Bruce Schneier: What is cyberwar?
Date: Feb 22, 2011
In this RSA Conference 2011 interview, Michael Mimoso, Editorial Director of the Security Media Group at TechTarget, interviews Bruce Schneier, Chief Security Technology Officer of BT Group, and tries to answer the question, "What is cyberwar?"
Read the full transcript from this video below:
Mike Mimoso: Hi, I'm Mike Mimoso and I've got Bruce Schneier
with me today. Hi, Bruce, how are you? Thanks for joining us.
Bruce Schneier: Yeah, thanks for having me.
Mike Mimoso: A lot of people are juxtaposing cyberespionage and cyberwar, and clearly there's a
distinction there. Why do you think it's important to get that message out that those two can't be
juxtaposed, can't be confused, and, how is it leading to confusion out there?
Bruce Schneier: I think there's a lot of confusion in definitions. And it's not just the general
populace, it's us in security don't have a good definition. What is cyberwar? How does it start?
What does it look like? How does it end? How do you fight it? What does a weapon look like? When
you think of the examples of what cyberwar could be, a lot of examples of what has been cyberwar:
Estonia and Georgia, things that happen in Brazil, Stuxnet, the stuff China is doing, some of the
more politically motivated attacks. What we're seeing I think is a broad use of war-like tactics in
broader cyberconflicts. So, whether it's espionage or a criminal attack or a government attack, or
kids playing politics; they're all using the same stuff. They're all using the same
vulnerabilities; they're attacking the same operating systems and we don't have a good
definition.
Scott Charney made a point a couple of years ago that I think is really perceptive. What he said is
that when you're attacked in cyberspace there's a variety of institutions that you can call on to
defend you. The police, the military, Homeland Security, your corporate lawyers, a bunch of
products and services you bought. And who has jurisdiction in any particular attack depends on two
things: who is attacking you and why. In cyberspace when you're attacked the two things you don't
know are: who's attacking you and why. That means when you're attacked you don't know. Is it a
hacker? Is it a government? Is it a military? Is it politically motivated? Is it financially
motivated? These things are largely opaque to you. So you don't know who to call. So a lot of these
calls for cyberwar, I think, come from the fact that one, these are war-like tactics that have just
become democratized. And two, you don't know who's attacking you so you assume the worst.
Mike Mimoso: Should we care who's attacking us, outside of obviously a political national security
context? I mean, does it matter who is attacking us? I mean everybody kind of takes the approach
of, "Well we're putting our defenses in place no matter what the threat is and we're trying to
counter threats as opposed to who's behind them."
Bruce Schneier: Well, it depends on who the "we" is, right? The FBI cares. Is it my jurisdiction or
is it DOD? Is it a criminal or is it a terrorist?
Mike Mimoso: Right.
Bruce Schneier: Who is attacking you? The attacks might be the same but the motivations, the
objectives, the risk aversion, that's all different. So while we largely use the same tools, in
many ways we shouldn't. Because the sorts of tools that will deter a criminal, an opportunist,
won't deter an actual and an advanced persistent threat that will work to get around your tools.
The criminal is going to go somewhere else. If you have more security they'll go elsewhere. A spy
organization won't do that. A military will come in and shoot people. So it's fundamentally
different, what the attack looks like. Even though they're all using a denial-of-service attack or
they're all using a buffer overflow. When Israel attacked the Syrian nuclear power plant in 2007,
not confirmed but widely believed, that they used cyberattacks to disable the Syrian air defense
systems. Now, I would hope the Syrian air defense understands that their attacker isn't a hacker,
isn't a criminal, but is a highly motivated foreign intelligence organization that is supporting a
military attack. So, right, they both might have firewalls, but they're going to have very
different ways of looking at security.
Mike Mimoso: Great. Thanks, Bruce. Thanks for joining us today.
Bruce Schneier: Thank you.
Mike Mimoso: For more information, go to SearchSecurity.com.