Is there an undeclared war raging in cyberspace?
Does apparently politically-motivated, possibly state-sponsored hacking in recent years constitute acts of war?
The attacks on Google and others in China last year, on Georgian and Estonian targets two years ago, on the Tibetan government in exile as reported in the recent Shadows In The Cloud reportare they cyberwarfare, or something else?
The question came up at the first Worldwide Cybersecurity Summit in Dallas, Texas earlier this month, where 400 security experts and industry leaders from dozens of countries met to palaver. The conference was sponsored by the EastWest Institute.
Some experts said yes, its warfare call a spade a spade some said no, the term is used too loosely and to no good advantage.
Larry Clinton, president and CEO of the Internet Security Alliance (ISA), who was at the summit as a presenter, says it may be the wrong question altogether.
Clinton and his organization, an inter-sectoral industry association dedicated to developing a sustainable system of worldwide cyber security, believes that a lot of issues related to Internet security, including this one, need a radical rethink.
To be fair, the question as raised at the summit is more than just semantic. Underlying it is the issue of how to respond to attacks and who should be doing the responding.
If they are acts of war, surely the responsibility to protect against, prevent or counter them devolves to government, diplomats, ultimately the military.
But as Clinton points out, even incidents that seem most clearly to warrant being characterized as cyberwarfare such as the attacks in Estonia and Georgia in 2008, which were widely believed to have been sponsored if not perpetrated by the Russian government dont really conform to traditional definitions.
No war was declared. Identifiable nation states did not act against each other so far as we know.
If [those attacks] were state sponsored, but not carried out by the traditional apparatus of state, by armies, then they would seem to be illegal [under existing conventions] and should be outlawed, Clinton says.
Except this doesnt really get us anywhere which is partly his point.
And in more recent cases implicating the Chinese government, one strong possibility is that citizen cyber militias or espionage-crime gangs may have been involved, with the Chinese government not so much sponsoring as turning a blind eye to and possibly benefiting after the fact from the activity. Does the Geneva convention cover that?
Everything changes in a massively networked and digitalized world, Clinton says. Old definitions and assumptions including about warfare no longer hold. To try and apply them in cyberspace may be deflecting the conversation from more fruitful paths.
We need to understand that this is an orange and those are apples, he says. Its a different thing and it needs to be thought through in a different way.
Clintons organization in fact doesnt have a position on whether the Google and Shadows-In-The-Cloud attacks are warfare or not. But the debate does underscore something ISA is very concerned about: a fundamental disconnect, on a couple of levels, in the dialog between government and industry on the issue of cyber security.
Each has different priorities and agendas, Clinton points out. Government agencies typically focus on finding out who is responsible for cyber attacks so they can pursue and catch them. Private sector organizations dont care so much whos responsible, they just want them to stop.
This has a couple of implications, including in the crucial area of information sharing. Both sides agree its important to be sharing this information [about cyber attacks], Clinton says. But its not happening.
The reason? Both sides believe the other side cannot guarantee security. Information the government holds is subject to freedom of information requests. Information held by multi-national corporations could leak.
Google cant turn over proprietary, confidential information to government that Microsoft is going to find, Clinton says. And government doesnt want to give information to internationally-based companies where some of those international employees could leak the information and compromise a criminal investigation.
Does this impede resolving the problem? Yeah.
ISA believes there is a solution, one that, again, involves a radical rethinking.
Rather than focusing on and sharing information about how attackers breach security, counter-espionage or anti-crime efforts should concentrate on what happens after the breach.
Weve been looking at the problem all wrong, Clinton says. Weve been trying to protect the cyber perimeter, but we cant its too large. Determined attackers will always find some way in.
However, once an attacker is inside the network, we have a lot more control. Most attacks are only successful when the attackers get back out of the system. If youre trying to steal proprietary information or national secrets, you have to get out of the vault first. And we have good systems for detecting whats happening once theyre inside the vault.
To protect and to serve
Tracking where data goes when it leaves and it typically goes to a finite number of command and control centers, all of necessity, with registered identities on the Internet is much easier than predicting and protecting against attacks that could come from anywhere, by any means. Both sides could simply alert each other about unauthorized traffic to sites implicated in cyber espionage.
If we just shared information about the get-away car, Clinton argues, it would circumvent the problems.
Were not exactly sure if this will satisfy government concerns. To tinker with the metaphor a little, wouldnt it be a little like telling the bank manager the location of the robbers hideout?
At a much higher level, ISA has proposed a new social contract between government and industry to ensure that the sustainable system of worldwide cyber security is built and maintained.
We know how to build security systems, ISA argues, but we need to get buy-in from all concerned parties. Everyones cyber security is dependent on everyone elses, but right now, there are too many weak links in the cyber security chain because companies and governments dont invest enough.
In a white paper submitted to the White House last year and available for download here, ISA argues that what is needed is a new social contract, an agreement with government similar to the ones in place a century ago in the U.S. that led to the build-out and maintenance by the private sector of electrical grids and road systems.
Bottom line: government should, as they did then, provide incentives tax breaks, loan guarantees, etc. to encourage companies to invest in cyber security.
The idea is not without merit. The challenge will be to convince government this is a high enough priority to warrant its attention and a share of its scarce resources. Good luck on that.
Gerry Blackwell is a veteran technology journalist based in Canada. He writes monthly for eSecurityPlanet on the topic of cyber security.