Research by: Steven Elliott
Date: 07/25/2010; Final Version: 8/14/2010
TEASER/TITLE: Cyberwarfare: Fact or Fiction
“There is no cyberwar,” stated Howard Schmidt, the cybersecurity czar for President Obama; however, in a Washington Post article, Michael McConnell, the former Director of the National Security Agency (NSA), wrote that “the United States is fighting a cyberwar today, and we are losing” (Singel 2010, McConnell 2010). These contrasting statements represent a critical quandary in the cyber security field: whether or not cyberwarfare exists. The opposing sides are adamant that they are correct and wish to implement different security strategies dependent upon their beliefs. The conflict is not disputing the vulnerability of the United States’ network infrastructure or cyber attacks on numerous corporations and nations but rather the definition of cyberwar. Both camps cite a wide variety of evidence to support their drastically differing opinions, but both will need to come to a consensus in order for the U.S. to work towards a more secure future.
· The cyber security community is divided on the definition and implications of the term “cyberwar”.
· Experts that do not believe war can be fought entirely in cyber space argue that government and military expansion into cyberspace would cause massive privacy violations.
· Some cyber security experts desire the capability to retaliate if there were a cyber attack on the U.S.
· The government and military have already started moving towards an expansive definition of cyber space with the creation of Cyber Command, the NSA’s Perfect Citizen program, and the new bill asserting that protecting cyber space is a national asset.
Cyberwar has created a division amongst information security specialists – not regarding the existence of cyber attacks but rather the term itself.
WHY THE TERM “CYBERWAR” CONCERNS EXPERTS:
Those opposed to the term “cyberwar,” such as Bruce Schneier, a cyber security expert, claim that “if we frame the debate in terms of war, we accept the military's expansive cyberspace definition of ‘war’” (Schneier 2010).
The author of Inside Cyberwarfare, Jeffrey Carr, believes that a war cannot be fought entirely in cyberspace, but rather that cyber warfare techniques are a tool that the military can use to gain the advantage in a conflict (Greenberg 2010). In short, he does not believe that any type of war occurs until “metal is flying through the air” (Greenberg 2010).
Richard Stiennon defines cyberwar as “using networks and computers and applications and the people that run them coincident with more traditional means of warfare, such as invasion and missile launches” (Chabrow 2010).
Carr, Schneier, Stiennon, and many other cyber security experts are concerned that the NSA and the military will overstep privacy boundaries if all cyber attacks are considered to be cyberwar.
Marc Rotenberg, the executive director of the Electronic Privacy Information Center, states “Our argument is that we have to be very careful about allowing a single, secret, unaccountable government agency, which has been fighting for 25 years to take control of Internet security, to become the dominant authority for the Internet, which is what will happen if you accept the proposition that the threat of cyberwar has not been grossly exaggerated” (Rotenberg 2010).
WHY USING THE TERM “CYBERWAR” MAY BE APPROPRIATE:
Richard Clarke, the author of Cyberwar, also believes that cyberwar has begun and that the U.S. should start preparing.
NATO has formed a Cooperative Cyber Defence Center of Excellence in Estonia in response to cyber attacks on that nation. Israel, China, Russia, and the U.S. are only a few of the nations that have formed special military units to respond to cyberwarfare.
On June 8, 2010, ABC hosted a debate about the statement “The Cyberwar Threat Has Been Grossly Exaggerated”; the consensus among the studio audience was that the threat of cyberwar has not been exaggerated.
o Pre-debate: Yes (Exaggerated) 24%, No (Not Exaggerated) 54%, Undecided 22%
o Post-debate: Yes 23%, No 71%, Undecided 6%
Many other security experts, including Mike McConnell, the former Director of the NSA, claim “the effects of full-blown cyberwar are much like nuclear attack[s]” (The Economist 2010).
o “In a nation as free and as wonderful as ours is, leading the world in human rights and privacy and civil liberties, it's getting the debate framed right to mitigate the risk, to protect the nation consistent with our values and our laws” (Mike McConnell, 2010).
STRATEGIC PLANNING ASSUMPTIONS
· The NSA will start to “detect cyber assaults on private companies and government agencies running [sic] critical infrastructure” with a new program entitled “Perfect Citizen” (Gorman 2010). This program demonstrates that the government believes that cyberspace defense is within its jurisdiction.
· New U.S. legislation could be implemented to ensure that the government takes responsibility for cyber attacks. For example, the ‘Protecting Cyberspace as a National Asset Act of 2010’ (S.3480) is a bill introduced to Congress in June 2010 (Continuity Central 2010).
· Congress and the U.S. military will ultimately need to define cyberwar and the consequences of cyberwarfare attacks on the United States.
· Regardless of the definition of cyberwar, thousands of attacks are being deployed on the private sector and government networks. These important networks will need to be secured (as much as currently possible) or cyber attacks will result in the loss of sensitive data.
The differing opinions concerning cyberwar represent a challenge for security professionals. Some private sector companies may believe that the government should be responsible for securing cyber space and, in turn, slacken security procedures. Other companies may benefit greatly from the cyberwar hype by receiving millions of dollars in government contracts (Schneier 2010). Many of those opposed to cyberwarfare point out that Mike McConnell is an Executive Vice President with cyberwar contractor Booz Allen Hamilton (Doesburg 2010). The constant argument over cyberwar will not likely disappear. Those who believe that there is a cyberwar will highlight the attacks on Estonia, Georgia, South Korea, the United States, Google, and Lockheed Martin and argue that the government should prepare itself for cyberwar. On the other hand, those opposing the concept of cyberwar argue that nationalist hackers could have performed many of those attacks, that blocked websites are simply an annoyance, and that stolen data is actually espionage, not war.
While the definition of cyberwarfare is still a hot debate topic, the cyber security community agrees that gaping holes in the United States’ network infrastructure need to be fixed.
Bruce Schneier noted that “the threats are real; the threats are serious; cyber space is not a safe place” (Schneier 2010).
General Keith Alexander, the Director of the NSA, Commander of the U.S. Cyber Command, and a proponent of the cyberwar concept, stated that “looking at a nation’s perspective, what’s on those networks that we have got to secure? Well it’s our intellectual property, it’s the future of our country, it’s the future of our industry, [and] it will make up the future of our nation. We have got to protect it.” (Alexander 2010).
There is a clear consensus that U.S. networks are unsecure and the government, private industries, and private citizens need to work towards securing their networks and avoiding unsafe Internet practices. The cyber security community understands the potential threat to the U.S., but in order to move towards a comprehensive cyber security strategy, the cyber security community must come to a consensus on the definition of cyberwar.
· The cyber security community will need to continue to define and reach consensus on the term “cyberwar”. Definitions and industry standard protocols will focus the community on fixing unsecure networks.
· The United States needs to create a comprehensive strategy for securing its networks.
· Private corporations, especially those involved with critical infrastructure, must focus on improving cyber security.
· The government should take responsibility for cyber warfare but should also avoid massive violations of privacy.
· Educating Internet users in basic security practices will help reduce the risk of a successful cyber attack.
Alexander, Keith B. "Video: Cybersecurity Discussion with General Keith B. Alexander, NSA Director, Commander Cyber Command." Speech. Center for Strategic and International Studies. 3 June 2010. Web. 28 July 2010.
Chabrow, Eric. "Defining, Surviving Cyberwar." Government Information Security News, GovInfoSecurity.com. 26 May 2010. Web. 28 July 2010.
"Cyberwar: War in the Fifth Domain." The Economist. 1 July 2010. Web. 28 July 2010.
Doesburg, Anthony. "Anthony Doesburg: Cyberwar? It's a Phoney War, Says IT Expert." NZ Herald. 2 Aug. 2010. Web. 03 Aug. 2010.
Gorman, Siobhan. "U.S. Program to Detect Cyber Attacks on Infrastructure - WSJ.com." The Wall Street Journal. 8 July 2010. Web. 28 July 2010.
Greenberg, Andy. "The Real Meaning Of Cyberwarfare." Forbes.com. 3 Mar. 2010. Web. 28 July 2010.
McConnell, Mike. "Mike McConnell on How to Win the Cyber-war We're Losing." Washingtonpost.com. 28 Feb. 2010. Web. 03 Aug. 2010.
"New Cybersecurity Bill Introduced in US." Continuity Central. 15 June 2010. Web. 28 July 2010.
Rotenberg, Marc, Bruce Schneier, Mike McConnell, and Jonathan Zittrain. "The Cyber War Threat Has Been Grossly Exaggerated." Debate. Intelligence Squared U.S. 8 June 2010. Web. 28 July 2010.
Schneier, Bruce. "The Threat of Cyberwar Has Been Grossly Exaggerated." Schneier on Security. 7 July 2010. Web. 28 July 2010.
Singel, Ryan. "White House Cyber Czar: ‘There Is No Cyberwar’." Wired News. 4 Mar. 2010. Web. 28 July 2010.