Cyber-War Is an Overblown Non-Threat

24 Oct 2012

In the first part of today's special feature Bruce Schneier argues that cyber-war is an overstated concept, both in terms of rhetoric and public perception.

Yesterday, Mihoko Matsubara outlined how nation-states are increasingly using their offensive cyber-warfare capabilities to disrupt the interests and activities of their adversaries. According to Matsubara, the Stuxnet attack on Iran’s nuclear facilities points to a future in which cyber-war will be increasingly waged either alongside or in replacement of conventional capabilities. However, other experts disagree. They contend that the growing importance of cyber-warfare has been overhyped. In their view, it is extremely difficult to define just what constitutes a cyber-war. When does it start and when does it end, they ask. Who perpetrates it and why? These questions remain, as they always have, inherently difficult to answer.

As a result of such difficulties, the security technologist and author Bruce Schneier contends that we have not entered a cyber-warfare age. Instead, we are just seeing distinctly cyber-centered conflicts increasingly rely on war-like tactics. Moreover, because of the broader availability of and access to these particular tools, cyber-conflicts are fast becoming ‘democratic’ – i.e., given the right materials, non-state actors have the potential to inflict as much damage in cyberspace as traditional armed forces. For these reasons and more, it remains difficult to accurately assess the true nature of cyber-warfare without overhyping certain factors over others.

To support his thesis, which he laid out in a lecture given at the InfoSec Conference 2011, Schneier provides examples of the types of events that have been widely perceived as acts of cyber-war. These include denial-of-service attacks on Estonian government websites in 2007 and similar activities that occurred in the build-up to Russia’s invasion of Georgia in 2008. While Russia was immediately blamed for these attacks, in both cases the source or precise purpose behind them remains ambiguous. According to Schneier, this demonstrates just how easy it is to exaggerate the supposed threat of cyber-warfare.

In the second video, Schneier provides further examples of cyber-activities that might be misperceived as acts of war. These include the deployment of Ghostnet, a surveillance network that spied on a veritable who’s who of those the Chinese government allegedly wanted to monitor. But while Ghostnet’s targeting of specific dissidents implies that Beijing was responsible for its use, it remains uncertain whether the Chinese government was the sole perpetrator involved. Instead, Schneier believes that many cyber-attacks attributed to China are actually government-tolerated rather than government-sponsored. This, in turn, suggests that China plays host to a network of hackers who operate autonomously, but who nevertheless inform their government contacts when they find things of interest. Schneier argues yet again that these loose networks of state and non-state actors make defining and defending against acts of cyber-war difficult.

In the third video, Schneier discusses the concept of Advanced Persistent Threat (APT), which he argues underpins politically motivated hacking. It is this offensively minded type of threat, he argues, that is prompting governments across the world to make preparations for cyber-war. In doing so, however, they run the accompanying dangers of further militarizing cyberspace and forgetting that law enforcement agencies may be better suited to deal with cyber-conflicts than the military.

Finally, Schneier explores how future 'cyber' treaties may help to clarify what actually constitutes an act of cyber-war. Such treaties could, for example, define what constitutes an offensive cyber-action as well as spell out the appropriate rules for cyber-engagements. Schneier also considers whether cyber treaties could be used to identify what constitutes a ‘cyber force’ and who would be authorized, within a command and control system, to undertake cyber-war activities. In addition, cyber treaties could bring a degree of certainty to the early stages of a 'cyber arms race', thereby ensuring that cyber-war would continue to be seen as a relatively distant non-threat.
