It’s easier to talk about mega breaches, such as the ones that ocured at Lockheed Martin and L-3, than pay attention of the thousands of small breaches that occur on hourly basis and affect smaller companies. The discussion regarding cyberwar might assist with very large and high-profile incidents, but is of little help for the small ones. This is problematic, because the smaller incidents could exceed the economic losses associated with mega breaches.
The Wall Street Journal described Pentagon’s report on its cyber warfare strategy, concluding that “computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.” A cyber incident that might be classified as such an attack is likely to to be big enough to produce or intend to product “death, damage, destruction or a high level of disruption.”
A few days prior to the WSJ article, Gene Spafford published his perspective on cyberwar, pointing out that:
“We’re losing billions of $$ worth of intellectual property per year to foreign intelligence services, foreign competitors, and criminals, and we have been for years. U.S. companies and taxpayers are effectively paying for the R&D that is supporting huge amounts of foreign development. And we are also seeing billions of $$ of value being bled from the economy in credit card fraud, bank fraud and other kinds of fraud, including counterfeit pharma and counterfeit electronics sales.”
Note that the incidents Gene describes are not the mega breaches that cyber warfare plans are likely to encompass. Gene characterizes the effects of the numerous threats were are failing to deal with as death by a thousand cuts. He points out that the U.S. military build up in cyber capabilities “does little to help civilian companies under attack within U.S. borders by unknown parties.”
Gene’s sentiment is reminiscent of Bruce Schneier’s concern with our fascination with the term cyberwar:
“If we frame the debate in terms of war, if we accept the military’s expansive cyberspace definition of ‘war,’ we feed our fears. We reinforce the notion that we’re helpless — what person or organization can defend itself in a war? — and others need to protect us.
If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it’s done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.”
As we debate whether or not cyberwar exists and what role we might play in it, let’s remember that cyber warfare encompasses only some of the many information security issues that affect us. Don’t forget to consider how we’ll deal with the numerous smaller data breaches: Individually they may fall below the threshold of a warfare event, yet burden the economy in a way that has a tremendous negative impact on all its legitimate participants.