Is there an undeclared war raging in cyberspace?

Does apparently politically-motivated, possibly state-sponsored hacking in recent years constitute acts of war?

The attacks on Google and others in China last year, on Georgian and Estonian targets two years ago, on the Tibetan government in exile as reported in the recent Shadows In The Cloud report—are they cyberwarfare, or something else?

The question came up at the first Worldwide Cybersecurity Summit in Dallas, Texas earlier this month, where 400 security experts and industry leaders from dozens of countries met to palaver. The conference was sponsored by the EastWest Institute.

Some experts said yes, it’s warfare – call a spade a spade – some said no, the term is used too loosely and to no good advantage.

Larry Clinton, president and CEO of the Internet Security Alliance (ISA), who was at the summit as a presenter, says it may be the wrong question altogether.

Clinton and his organization, an inter-sectoral industry association dedicated to developing “a sustainable system of worldwide cyber security,” believe that a lot of issues related to Internet security, including this one, need a radical rethink.

To be fair, the question as raised at the summit is more than just semantic. Underlying it is the issue of how to respond to attacks and who should be doing the responding.

Whose fight?

If they are acts of war, surely the responsibility to protect against, prevent or counter them devolves to government, diplomats, ultimately the military.

But as Clinton points out, even incidents that seem most clearly to warrant being characterized as cyberwarfare – such as the attacks in Estonia and Georgia in 2008, which were widely believed to have been sponsored if not perpetrated by the Russian government – don’t really conform to traditional definitions.

No war was declared. Identifiable nation states did not act against each other – so far as we know.

“If [those attacks] were state sponsored, but not carried out by the traditional apparatus of state, by armies, then they would seem to be illegal [under existing conventions] and should be outlawed,” Clinton says.

Except this doesn’t really get us anywhere – which is partly his point.

And in more recent cases implicating the Chinese government, one strong possibility is that citizen cyber militias or espionage-crime gangs may have been involved, with the Chinese government not so much sponsoring as turning a blind eye to – and possibly benefiting after the fact from – the activity. Does the Geneva Convention cover that?

Everything changes in a massively networked and digitalized world, Clinton says. Old definitions and assumptions – including about warfare – no longer hold. To try and apply them in cyberspace may be deflecting the conversation from more fruitful paths.

“We need to understand that this is an orange and those are apples,” he says. “It’s a different thing and it needs to be thought through in a different way.”

Clinton’s organization in fact doesn’t have a position on whether the Google and Shadows-In-The-Cloud attacks are warfare or not. But the debate does underscore something ISA is very concerned about: a fundamental disconnect, on a couple of levels, in the dialog between government and industry on the issue of cyber security.

Each has different priorities and agendas, Clinton points out. Government agencies typically focus on finding out who is responsible for cyber attacks so they can pursue and catch them. Private sector organizations don’t care so much who’s responsible; they just want the attacks to stop.

This has a couple of implications, including in the crucial area of information sharing. “Both sides agree it’s important to be sharing this information [about cyber attacks],” Clinton says. “But it’s not happening.”

The reason? Both sides believe the other side cannot guarantee security. Information the government holds is subject to freedom of information requests. Information held by multi-national corporations could leak.

“Google can’t turn over proprietary, confidential information to government that Microsoft is going to find,” Clinton says. “And government doesn’t want to give information to internationally-based companies where some of those international employees could leak the information and compromise a criminal investigation.”

“Does this impede resolving the problem? Yeah.”

ISA believes there is a solution, one that, again, involves a radical rethinking.

Rather than focusing on and sharing information about how attackers breach security, counter-espionage – or anti-crime – efforts should concentrate on what happens after the breach.

“We’ve been looking at the problem all wrong,” Clinton says. “We’ve been trying to protect the cyber perimeter, but we can’t – it’s too large. Determined attackers will always find some way in.”

“However, once an attacker is inside the network, we have a lot more control. Most attacks are only successful when the attackers get back out of the system. If you’re trying to steal proprietary information or national secrets, you have to get out of the vault first. And we have good systems for detecting what’s happening once they’re inside the vault.”

To protect and to serve

Tracking where data goes when it leaves is much easier than predicting and protecting against attacks that could come from anywhere, by any means. Stolen data typically goes to a finite number of command and control centers, all of which, of necessity, have registered identities on the Internet. Both sides could simply alert each other about unauthorized traffic to sites implicated in cyber espionage.

“If we just shared information about the get-away car,” Clinton argues, “it would circumvent the problems.”

We’re not exactly sure if this will satisfy government concerns. To tinker with the metaphor a little, wouldn’t it be a little like telling the bank manager the location of the robber’s hideout?

At a much higher level, ISA has proposed a new ‘social contract’ between government and industry to ensure that the “sustainable system of worldwide cyber security” is built and maintained.

We know how to build security systems, ISA argues, but we need to get buy-in from all concerned parties. Everyone’s cyber security is dependent on everyone else’s, but right now, there are too many weak links in the cyber security chain because companies and governments don’t invest enough.

In a white paper submitted to the White House last year and available for download here, ISA argues that what is needed is a new ‘social contract,’ an agreement with government similar to the ones in place a century ago in the U.S. that led to the build-out and maintenance by the private sector of electrical grids and road systems.

Bottom line: government should, as it did then, provide incentives – tax breaks, loan guarantees, etc. – to encourage companies to invest in cyber security.

The idea is not without merit. The challenge will be to convince government this is a high enough priority to warrant its attention – and a share of its scarce resources. Good luck on that.

Gerry Blackwell is a veteran technology journalist based in Canada. He writes monthly for eSecurityPlanet on the topic of cyber security.