"Sony leaks could lead to full-scale cyberwar," screeched a headline on The Australian's website on Wednesday morning. It was a piece by Rhys Blakely from The Times. "North Korea appears to be under cyberattack, days after President Obama pledged to respond to a devastating hack of Sony Pictures," he wrote.
"Experts were asking whether an episode that began when Sony revealed that it had been hacked last month was about to escalate into an all-out cyberwar ... South Korea said on Monday that its nuclear plant operator had been hacked, providing a sobering reminder of the stakes in a new era of cyberwarfare."
A new era of cyberwar? No, it's worse. An "all-out cyberwar".
Blakely isn't alone in this cyberwar hype.
"It looks like the great cyberwar with North Korea has begun, at least by proxy," wrote Sean Gallagher at Ars Technica. "If what was done to Sony Pictures Entertainment was in fact North Korean-directed cyber terrorism, it was extremely effective," he wrote, quoting terrorism expert Steve Sin as saying these cyber terrorists have been extremely effective.
"By a terrorist doing something, and us responding to it, the terrorist has already won," Sin said.
Over at cllbr, Frederic Guarino pondered whether the Sony hack represents "cyberwar's Pearl Harbor". "It's of course unclear at this point," he wrote -- which is fair enough, given there's no agreed definition of what actually constitutes a cyberwar, let alone a definition of what it means for something to be something else's Pearl Harbor.
Maybe matters would become less unclear for Guarino if he used words with established, concrete meanings.
Let me help.
First, rather than going down the rabbit hole of attempting to define "cyberwar", let's just focus on the "war" part.
Two years ago, Thomas Rid, professor in security studies at King's College London and author of the book Cyber War Will Not Take Place, told the Patch Monday podcast that war studies folks don't even count something as a war until 1,000 people have been killed. So far, nothing that's ever been labelled "cyberwar" has come close. Not even remotely.
"There has never been a casualty, there's never been significant damage that would compare with a conventional act of war. Because of that lack of physical impact so far, I think the term 'cyberwar' has still somewhat of a metaphorical quality. It's more like the War on Obesity or the War on Drugs," Rid said.
So much of the reporting fails to distinguish between the literal and metaphorical usages of "war". Calling an attack part of a "cyberwar" doesn't mean that a military or even a national response is required, no more than calling something the War on Obesity means that the air force can start napalming all the fat people. Although now that I think about it...
Second, people throw around the "cyber Pearl Harbor" line just a little bit too easily. In my view, for an attack to be comparable to the actual 1941 attack on Pearl Harbor, it would have to come without any indication that an attack was likely, and result in a devastating reduction in the nation's ability to defend itself.
Needless to say, neither of those apply to the Sony attack. It may have come as a surprise that North Korea was allegedly the attacker -- allegedly, because the jury is still out, although the evidence is getting stronger -- but we all know that every enterprise is under attack every day.
While Sony certainly took a hit -- a serious one that's likely to cost it another few hundred million dollars -- so far we're not seeing much evidence that the company has lost its ability to wage film-making. That may change, however.
So to answer Guarino's question: No, this was not "cyberwar's Pearl Harbor". Get a grip.
Which leads me to my third and final point, Blakely's line that "North Korea appears to be under cyberattack". We see this sort of thing scattered throughout the media every time there's a cyber story, like so many raisins in a Christmas pudding. And it's stupid.
Of course North Korea is "under cyberattack". Everyone on the internet is under attack, every single day of the year. Even my own modest pieces of the internet were "under attack" more than 20 times while I was writing this column. It's a completely useless statement -- unless it's qualified with some sort of description.
In this case, the description would be that North Korea's single international internet link is being hit with a distributed denial-of-service (DDoS) attack. "Experts estimate that only a few thousand people have access to the internet in North Korea, a nation with a population of about 25 million," Blakely wrote. In other words, it's the sort of thing that anyone with a few hundred dollars and a credit card could organise. In summary, so what?
None of this is intended to dismiss the scope and impact of Sony's data breach. It's a custard duck of fabulous proportions. This will be the standard case study in every infosec slide deck for years to come. But let's not turn it into something it's not, and it's not "cyberwar".
However, there are, of course, powerful motives for people to talk up the "cyberwar" aspect. For the media, it's the attention that leads to traffic that leads to revenue. For the military-industrial and information security industries, it's also about revenue -- because the more scared people are, the more defence technology they'll buy, and the fewer difficult questions they'll ask.