SAN FRANCISCO – A panel of high-profile government and security experts waged a semantics battle at RSA Conference 2011 Tuesday over the use of the term cyberwar. The debate set the context for a bigger discussion on the use of offensive weapons in cyberspace, and how economic and political forces are guiding this conversation in Washington and around the world.
Former secretary of Homeland Security Michael Chertoff, former Director of National Intelligence Michael McConnell and security expert Bruce Schneier said there's a certain ambiguity with the cyberwar definition, largely because the ground rules for such conflicts haven't been established. Also, too many times, the panel said, cyberwar and cyberespionage are juxtaposed.
I'd like to think we're an informed society, but if you look at history, we'll have to wait for a catostrophic event before we get legislation, and at that point, we'll overreact.
former DirectorNational Intelligence
"War is a sexier term than cyberattack. These are headline terms -- that's what sells," Schneier said. "But the reality is that we're seeing cybercommands up and running in different nation-states and with NATO. There's a lot of push for budget and power, and overstating the threat is a good way to get people scared. These are big terms and useful terms if you're trying to set up a cybercommand."
The packed keynote hall, via a show of hands, seemed to put last summer's Stuxnet attack against an Iranian nuclear facility in the category of cyberwar. However, last year's Aurora attacks against Google, Adobe and other tech companies, defense contractors and large enterprises fell into the category of espionage.
"Using conventional definitions of war, the theft of information is espionage, while very bad, is not considered war," Chertoff said. "In my mind, the catostrophic destruction of systems, sabotage, maybe war."
McConnell harkens the conversation back to the early days of the Cold War between the U.S. and Russia when the U.S. built a deterrance policy, debates were held and policy decisions were made that ultimately, he said, were the right call.
"Rather than say it's hype for benefit, let's say it's part of the discussion," McConnell said.
The war dynamic has certainly changed, Schneier said.
"We're seeing the increasing use of war-like tactics in cyber conflicts: politically motivated hacking, espionage, these things used to be the purview of war. Now this stuff is more democratized, it's in the hands of nonstate actors. Scott Charney made the point that when you're attacked in cyberspace, who defends you? It depends on who is attacking you and why. In cyberspace, you don't know. Is the attack from China? Is it war, espionage, or kids playing politics? You don't know, but they're all using the same attack."
Chertoff echoed the worry over the confusion; attacks are happening on machines that are privately owned. Who is responsible for defending those machines; do you want the government on your networks? "That's why we have a lot of stress; the traditional categories don't work."
The panel debated whether market pressures could mitigate some of these issues. Schneier said that isn't feasible because the risk is greater than the value of what's doing the work.
"A chemical plant faced with the risk of a terror attack will secure it to the value of the company," Schneier said. "If there's a risk to the country, it won't secure it to that level. It won't be their risk. There will be a delta where a market economy won't get to it."
Moderator Jim Lewis of the Center for Strategic and International Studies suggested incentives for cybersecurity, something Chertoff was aboard with. "It's relatively easy to do--create revenue protection immunity for companies that protect their networks," Chertoff said.
In the end, however, McConnell thinks it's likely that, despite all the rhetoric and debate, this issue will be solved like all others: reactively rather than proactively.
"I'd like to think we're an informed society, but if you look at history, we'll have to wait for a catostrophic event before we get legislation, and at that point, we'll overreact."