There's an interesting article at Strategy Page on the DoD's preparations for waging offensive cyberwar, which notes that it likely will entail a public-private partnership:
Since the military cannot afford to pay enough to recruit qualified software and Internet engineers for this sort of work, it has turned to commercial firms. There are already some out there, companies that are technically network security operations, but will also carry out offensive missions (often of questionable legality, but that has always been an aspect of the corporate security business.)
Some of these firms have quietly withdrawn from the Internet security business, gone dark, and apparently turned their efforts to the more lucrative task of creating Cyber War weapons for the Pentagon. It may have been one of these firms that created, or helped create, the Stuxnet worm.
Which got me thinking. First, it's an odd procurement system that doesn't allow the Pentagon to pay expert individuals a high enough salary to bring them in house, but allows the Pentagon to outsource the same work to private companies and pay those companies enough for the companies to afford hiring such individuals. I frankly don't see the logic.
Second, why would these offensive cyberwar firms necessarily limit themselves to working for the DoD? It's widely known that Chinese hacker collectives sponsored by the Chinese government "are responsible for the majority of cyberattacks on U.S. businesses and government agencies":
The bulk of the attacks are stealthy in nature and have resulted in the loss of billions of dollars’ worth of intellectual property and state secrets from the private and public sector. ... “Industry is already feeling that they are at war,” said James Cartwright, a retired Marine general and the former vice chair of the Joint Chiefs of Staff.
Imagine a corporate CEO of the more imperious type who arrived at work one morning to be told that his firm's trade secrets had once again been stolen in a cyberattack launched by Chinese hackers. Frustrated that the US government is not doing more to put a stop to Chinese industrial cyber spying, the CEO hires one of these internet security firms and launches his own private war against China. Or maybe it's the CEO of an outfit like Google or Microsoft, which probably has the capacity to wage cyber war in house.
It'd make a great thriller. (Of course, corporate wars have been a staple of science fiction for a long time.)
It'd also make for some very interesting legal issues. And not just in the usual suspects like international law re the use of force or domestic laws on private armies and cyber crime.
Assume, for example, that the CEO got board of director approval before declaring war on China. A shareholder files a derivative suit in the Delaware Chancery Court. Would the business judgment rule protect the directors in this case? Assuming the company has a Section 102(b)(7) exculpation clause in its articles of incorporation, would that clause preclude monetary liability in such a case? Does it matter whether the company wins the war? What are good corporate governance practices for a company that goes to war with a nation-state?