is to be avoided if possible. Some kinds of shooting are worse than others, and there are lines which most people wouldn't cross (shooting obviously unarmed people, children, etc.), even if ordered to do so.
With most computer crime, it's not so obvious who is being hurt and how much; there's also no primate/reptilian brain response to most of the activities themselves, only their consequences.
There's also much more potential to use "able to do digital violence" to influence business and politics within a stable nation state than to use physical violence. Organized crime only really can operate in marginal communities, at least through violent extortion -- in more developed places, it sticks to providing unmet (illegal) needs like drugs, gambling, prostitution, etc., or operates at a sub-organized level.
There's really nothing in "inherent morals" of people, or in cultural values, which will prevent using a "digital blackwater" for political or business ends.
If someone goes down this road (and the Chinese appear to have already, and possibly Russia), everyone else has to, but the world will become worse overall. Better for hackers, perhaps, as a subset, but I'd be fine with having a little less money and living in a less-Gibsonian world.
I do agree that there comes a time when you have to look at the current security environment and realize that you need to enable the private sector to do more to defend themselves than appears possible currently. Relating of course to industrial espionage and the so-called "APT", not this #antisec nonsense. I don't look forward to a world where private firms are employing offensive cyber-mercenaries, but let's be honest - that is what many Chinese firms and some western firms are already doing. Something needs to change to let western businesses respond to these threats, and it's clear that the usual mantras of defense in depth and being increasingly vigilant just aren't leading us down a winning path. We may never have an infosec world where it's possible to adequately rely on defense only; perhaps it is time to move past the missile defense shields and on to MAD - much like US defense has gone.
It is more than "what many Chinese firms" are doing; it is what the Chinese government in collusion with many Chinese firms is actively doing all the time at all levels of US infrastructure, including not only industrial espionage but also actively attempting to steal all military and other tech from every server connected to the internet. Everything stolen is then pushed back to the appropriate vendor, which includes of course whatever companies are capable of producing stolen tech. This then is produced at low cost overseas and shipped back to the American consumer, who purchases it at the expense of an American product, leading to a loss in revenues for the American company that originally designed and produced the stolen product and dozens or hundreds more unemployed Americans.
This isn't MAD, this is constant low-level warfare waged by a foreign power without any US response except for monitoring and sporadic defensive efforts. The problem with a counter-offensive, esp. one waged by proxy private sector forces is that, first of all, the US is continually fighting the last war over and over (oh yes, let's invade Libya and set up democracy there... ), second of all even if we can plant detonation devices in Chinese infrastructure like they most certainly have littered in ours (who knows how many electric grids they could shut off at a moment's notice) this doesn't prevent their offensive efforts at all. In fact, the only thing that can prevent theft on a large scale is penalizing that theft, which certainly no current administration is capable of doing (notice the long-standing list of promises regarding IP protection that China has reneged on). So really the only solution here is to innovate much more quickly domestically (including whatever private sector partnerships are appropriate via DARPA, etc.) and to continue to develop offensive capacities (which undoubtedly exist but given the classified nature of such, it is hard to know quite how well developed or capable they are). Undoubtedly we should also try to knock off Chinese government servers periodically as they do to ours just to be certain that we can -- and a private Blackwater might be just the ticket.
There is a considerable amount of intelligence that continues to be gathered in the private sector about exploit authors, Chinese hacking groups, and the actors involved in ongoing intrusions. Many of these groups conduct a fair amount of discussion and training pretty out in the open, confident of their status as out of the reach of western justice. Specific techniques and code present in a pair of Adobe 0-days used this spring point very loudly back to one collective and probably one or two specific actors that talk about these techniques in public in person. There are strong rumors that the Night Dragon intrusions track back to a specific actor. I've seen private investigator reports tailing specific intruders who verify that monitored intrusions happen reliably just minutes after people they have full dossiers on show up at their office. With many intrusions it's clear that the long-term hosts are complicit in the behavior. The wall-of-proxies defense tends to, or at least can, fall down against determined back hacking of the client.
All of these circumstances may not be the norm, but they exist. More would exist if there were more incentives to develop this kind of intelligence. The basic problem now is OK - what do you do with that info? NSA offensive security practices are not built for or available to the private sector. However, it seems very possible that these individual actors could be dissuaded, harassed, redirected or worse given the right program.
I'm not speaking of a state vs. state MAD. Perhaps I used the wrong term. But, even though I'm not a gun fan, there must be something to the idea that your neighbors may be less likely to break into your house if everyone knows you own a gun and you live somewhere you can shoot an intruder.
Not to mention, the internet is a lot speedier than missiles - you'd need your destructive forces to detect, react and utterly destroy your target in milliseconds, otherwise they'll shut you down before you can do anything.
So like LulzSec, Anonymous, or all of the other groups, but operating for money instead of humor and ideology. Sounds like a brilliant idea (that's sarcasm, by the by).