Security professionals need to take a hard look at the “spirit of the times,” the ideological atmosphere that surrounds us and our clients, and take a step back.
A most concerning part of the current scenario is that the presumptions around so-called “Cyber war” are taking hold, and slowly becoming part of “reality.” In general conversations about Security, it is not unusual to have this term applied indiscriminately as if it were not only adequate, i.e. corresponding to some real aspect of the world, but also as if the Security professionals had some sort of technical or advisory role in such a situation.
Even worse is the case when the assumed “Cyber war” is seen as an “opportunity” for Security consultancy, something that is a very debatable point. Less debatable is the fact that the general acceptance of “Cyber war” also seems to know who the enemy is and how to combat it.
Generic terms cause damage because they blur critical distinctions. So, for example, while it would be acceptable rhetoric to speak of “war against crime and fraud,” it is not so clear that there is strictly speaking a “war” against such problems. Using the term “war” in this context, leads to false perceptions in the public and the political debate, and ultimately to false solutions.
If it is a “war,” does it mean that fighting online bank fraud and other forms of crime is a matter for the military? Is it really a “war” if the objective is to impose civil penalties and economic barriers to such activities? Also, if one of the main criminal activities is industrial espionage, why would the correct answer be to have similar espionage programmes or perhaps an even more disruptive “penetration” of other nation´s networks?
Where does war begin and when will it end?
A light approach to these matters would ignore the fact that there are many Security experts who are opposed to this semantic confusion. People like Bruce Schneier, Ross Anderson, Peter Singer, and Thomas Rid have argued in very convincing ways that the threat of “Cyber” is being hyped and does not correspond to reality.
For example, Thomas Rid shows that all registered “cyber-attacks” never fit all characteristics necessary to classify them as acts of war: violence, instrumentality and political goal. In fact, he shows that cyber-attacks have always been done for espionage, sabotage or fraud, a “grey area” between war and criminality. Rid´s book is aptly titled: “Cyber War will not take place” (See: Journal of Strategic Studies, Vol. 35, February 2012).
Bruce Schneier has also shown how political struggles have generated alarming stories about Cyber-threats, and hacking, espionage and theft have been framed as acts of war. (See: “Threat of Cyber war has been hugely hyped,” CNN, July 8, 2010)
Not less convincing has been Professor Ross Anderson, who, cataloguing the costs of cybercrime shows that these come largely from the measures taken to “protect” the presumed targets, and suggests that the resources used in this area should be applied instead on finding and arresting the cyber-criminals. (See: Ross Anderson et al. “Measuring the cost of Cybercrime,” Workshop on the Economics of Information Security. June 2012.)
If these authors and arguments are not convincing, we should perhaps hear Howard Schmidt, ex-Microsoft Security Chief and White House Cybersecurity Coordinator, who in a Wired magazine interview in 2010 said: “There is no Cyber war. I think that is a terrible metaphor and I think that is a terrible concept. There are no winners in that environment.” Schmidt called instead for more efforts to fight online crime and espionage.
Now, even if we don´t want to hear these voices and arguments, we can still rely on our own analysis and conscience to arrive at a proper conclusion. For example, even if we assume that “Cyber war” is taking place, we should be certain that war is never an innocent affair or a “Hollywood-like” story where people are bad or good and it is “evident” who has to lose.
Do you remember the Mandian report purporting to show a vast Chinese spying operation? Do you remember that weeks later we had the Snowden revelations? In both cases we saw evidence of industrial espionage, and state actors involved in it. Nevertheless, were those revelations evidence of a “war”? And, if a “war” were declared, what would be the casus belli?
War, I repeat, is not an innocent affair, on any side; even on the side we might believe to be “on the right.”
As Security professionals out fundamental obligation is to protect the assets of our clients, but, as a medicine doctor would do, the primary rule would be “First, do not harm the patient,” as in the Hippocratic Oath. And we would tragically “harm the patient” if we confused the terms and blurred the boundaries between the actual problem and some politically charged fantasy story.
I am on the side of those who reject the rhetoric of “attack” and “defence” precisely because this harms our perception and misdirects the solutions. There is no Cyber-scenario where some cyber-weapons can be deployed against others, or where nations and organisations can “go to war.”
The Internet, with all its spaces and sub-spaces is but part of the global reality, and there are always human actors involved in acts of crime, espionage and fraud. The economic, political and truly social networks underlie the “virtual” social networks of the “connected” world; therefore, any real “war” in the Cyber realm would be a real war in the World.
Here is where our ethical compass should kick in: if we do not want global war, why would we indulge in unwarranted chatter about Cyber war?