RSA Conference: The Fog of Cyber-War
What exactly is a cyber-war, and are we in the middle of it?
Here at the RSA Conference, it depends whom you ask. A panel-featuring former Department of Homeland Security Secretary Michael Chertoff, security guru Bruce Schneier, former National Security Agency Director John Michael McConnell, and James Lewis, director and senior fellow of the Center for Strategic and International Studies' Technology and Public Policy Program-discussed Wednesday the murkiness of determining what constitutes cyber-war and how the government should respond was laid bare.
More than just mere wordplay, the meaning behind the metaphor of a cyber-war is relevant because it shapes thought processes about security and the proper response, Schneier contended.
"But when you invoke the war metaphor, you invoke a set of ways to think about security," he said. "When you invoke the crime metaphor, it's a different [one]. To the police, we are the public to protect; to the military, we are civilians to stay out of the way. And things you'd accept during a war, you wouldn't accept from the police. The police have more constraints. So whether it's warrantless eavesdropping or giving the president an Internet kill switch, whether we're at war or whether it's a police problem, you have different answers to those questions."
Cyber-war, he added, is a "sexier term" than cyber-attack, and in an age when cyber-commands are being created all over the world, the term can generate enough public concern to justify bigger budgets.
It helps to think of the issue in terms of a spectrum of consequences, Chertoff said.
"The reality is we are probably prepared to tolerate different levels of intrusion depending on the consequences," he said. "Now it's really bad when your IP (intellectual property) is stolen, but we, as Mike (McConnell) pointed out, we lived through the Cold War; we had spies. When we caught spies, we didn't treat it as if it required response with nuclear weapons."
At the other end of the scale, however, is an attack on the country's electric grid that results in a loss of life and serious damage to the American economy, he said. Preventing or mitigating that may take a higher level of government involvement, he said.
"So to me, you almost have to look at it as a spectrum of consequences, and then decide where the balance needs to shift in terms of the degree of government energy and perhaps changing some of the balances with other considerations," Chertoff said.
There doesn't have to be total consensus on cyber-war, McConnell said.
"We had a Cold War that allowed us to build a deterrence policy and relationships with allies and so on, and we prevailed in that war," he said. "But the idea is the nation debated the issue and made some policy decisions through its elected representatives, and we got to the right place. So rather than say hyping it for a particular personal benefit, or economic benefit, I would say it's a part of the discussion."
"I would like to think we are an informed society, [and] with the right debate, we can get to the right place, but if you look at our history, we wait for a catastrophic event," he said. "I'm hoping that doesn't happen. But if we have the right debate and the right dialogue with our representatives and make our case, we might get the right legislation, but the odds are, we'll wait for a catastrophic event and overreact."
To Chertoff, the government needs to lay out the basic legal and policy architecture to provide a framework to enable organizations to innovate securely. Regulation and liability concerns have gotten organizations to take security more seriously, the panelists agreed, but the right harmony must be found between government and private-sector efforts.
"I think the U.S. government today treats a clearance as a privilege when in my view it should be a commodity, if you are willing to subject yourself to a review and an oath and you're going to protect the information," McConnell said. "The government needs to share the information it has about the vulnerabilities that it understands. I think if we have more people cleared and more people involved in sharing that information and understanding it...I think it will cause companies to invest in capabilities that we're going to need."
There's no doubt cyber-war is going to be a domain of conflict in a war between nation states, and it may get to the level of terrorists being sophisticated enough to be involved, Chertoff said. Cyber-war, he said, is something that destroys major systems.
"That's not going to be dealt with by market regulation," he said, "and that poses the harder problem for everybody, which is: When you are facing an attack and it's under way and everybody turns to the U.S. government and says stop it, what is the U.S. government authorized to do, and what is the U.S. government capable of doing?"
Those capabilities, he said, must be built in advance, and that is "probably where we are going to have a little bit more controversy."