What, when and where?
A proposed Cybersecurity Act of 2012 was voted down in the U.S. Senate this week. The aim of the bill, according to John Brennan, the president’s assistant for homeland security and counterterrorism, was to:
- Improve the sharing of information about potential cyber threats between government and private industry;
- Improve the protection of infrastructure (electricity, water);
- Improve funding and oversight of cybersecurity via the Department of Homeland Security;
Republican senators voted the bill down on several grounds, including that it allowed for too much government regulation and surveillance, and that private industry could do a better job than government. This caused an outcry among liberals nationwide (this Huffington Post blog post by Dave Aitel sums up the mood).
The merits and demerits of the actual wording of the bill notwithstanding, I think it is both irresponsible and unthinking to ignore the real and growing threat of cyberwar.
There are many ways in which the internet changes the nature of war, but two of them are particularly relevant here.
First, the anonymity of the internet and the difficulty in tracing malware back to its original source means if you are attacked, you may not know your enemy. You may mistake your enemy. You may mistake the threat.
Second, you don’t need an army or heavy weapons in order to engage in cyberwarfare. Compared to the expense of traditional warfare, you don’t need a huge budget. The U.S. government currently spends around $4 billion a year on cyber warfare, which sounds a lot until you compare it to an overall defense budget of between $1 and $1.4 trillion (according to Wikipedia). As Lin, Allhoff and Rowe point out in their article in The Atlantic entitled “Is It Possible to Wage a Just Cyberwar”?:
A target in cyberspace is more appealing than conventional physical targets, since the aggressor would not need to incur the expense and risk of transporting equipment and deploying troops across borders into enemy territory…
This means that it is not only governments who can afford to engage in cyberwar. Acts of online sabotage by individuals and small organizations may be called cyberterrorism rather than full-blown cyberwar, but they can be just as harmful to the target – and the consequences may be unknown, even by the perpetrators.
Moreover, a large, well-organized and properly funded organization or network (such as Al Qaeda) could potentially engage in cyberwar with a government or even a collection of governments.
These two factors lead to a situation where the blind are fighting the blind. In his fear and ignorance, each side thinks the other can see better than he, and has more sophisticated weapons than he.
In this situation, the one-eyed man is king.
We need to see more clearly in this dark, dangerous world. We need to keep our digital eyes open for potential threats. We need to see what tools our blind attacker has in order to avoid them.
As a libertarian I hate to say it, but we do need surveillance and joined-up thinking in order to protect ourselves and our critical infrastructure against cyber attack. We need some sort of Cybersecurity Act.
What’s next? Defense or offense?
The world may go many ways, but ultimately we cannot avoid cyberwarfare. The question is whether to take a purely defensive stance or whether to use cyber techniques to attack other countries, either covertly or openly as an act of war.
With our society becoming increasingly dependent upon technology and communications systems, and with sensitive information being made available in electronic format, there is no question that we need to protect ourselves against cyber attacks. Cyber attacks could easily disrupt electricity, communications and food supply networks, which would lead to not only governments and armies but to civilians suffering. As this excellent report in The Economiststates:
“Modern societies are ever more reliant on computer systems linked to the internet, giving enemies more avenues of attack. If power stations, refineries, banks and air-traffic-control systems were brought down, people would lose their lives.”
Air Force Col. Robert Garland, is quoted in the Wall Street Journal as justifying cyberwarfare as a tool of defense: “We have to be able to succeed against an enemy that wants to attack us in any way.”
However, the U.S. government appears to be making cyberwarfare a part of their military (rather than purely defense) strategy. In June, the first graduates of a new U.S. Air Force cyberwarfare course emerged, trained in how to hunt down electronic intruders, defend networks and launch cyberattacks. Robert Garland’s colleagues are more explicit about the aggressive angle: Lt. Col. Bob Reeves is quoted in the abovementioned article explaining that: “Our curriculum is based on attack, exploit and defense of the cyber domain.”
This talk is frightening. Aggressive cyberwarfare is tempting for cash-strapped governments and politicians who wish to pander to the public, since as Lin, Allhoff and Rowe rightly point out: “With cyberweapons, a war theoretically could be waged without casualties or political risk, so their attractiveness is great – maybe so irresistible that nations are tempted to use them before such aggression is justified.”
However, nobody knows enough about the potential consequences of releasing malware onto the internet. And if we stab blindly in the dark, we are only encouraging our opponents to stab blindly back.
People, probably innocent civilian bystanders, are going to get hurt. That is why we need to focus not so much on cyberwar but on cybersecurity – of defending ourselves against digital attacks, rather than on attacking others.Google+