I was browsing CircleID the other day and came across Bruce Schneier’s article on cyberwar. The crux of Schneier’s article is that the term cyber war and the threat of cyber warfare have been greatly exaggerated. The real problem in cyberspace is not the threat of cyber warfare wherein a foreign government, or possibly a non-state actor, conducts a cyber attack on another nation. Instead, the cyber threat is really that of things like online crime. The people who assert that cyber war is a problem are those in the military who are hyping the threat in order to gain contracts from the government (i.e., it’s about the money) or gain control over others (which ultimately leads to money). In other words, the threat of a hostile government attacking us is small, and these threats are distracting us from the real problem – criminals in cyberspace.
Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. Traditional hacking, without a profit motive, is still a threat. So is cyber-activism: people, most often kids, playing politics by attacking government and corporate websites and networks.
These threats cover a wide variety of perpetrators, motivations, tactics, and goals. You can see this variety in what the media has mislabeled as "cyberwar." The attacks against Estonian websites in 2007 were simple hacking attacks by ethnic Russians angry at anti-Russian policies; these were denial-of-service attacks, a normal risk in cyberspace and hardly unprecedented.
A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses. If that's what war looks like in the 21st century, we have little to fear.
Similar attacks against Georgia, which accompanied an actual Russian invasion, were also probably the responsibility of citizen activists or organized crime. A series of power blackouts in Brazil was caused by criminal extortionists -- or was it sooty insulators? China is engaging in espionage, not war, in cyberspace. And so on.
Is Schneier right? Are the cyber threats more benign than we think?
I think that Schneier is correct in asserting that most attacks that are done are financially motivated, or examples of hacktivism (a portmanteau of the words hacking and activism). They are probably not examples of a foreign government attempting to shut down the infrastructure of the United States, or of that other foreign government. Yet the attacks on Georgia in 2008 and Estonia in 2007 were not done by mere teenagers, nor were they akin to getting in line at the DMV.
Responsibility for the attacks in 2007 was ultimately claimed by one of the commissars of the Nashi, a Russian youth organization with ties to the Kremlin. Konstantin Goloskokov was the one claiming he drove it, and he was an assistant of Sergei Markov, a politician in the Russian Duma. Furthermore, the attacks did more than shut down the DMV; they shut down all Internet traffic into Estonia. In addition, during the Georgia attacks, the DoS attacks on that country’s Internet web sites prevented the Georgian government from communicating with the outside world. They resorted to using Google Blogspot in order to do so. So, these are not mere teenagers causing a ruckus, but people with nationalistic views and the ability to hurt a country’s infrastructure if they try hard enough.
I suppose my point is not so much that cyber warfare is the problem, but that deeply embedded botnets that exist for criminal purposes and hostile actors with nationalist views can get together and do a lot of damage in a short period of time. It may not be a state actor, but if the state is aware of the potential for threats and turns a blind eye, that doesn’t mean that their liability is eliminated. The word for this is negligence.
It is this potential for collisions in the online crime/nationalist arena that has the military community in the United States up in arms. Those in the military tend to see threats where none potentially exist, but on the other hand, they’re supposed to see threats where none potentially exist because once in a while, they are right. It is a cost/benefit ratio. What happens if no defenses are built and no attack comes vs what happens if no defenses are built and an attack is executed?
His other point, that the term cyber warfare is strewn about ad nauseam, is correct. China did not declare cyber war on Google this year. The term is being used colloquially in the sense that there was a war between the Montagues and the Capulets, or a war between Donald Trump and Martha Stewart, or a war between me and my intestines last night after I had some bad pizza. It’s more like a feud where one side engages in dirty tactics. That China engages in espionage to steal secrets from Google is not war conducted in cyberspace; it’s China protecting their turf. It’s not much different than Venezuela nationalizing their oil industry, except nobody calls that conventional warfare (they call it socialism).
So, is there a cyber warfare problem? Maybe. Is it state-sponsored malicious intent? Less likely. Is there a problem with cyber crime? Definitely. Is this a recipe for disaster? Probably.