Late last year, an online battle erupted when Wikileaks supporters attacked the websites of businesses that had attempted to sever ties with the online leak depository following Wikileaks’ release of thousands of secret U.S. State Department cables. Is it fair to call the dust-up to first cyberwar? And are we facing more cyberwars now?
Not really, suggested members of a panel discussing cyberwar, cybersecurity and the challenges ahead at the RSA 2011 security conference Wednesday. RSA’s being held in San Francisco through this week.
“I’ve seen the first cyberwar so many times now,” sighed panel moderator James Lewis, a director and senior fellow at the Center for Strategic and International Studies. “Some people say WikiLeaks was the first battle in the first cyberwar. All that strikes me as nonsense.”
We should draw a line between events like the theft of information and espionage on the one hand, and war on the other, said Michael Chertoff, former head of U.S. Security of Homeland Security, who was one of the panelists.
“Theft of information and espionage are very bad things, but they’re not war,” Chertoff explained. “Sabotage of systems, depending on their scale and genesis, may be war.”
The Art of CyberDefense
One problem we face with cyberattacks is that the paradigms used in the real world don’t work very well, Chertoff pointed out. This is also the case for biological warfare, he added.
“The laws of war are designed to protect the civilian,” Chertoff remarked. “In an area of cyberconflict there are no bystanders. The conflict’s occurring on your network and your machines. Do you want the government on your network? If not, do you want to protect your network? The categories we use don’t really work in this kind of frame.”
Perhaps a useful approach would be to consider that things of value such as our military infrastructure should have a layer of protection, remarked panelist Mike McConnell, an executive vice president at Booz Allen Hamilton.
“Rather than say one side’s evil and the other side’s good, let’s talk about the global network and how we can have layers of protection to protect things that are important to you,” McConnell elaborated.
What Is Cyberwar?
Cyberwar is a subset of war, declared panelist Bruce Schneier, chief technology security officer at BT.
The term “cyberwar,” Chertoff said, “underscores some risk at the upper end of the scale of some kind of cyberattack that would have consequences on the economy and perhaps some loss of life like a real war.”
Perhaps the case for cyberwar is overstated, Schneier suggested.
“Certainly ‘war’ is a sexier term than ‘cyberPearl Harbor’ or ‘cyberArmageddon,’ and it’s talked up because it’s what sells,” Schneier elaborated. “We’re seeing cybercommands being set up throughout the NATO countries. There’s a push for budget and power, and overstating the case is a good way of getting budget.”
Military war, cybercrime, espionage and potential for cyberwar can overlap, Lewis stated.
There’s a debate about whether or not we’re in a cyberwar because “we’re seeing the increasing use of warlike tactics in broader cyber conflicts,” whether these are politically motivated hacking or espionage, Schneier said.
“These are things that used to be the purview of war, and now they’re democratized; they’re no longer the purview of the state,” Schneier added. “When you have a cyberattack, who defends you depends on who attacks you and why. When you get an attack from China is it war, espionage or a bunch of Chinese kids? We don’t know.”
Should Technology or Policy Rule?
Should the solution to cyberattacks, Lewis asked, be more of a technical fix, or should it depend more on policy and setting up an international framework to come up with rules and laws?
“To me, the real challenge for the nation is the right legislative framework,” McConnell said. “How would you describe this problem in a way that describes the outcomes you’re after?”
The market won’t be able to deal with protection because “the risk is greater than the value of the company that’s doing the work,” Schneier stated. For example, when a chemical company’s attacked, it will protect itself up to its value but won’t take into account the damage to the country, he suggested.
“The maximum value is the value of your company, and beyond that is something no incentive to companies will fix,” Schneier opined.
How, then, can businesses be motivated to act for the greater good?
Perhaps the carrot and stick technique might work, Chertoff suggested.
The carrot is the creation by governments of a level of protection for companies that take steps to protect their own networks, Chertoff suggested. The counter-incentive to this is liability. “We saw a little bit of this during Y2K — any board of directors has to ask the chief risk officer or CFO what’s the risk of being sued,” Chertoff explained. “That’s the stick part of the carrot and stick approach.”