July 1, 2010
The rhetoric of cyberwar is heating up.
There's been a war of words lately over the meaning of war-specifically, cyberwar. What is it? How do we recognize it? When it happens, what's the appropriate response? These aren't academic questions. As the Defense Department stands up a new Cyber Command, the definition of war in the ungovernable expanse of the Internet is a fundamental problem, still unanswered.
Among the technological cognoscenti, two camps are taking shape, and their critiques and counterpoints-played out in blog posts, Twitter streams and op-eds-are giving way to personal invective. One camp holds that the United States is engaged in cyberwar right now, and it's losing. This war is being fought against shadowy hacker groups, some of which are employed as proxies by the United States' main strategic rivals, China and Russia. Every day, they make thousands of attempts to penetrate government and corporate computer systems. Those who ignore this persistent threat do so at the nation's peril, as hackers continue to steal vital information and disrupt operations.
The other camp holds that while malicious activity permeates cyberspace, the "cyberwar" label was cooked up by former government officials who now work for security consulting firms. They're in line to receive the billions of dollars in cyber defense spending forecast for the public and private sector in the next few years, and so these cyber Cassandras have an incentive to promote fear and obscure reality. They stand ready to ignite a cyber arms race by refashioning criminal hackers as marauding Internet soldiers.
What's missing from this debate is a better sense of what the real nature of a cyber threat is. Cyberwar is a legitimate term. But it's only narrowly applicable. In the United States, it describes computer-based attacks by the military on the computer networks of its adversaries to cause harm in the real world. That latter point is essential. In 2007, the military hacked into the cell phones of insurgents in Iraq in order to send them misleading text messages that lured them into traps. Ask the military's cyberwarriors how they view what they do, and they'll tell you a computer is a weapon, but not a lethal one on its own. The entire point of cyberwar is to cause some damage in the offline world. v Cyberwar is the wrong term to use when describing the thousands of attempts each day to steal information from sensitive government and corporate computer networks. This is espionage, plain and simple. When Google accused hackers in China of pilfering the company's trade secrets, that really was an allegation of industrial spying. When U.S. officials are warned not to carry any sensitive information on their laptops or phones when traveling in China-and preferably to leave all their electronic equipment at home-they're being schooled in counterintelligence. To call this "warfare" offers no remedy. What is the United States supposed to do when the Chinese government steals from an American company. Bomb Beijing?
The war of words over cyberwar is an important debate. But it's time to step back and take a deep breath. The distinction between war and espionage is only a first step, but it takes us in the right direction.
The Watchers: The Rise of America's Surveillance State. He covered intelligence and technology at Government Executive from 2001 to 2005.
July 1, 2010