Cyberwarfare

Defining cyber warfare

Published 23 February 2011

Several high-profile cyberattack incidents have led commentators to worry that we may be using the wrong metaphor to describe the phenomenon; Bruce Schneier, for example, says that “What we are seeing is not cyber war but an increasing use of war-like tactics and that is what is confusing us. We don’t have good definitions of what cyber war is, what it looks like and how to fight it.”

Bruce Schneier, chief security officer for BT Counterpane, is due to address the RSA security conference in San Francisco this week on the sensationalizing of cyber war threats. The event is a cryptography and information security-related conference held annually in the San Francisco Bay Area.

Based on several high-profile incidents from recent years, Bruce Schneier, a cybersecurity maven, said that there was a power struggle going on involving a “battle of metaphors.” These incidents include the 1998 blackouts in Brazil, attacks by China on Google in 2009, the Stuxnet virus that attacked Iran’s nuclear facilities, Wikileaks, and the hacking of Republican vice-presidential candidate Sarah Palin’s e-mail.

“What we are seeing is not cyber war but an increasing use of war-like tactics and that is what is confusing us. We don’t have good definitions of what cyber war is, what it looks like and how to fight it,” said Schneier.

Howard Schmidt, cyber security coordinator for the White House, supported Schneier’s claim by saying, “We really need to define this word because words do matter. Cyber war is a turbo metaphor that does not address the issues we are looking at like cyber espionage, cyber crime, identity theft, credit card fraud. When you look at the conflict environment - military to military - command and control is always part of the thing […] Don’t make it something that it is not.”

A report by the Organization for Economic Cooperation and Development (OECD) also concluded that the majority of hi-tech attacks, such as malware, distributed denial of service, espionage, and acts of recreational hackers, do not deserve the name. Catastrophic single cyber-related events that might merit the title include a successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol, which determines routing between Internet Service Providers, and a very large-scale solar flare, which could severely damage key communication components such as satellites, cellular base stations, and switches.

Professor Peter Sommer, co-author of the report, said that “If you use exaggerated language, you’re highly unlikely to come up with good risk analysis and management.”

Last week, the Cybersecurity Enhancement Act was introduced in the Senate, following reports by oil companies and NASDAQ officials of their computer systems being repeatedly hacked. Schneier worries that such legislation might be symptomatic of knee-jerk politics.

As federal agencies scramble to define cyber warfare and its multitudinous threats, talk of creating an equivalent of a Geneva Convention for cyber space has been gaining momentum.

The proposal was raised by the international affairs think tank the EastWest Institute at a security conference in Munich last week. With such an accord, targeting enemy hospitals or certain types of civilian systems that would endanger innocent lives would be ruled out.

Similar notions were brought up in Britain by Foreign Secretary William Hague, who called for countries to come together and agree on a set of rules to prevent cyber war. He reported that the Foreign Office IT system had come under attack from a “hostile state intelligence agency.”

Sir Richard Mottram, Tony Blair’s former top national security adviser, told a House of Lords inquiry that new “laws of war” were needed to cope with such a threat. “Could a cyber attack constitute an act of war? Absolutely. If you could establish who had done it of course… is it feasible to imagine laws of war that could apply in relation to cyber attack? Answer - it is feasible,” said Sir Richard.

Schmidt, believing that not every country would sign up to such an agreement, voiced his skepticism: “I don’t know that a treaty is going to solve anything at this juncture […] Not everyone thinks about this unilaterally around the world. We can’t do this by ourselves,” he said.

Industry commentator Declan McCullagh believes the idea to be a step in the right direction: “I don’t think everyone is going to respect it, and maybe the U.S. won’t respect it at times, but at least it starts the discussion and will probably have a positive effect.”