Bruce Schneier: What is cyberwar?

Bruce Schneier: What is cyberwar?

Bruce Schneier: What is cyberwar?

Date: Feb 22, 2011

In this RSA Conference 2011 interview, Michael Mimoso, Editorial Director of the Security Media Group at TechTarget interviews Bruce Schneier, Chief Security Technology Officer of BT Group and tried to answer the question, "What is cyberwar?"

Read the full transcript from this video below: 
Bruce Schneier: What is cyberwar?

Mike Mimoso: Hi, I'm Mike Mimoso and I've got Bruce Schneier with me today. Hi, Bruce, how are you? Thanks for joining us.

Bruce Schneier: Yeah, thanks for having me.

Mike Mimoso: A lot of people are juxtaposing cyberespionage and cyberwar, and clearly there's a distinction there. Why do you think it's important to get that message out that those two can't be juxtaposed, can't be confused, and, how is it leading to confusion out there?

Bruce Schneier: I think there's a lot of confusion in definitions. And it's not just the general populous, it's us in security don't have a good definition. What is cyberwar? How does it start? What does it look like? How does it end? How do you fight it? What does a weapon look like? When you think of the examples of what cyberwar could be, a lot of examples of what has been cyberwar: Estonia and Georgia, things that happen in Brazil, Stuxnet, the stuff China is doing, some of the more politically motivated attacks. What we're seeing I think is a broad use of war-like tactics in broader cyberconflicts. So, whether it's espionage or a criminal attack or a government attack, or kids playing politics; they're all using the same stuff. They're all using the same vulnerabilities; they're attacking the same operating systems and we don't have a good definition.

Scott Charney made a point a couple of years ago that I think is really perceptive. What he said is that when you're attacked in cyberspace there's a variety of institutions that you can call on to defend you. The police, the military, Homeland Security, your corporate lawyers, a bunch of products and services you bought. And who has jurisdiction in any particular attack depends on two things: who is attacking you and why. In cyberspace when you're attacked the two things you don't know are: who's attacking you and why. That means when you're attacked you don't know. Is it a hacker? Is it a government? Is it a military? Is it politically motivated? Is it financially motivated? These things are largely opaque to you. So you don't know who to call. So a lot of these calls for cyberwar, I think come from the fact that one, these are war like tactics that have just become democratized. And two, you don't know who's attacking you so you assume the worst.

Mike Mimoso: Should we care whose attacking us, outside of obviously a political national security context? I mean, does it matter who is attacking us? I mean everybody kind of takes the approach of, "Well we're putting our defenses in place no matter what the threat is and we're trying to counter threats as opposed to whose behind them."

Bruce Schneier: Well, it depends on who the "we" is, right? The FBI cares. Is it my jurisdiction or is it DOD? Is it a criminal or is it a terrorist?

Mike Mimoso: Right.

Bruce Schneier: Who is attacking you? The attacks might be the same but the motivations, the objectives, the risk aversion, that's all different. So while we largely use the same tools, in many ways we shouldn't. Because the sorts of tools that will deter a criminal, an opportunist, won't deter an actual and an advanced persistent threat that will work to get around your tools. The criminal is going to go somewhere else. If you have more security they'll go elsewhere. A spy organization won't do that. A military will come in and shoot people. So it's fundamentally different, what the attack looks like. Even though they're all using a denial-of-service attack or they're all using a buffer overflow. When Israel attacked the Syrian nuclear power plant in 2007, not confirmed but widely believed, that they used cyberattacks to disable the Syrian air defense systems. Now, I would hope the Syrian air defense understands that their attacker isn't a hacker, isn't a criminal. But is a highly motivated foreign intelligence organization that is supporting a military attack. So, right, they both might have firewalls, but they're going to have very different ways of looking at security.

Mike Mimoso: Great. Thanks, Bruce. Thanks for joining us today.

Bruce Schneier: Thank you.

Mike Mimoso: For more information, go to

More on Security Awareness Training and Internal Threats-Information

  • canderson

    Insider threat prevention may demand more spending

    VIDEO - Video: Randy Trzeciak of Carnegie Mellon University suggests preventing insider threats may require more spending because they pose a greater risk than most external threats.
  • canderson

    Non-malicious insiders: The biggest insider threat of all?

    VIDEO - Video: Insider threats expert Randy Trzeciak explains why non-malicious insiders, particularly developers, pose as much risk to an enterprise as intentionally malicious insiders.
  • canderson

    Insider threat prevention controls to thwart data breach incidents

    VIDEO - deo: Randy Trzeciak reviews recent data breach incidents and details the insider threat prevention controls that may have thwarted those attacks.
  • Password reuse and password sharing prevalent in enterprises

    News - The high percentage of password reuse and sharing by employees leaves enterprises vulnerable to breaches, according to a recent survey from SailPoint Technologies.

    ( Feb 18, 2015 )

  • social engineering attack surface

    Definition - Social engineering attacks usually take advantage of human psychology: the desire for something free, the susceptibility to distraction, or the desire to be liked or to be helpful. The social engineering attack surface is the totality of an individual or a staff’s vulnerability to trickery.
  • Android vulnerability highlights Google's controversial patch policy

    News - WebView vulnerabilities in older versions of Android are putting the majority of Android devices at risk. Google will not provide patches, forcing enterprises to determine the risk posed by unpatched Android devices.

    ( Jan 19, 2015 )

  • Cybersecurity awareness can reduce infection risk up to 70%

    News - A new study from Wombat Security and Aberdeen Group shows that boosting cybersecurity awareness and education among employees can reduce enterprise security risks and cost.

    ( Jan 14, 2015 )

  • social engineering

    Definition - Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: