Some commenters took me to task a bit for my recent assertion here at KoW that the US is not in the midst of a cyberwar. My argument – one I’ve consistently made over the last year or so, including again in an op-ed for The Guardian earlier this week – is that words matter when it comes to describing risks and threats, and they frame the debates thus engendered. Crucially, of course, they help shape the responses of politicians and practitioners tackling the situations in which they find themselves.
This is not a particularly controversial stance and I find myself a bit baffled why some people might find it odd that I think declaring a de facto cyberwar against Russia and China, amongst others, might not be a particularly useful line to take. Perhaps my detractors are right but the deputy director of the UK Office of Cyber Security (OCS), Air Commodore Graham Wright, seems to agree with me.
Computer Weekly reports that the government is developing a “‘national lexicon’ of cyber English”, which tortured phrase describes the OCS attempt to stem some of the more lurid reports filtering from security agencies into the international media. Specifically, Air Cdre Wright is quoted as follows:
“We talk about the numbers of attacks we suffer … Attack is where you degrade, deny, disrupt or destroy something. But there are times when we need to be very explicit. Was this really an attack or was it theft?
“Most of what people refer to as ‘attacks’ are the exfiltration of data, which is theft or espionage,” he said. “I haven’t seen any reports of attack. Everyone always reports an attack. In most cases it is not an attack, its theft and crime, its stealing data.”
The OCS hopes a national cyber lexicon would end inexact reports of cyber attacks while clarifying language the UK could use when talking to Nato partners about the actual but as yet unrealised possibility of cyber attacks by foreign powers.
Obviously, Wright is talking more about the tactical /operational level here but it doesn’t surprise me at all to hear that the OCS is trying to pick its way carefully through some tricky terminological territory before fleshing out its response regimes. Just as it matters at this level to be precise about the actions in question, so too does it matter at the strategic level. Whilst I understand the perspectives of some who feel that the White House, in dampening claims of global cyberwar, is playing a political game, are we also going to suggest that Air Cdre Wright is doing the same?
Update: Apologies – the first published draft of this went out with some dodgy HTML. Should be fixed now.
{ 6 trackbacks }
{ 4 comments… read them below or add one }
Have to agree on the words. Of course we don’t have many good definitions for a very new technology and very new crime, but if we officially and legally label something as war than the governments would be expected to respond, even if it wouldn’t be worth it.
I guess I was one of the detractors. I do follow the world of cyber, as it is an essential element of national security and, darn it all, it is interesting.
Is a hack-attack just some thrill seeker, attempted theft or is it an act of war?
Not all attacks are acts of war, that is a given, but given enough attacks, with analysis showing the true destructive aim of the attack, it becomes an act of war–such is the case with China and North Korea and their attacks against the US.
Think of it this way, if in November 1944, armed Japanese Zeros were making repeated runs at Pear Harbor but were intercepted and turned back, wouldn’t those attempts be considered an act of war? Of course. Same with cyber attacks because those attacks can cause physical damage and death, not to mention economic collapse and threaten national survival.
The challenge is to determine quickly if the attacks are deliberate acts of a hostile power or movement. Back to the analogy: We need to know if the incoming aircraft are a flight of 99′s (http://www.ninety-nines.org/), or Zeros. If Zeros, it is War.
Formerly Grant / Gunrunner,
Yup, you’re both right, although I dispute the analogy of the Zeros. It’s difficult to simply transfer analogies between the physical and the cyber domains. But, yes, it does matter what we call things, how we interpret them, and how we then decide to respond, and with what.
It’s worth pointing out that there’s a live debate in this field about attribution, which is hedged around with numerous ‘ifs’ and ‘buts’. One of the elements in this discussion is whether circumstantial evidence is sufficient to ascribe responsibility for attacks to particular actors. Evidence can look compelling but might turn out to be false, as it did last July, when DPRK looked the obvious culprit but seemed to have little to do with the events that compromised US and ROK assets. That matter is still unresolved.
If cyber is to be considered under the Laws of Armed Conflict, it has to meet the conditions of military necessity, distinction, proportionality, discrimination, perfidy, and neutrality. It is less than clear how these conditions are met and respected by cyber ops. So, I agree, there are big issues to tackle here, but I’m fairly certain that declaring war rather than a more nuanced approach is not useful at this stage.
I imagine we’ll start to get agreements on what is and is not acceptable shortly after the next big war. True there were some agreements on some weapons prior to their actual use in World War I (such as poisonous gas and submarines I believe), but those agreements didn’t hold up and new ones were needed after the end of the war. Similarly laws concerning whether cities can be bombed weren’t largely established (and broken when possible) until after the Second World War. In other words, war spurs legal developments as much as technological ones.
On that note has anyone written up what might be a viable agreement on the use of the internet and warfare?