Online security risks have become increasingly prevalent with the likes of Anonymous and LulzSec continuing to expose the sorry state of corporate network security, and policymakers are clamoring to “do something” to address the threat. Unfortunately, there is a tendency in Washington to employ the rhetoric of war when talking about cybersecurity, which is a very dangerous tendency.
For example, in a Washington Post op-ed today, Senators Lieberman, Collins and Carper argue for cybersecurity legislation, saying, “The alternative could be a digital Pearl Harbor — and another day of infamy.”
Their comments are not unique.
At his confirmation hearing last month, Defense Secretary Leon Panetta said that the “next Pearl Harbor we confront could very well be a cyber-attack.” Armed Services Committee Chairman Carl Levin has said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” And Bush administration cybersecurity chief Michael McConnell has famously warned that the United States “is fighting a cyber-war today, and we are losing.”
However, while the security problems recently making headlines are no doubt serious, they do not amount to war. War means tanks and bombers and mass casualties and buildings destroyed. War can threaten a nation’s existence. Yet despite what Sen. Lieberman and company say, there’s nothing to suggest that the cyber threats we’re confronting today are anywhere near as dangerous as World War II or the A-Bomb.
The problem with the war metaphor is that treating a cyber attack as an act of war, rather than a crime, invites a different governmental response. In the offline world, vandalism, theft, and even international espionage are treated as crimes. When you detect them, you call law enforcement, who investigate and prosecute and, most importantly, do so while respecting your civil liberties. In war, these niceties can go out the window.
War changes the options available to government, says noted security expert Bruce Schneier. Things you would never agree to in peacetime you agree to in wartime. Referring to the warrantless wiretapping of Americans that AT&T allowed the NSA to conduct after 9/11, Schneier has said, “In peacetime if the government goes to AT&T and says, ‘Hey, we want to eavesdrop on everybody,’ AT&T says, ‘Stop, where’s your warrant?’ In wartime, AT&T says, ‘Use that closet over there, lock the door, and just put a do not disturb sign on it.’”
article continues on next page…
Schneier also says that the war metaphor could affect the determination of who protects the networks that make up the Internet. Should it be the network owners or the government?
Again, in the real world, you are responsible for deciding what locks or alarm systems you want to buy for your own home; the police don’t supply you with a standard state-issued security system. Presumably, the more you value security or the more you have to protect, the more you’ll invest. But the decision is left to us as individuals. We make the decisions that are right for us, and we end up with the right amount of security. When it comes to securing the nation, however, we don’t get a choice, we get the U.S. military.
Even when the attackers may be foreign states, we should be careful with our response. A recent pronouncement from the Pentagon acknowledges that the U.S. reserves the right to use military force in response to a cyber attack. But according to cybersecurity researcher James A. Lewis, “The strategy sets a very high threshold that is derived from the laws of armed conflict for defining a cyber attack. Nothing we have seen this year would qualify as an attack using this threshold.”
That is, there is the possibility of a cyber attack so severe that it could result in casualties, thus qualifying as an act of war, but it is extremely rare and unlikely. That fact doesn’t stop the rhetoric in public debate, however.
For example, a distributed denial of service (DDoS) attack is a unsophisticated attack that prevents visitors from reaching a website. Some even refer to it as a legitimate means of political protest, much like a sit-in that prevents access to a building. Others say it’s more akin to vandalism, even if politically motivated, like when animal rights activists super-glue a lab’s locks, preventing access. In either case, we don’t talk about it in terms of war because the stakes are not that high.
State sponsored cyber espionage is a real concern, but even then, the war metaphor does not apply. Countries spy on each other all the time; it’s an understood fact of foreign relations. When it is uncovered, it is not cause for war. It is instead treated as a crime.
So maybe we should ease up on the war rhetoric. While we should realize that government networks and private networks need to be better secured, we shouldn’t panic. We should coolly examine where there is a role for government or military, and where the private sector is better equipped to meet the threat. What we should not do is make policy out of fear.