This article can also be found in the Premium Editorial Download "Information Security magazine: Depth charge: Survey shows big spending on defense in depth."
Download it now to read this article plus other related content.
We've lived under the cyberwar/cyberterrorist cloud for more than a decade.
But, we've yet to see a single, credible "cyberwarfare" event. And there's good reason: Cyberwarfare simply isn't an effective form of warfare. A digital attack could cause significant disruptions, but it wouldn't come close to the specter of nuclear Armageddon during the Cold War.
To better understand the hollowness of this threat, let's debunk five key myths of cyberwarfare:
The whole notion of cyberwarfare is a scam.
Cyberwarfare Is New. Dust off your history books. Combatants have used information-based countermeasures and deception since ancient times. In the modern context, the only difference is that it occurs in cyberspace.
During the late-1990s war in Bosnia, hackers reportedly attacked NATO headquarters, disrupting communications channels to stop the bombing of Serbian positions. Assuming this did happen (NATO never confirmed the report), the cyberattacks would have forced NATO to take some counteraction. But, the Serbians and their underground supporters had little effect on the bombing campaign.
Hackers Set the Tone. If hackers can break into enterprise and government systems with relative ease, then a cyberwarrior's job should be simple, right? Not exactly. To launch a successful attack, cyberwarriors would need predictably effective and highly discriminating weapons -- things that hackers don't have. Common crackers and script-kiddies benefit from the randomness of their haphazard targeting and can't attack critical targets of choice at will.
Cyberwarfare Could Devastate the Economy. Demagogues talk about cyberwarfare causing mass disruption of critical services that might ruin the economy. But, one of 9/11's important lessons is the resiliency of the U.S. economy. Cyberwarriors or digital terrorists could cause inconveniences and disruptions -- maybe even cause the economy to sputter -- but it's unlikely they could do permanent damage.
Cyberwarfare is an Efficient Form of Offense. Cyberwar is often touted as a battlefield equalizer through which a poor nation or terrorist group could attack a superior force to soften targets in advance of physical strikes. This is utterly ridiculous. Even if a cyberattack reduces a target's responsiveness, you still need a viable military force to take and hold territory. Demagogues argue that cyberwarfare is an option for a nation or terrorist group that just wants to inflict damage and spread fear. The sad truth is that a single fanatic with a gun and homemade explosives is vastly more effective.
Cyberwarfare Is Anonymous. What good is anonymity if you're trying to strike fear into a target population or persuade a government to change its policies? There's a reason why terrorists blow up buses and buildings: It's how they get on the six o'clock news. Cyberwarfare units and terrorists may use the Internet to conceal their nefarious activities, but they'll usually race to take credit once their plans come to fruition. For nation-states, an anonymous digital attack might be useful for tweaking a superior enemy, but their identities will eventually be discovered.
The whole notion of cyberwarfare is a scam. The security community has been treated to the constant drumbeat of cyberwarfare FUD, but, in the absence of a real threat, we're left with little more than Chicken Little hype and unfounded speculation.
Should we discount the possibility? Like most things in security, common sense and attention to detail will go a lot farther toward improving security than trying to scare people with tales of cyber-invaders.
MARCUS J. RANUM is a senior scientist at TruSecure Corp. and the author of The Myth of Homeland Security (Wiley, 2003).
This was first published in April 2004