RSA: Defining cyberwar is just as hard as fighting it
Are we in the midst of a cyberwar? And if we are, how do we go about "winning" it? Better yet, is a cyber war more like the "War on Drugs" or the "War on Terror" - wars that have no winner or loser and no end?
Cyberwar was the center-stage topic of the afternoon keynote at the RSA Conference in San Francisco today. And experts who know a thing or two about security - including Michael Chertoff, the Secretary of the U.S. Department of Homeland Security from 2005 to 2009 - were on stage to debate the significance of cyberwar and cybersecurity.
There was a general agreement that the word "cyberwar" is a scary word, largely because it's too encompassing. Consider the Google hacking attack out of China that made headlines in early 2010 as an example. Was that attack the result of a cyberwar? Or was it an act of espionage? Maybe it was just a bunch of students in China trying to make some sort of political statement.
The distinctions are important because they address the first obstacle in knowing whether or not a cyber attack should even be considered an act of war. Chertoff says we're not in a cyberwar now but that "we'd be foolish not to recognize that we could find ourselves in one." Certainly, a physical war in the 21st Century is sure to have a cyber element - but how major does that have to be? Chertoff said something that destroys a major system - such as taking down the electrical grid - would be an act of cyberwar. But can the act of spreading a virus through email spam really be in the same category?
And therein lies one of the biggest problems in the U.S. as a it relates to being prepared for the cyberwar. We're not prepared. Networks aren't secure. Companies and individuals treat network security - even something like putting a password on their WiFi networks - with a cavalier attitude.
So what's the answer? Legislation or policy out of Washington that regulates network security. Can you imagine a TSA for the Internet? Such a suggestion generated a lot of laughs from the keynote audience. But think about it.
If the U.S. faced a major cyberattack - one that took down the electrical grid and resulted in loss of life or one that attacked the banking system and led to an economic emergency, wouldn't there be an expectation for the government to step in. At that point, the question becomes: what is the government authorized to do and, more importantly, what is it capable of doing?
So where does that leave us? Panelist Mike McConnell, Executive Vice President at Booz Allen Hamilton, suggested that, unfortunately, we're just waiting for something bad to happen so we can react. We might get the legislation right, McConnell said, but "odds are we'll wait for a catastrophic event to occur and then we'll overreact."
But before we start getting into a panic about our cyber-readiness for a cyberattack in a cyber war, panelist Bruce Schneier, Chief Technology Security Officer for BT, warned that we are not just sitting back, waiting for something bad to happen. He said:
There are an enormous amount of things being done securely on the Internet. I don't think we're stuck. I think we're getting better every year.
And for those that don't believe it, consider that there are thousands of people in San Francisco this week having these discussions, showcasing their solutions and partnering to make the Internet safer.
Related coverage: