Schneier also says that the war metaphor could affect the determination of who protects the networks that make up the Internet. Should it be the network owners or the government?
Again, in the real world, you are responsible for deciding what locks or alarm systems you want to buy for your own home; the police don’t supply you with a standard state-issued security system. Presumably, the more you value security or the more you have to protect, the more you’ll invest. But the decision is left to us as individuals. We make the decisions that are right for us, and we end up with the right amount of security. When it comes to securing the nation, however, we don’t get a choice, we get the U.S. military.
Even when the attackers may be foreign states, we should be careful with our response. A recent pronouncement from the Pentagon acknowledges that the U.S. reserves the right to use military force in response to a cyber attack. But according to cybersecurity researcher James A. Lewis, “The strategy sets a very high threshold that is derived from the laws of armed conflict for defining a cyber attack. Nothing we have seen this year would qualify as an attack using this threshold.”
That is, there is the possibility of a cyber attack so severe that it could result in casualties, thus qualifying as an act of war, but it is extremely rare and unlikely. That fact doesn’t stop the rhetoric in public debate, however.
For example, a distributed denial of service (DDoS) attack is an unsophisticated attack that prevents visitors from reaching a website. Some even refer to it as a legitimate means of political protest, much like a sit-in that prevents access to a building. Others say it’s more akin to vandalism, even if politically motivated, like when animal rights activists super-glue a lab’s locks, preventing access. In either case, we don’t talk about it in terms of war because the stakes are not that high.
State-sponsored cyber espionage is a real concern, but even then, the war metaphor does not apply. Countries spy on each other all the time; it’s an understood fact of foreign relations. When it is uncovered, it is not cause for war. It is instead treated as a crime.
So maybe we should ease up on the war rhetoric. While we should realize that government networks and private networks need to be better secured, we shouldn’t panic. We should coolly examine where there is a role for government or military, and where the private sector is better equipped to meet the threat. What we should not do is make policy out of fear.