Chertoff advocates cyber Cold War

Chertoff advocates cyber Cold War

Summary: Governments need to agree 'rules of the road' for cyberattacks and cyber espionage similar to those for Cold War-era nuclear deterrence, according to the former US secretary for Homeland Security

TOPICS: Security

Governments should formulate a doctrine to stave off cyberattacks similar to the Cold War-era principle of nuclear deterrence, according to former US Department of Homeland Security secretary Michael Chertoff.

'Rules of the road' for dealing with cyberattacks should include agreed principles on how to react to sustained cyberattacks on critical national infrastructure, Chertoff told a press conference at RSA Conference Europe on Thursday. "[President Eisenhower's workshopping exercise] Project Solarium gave us the theory of deterrence, where rules of the road were clearly understood," he said. "An attack on the US or its allies with a nuclear weapon would be responded to with overwhelming force."

Chertoff told ZDNet UK at the conference that cyberattacks on critical national infrastructure could put thousands of people at risk. "I can envision attacks with catastrophic consequences, with serious loss of life," said Chertoff. "If someone took down an air-traffic control system, we would have devastating loss of life."

Read this

Siemens: Stuxnet infected 14 industrial plants

The malware, which targets software used by critical infrastructure companies, has infected industrial systems in Germany, but the UK appears to have escaped

Read more+

Chertoff said countries should be able to respond to cyberattacks "with overwhelming force". He conceded to ZDNet UK that ultimate attribution was difficult for cyberattacks, but said nation states should be able to act against technologies in countries being used as a platform for attack, regardless of whether that country itself is behind the attack.

"If you have a persistent series of attacks on critical national infrastructure, then you could make the argument that incapacitating the platform used to attack is something that you have to do," Chertoff told ZDNet UK. "If you take the rule that attacks against critical infrastructure enable you to take action against that proximate platform, that would give countries an incentive to take action to secure their platforms."

Policy-makers' lack of appreciation of technical considerations has led to cybersecurity policy not making adequate progress, according to Chertoff, who is now a security consultant.

"[Cybersecurity] is not a theoretical problem, this is a real problem," said Chertoff. "If we don't address this, then one day we'll have an event so catastrophic that it's difficult to shrug off."

National Air Traffic Services (Nats), the UK's main air-traffic control authority, told ZDNet UK on Thursday that it regularly reviews the security of its software and systems. "We are aware of the increasing threat posed to cybersecurity and our countermeasures are reviewed accordingly," said a Nats spokeswoman.

Successful attacks on air-traffic control systems are feasible, security expert and author Ira Winkler told ZDNet UK on Thursday. "The fact is that information security was never designed into air-traffic control systems," said Winkler.

Winkler pointed out that air-traffic systems were open enough to hand data over between different air-traffic control authorities, and that in the US a number of system updates had failed. He added that it was theoretically possible to break into databases that pinpoint the position of planes, and alter the data.

"You can manipulate the background databases, and air-traffic controllers won't see anything [amiss]," said Winkler. "It's not easy, but not impossible."

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • He wants a cyber security firewall. Similar to the sea-wall around New Orleans. He wants to be in charge of that sea-wall, and if it breaks, he will be the King Canute figure and declare war on the sea, which he says is the way to prevent flooding.

    But first he need to convince people to build their cities on low ground next to deep water, so he can justify his sea-wall. This is because he's a lobbyist for the sea-wall industry.

    But I think we just should NOT put critical systems on low ground below sea level next to the sea.

    And we don't go connecting critical systems to public networks. Because that would be dumb. Technically incompetent, and criminally negligent.

    I don't need your sea wall, if we're not stupid enough to be next to the sea on low ground, and I think that if we are that dumb, and declaring war on the sea doesn't fix it.

    It's like saying the Irish sea won't flood if we attack Ireland. Or the McKinnon won't take a look at our server if we attack Britain. It's just mindless words said by talking heads.
  • Oh, I say, well payed sir!
  • Or even well played sir!