Bruce Schneier, a legend among hackers and security experts, is having trouble convincing the world that the threat of cyberwar is overstated. In 2010, the year after the US launched a Cyber Command division of its military, he lost a public debate on the subject. And in October, US Secretary of Defense Leon Panetta said that the US should gird itself for a cyber Pearl Harbor. Yet Schneier is undeterred. Through countless essays, speeches and debates, he has tirelessly argued that what we should really be paying attention to is how we establish trust online, and failing that, what are the basic security measures which will help us cope with both cyberwar and the countless acts of cybercrime, cyberhooliganism, cyberterrorism, and cyberespionage that happen every day.
Data on just how much damage cybercrime occurs is patchy, but data on cyberwar is even worse because “there’s been no cyberwar, so the data does not exist,” Schneier says.
It’s an arresting assertion. Is it really possible, given all we’ve heard about the coming cyber 9/11, cyber Armageddon—and even a cyber Katrina requiring a cyber FEMA—that cyberwar remains a mere hypothetical? And yet that seems to be the case.
As Thomas Rid explained in Foreign Policy:
Indeed, there is no known cyberattack that has caused the loss of human life. No cyberoffense has ever injured a person or damaged a building. And if an act is not at least potentially violent, it’s not an act of war.
Separating cyberwar from cybercrime
That’s not to say that our connected world isn’t increasingly beset by attacks over the internet. Recently, an attack originating in Iran interfered with the office computers of Qatari and Saudi Arabian oil and gas production firms, wiping out files on 30,000 computers. US Secretary of Defense Leon Panetta called it the most destructive attack ever in the private sector.
Other attacks originating in Iran have targeted US banks. In 2007, the websites of banks, newspapers, and some divisions of government in Estonia were jammed up by an attack that flooded those sites with traffic, rendering them inaccessible. And some are describing Iran’s attempts at interference with energy companies and banks as a low-grade cyberwar.
But Schneier, who has been writing about the issue for nearly a decade, contends that defining every act of cybercrime as some variety of cyberwar is a rhetorical trap that could lead to escalation and worse. As he explained in 2007:
Although the goals are different, many tactics used by armies, terrorists and criminals are the same. Just as they use guns and bombs, they can use cyberattacks. And just as every shooting is not necessarily an act of war, every successful Internet attack, no matter how deadly, is not necessarily an act of cyberwar. A cyberattack that shuts down the power grid might be part of a cyberwar campaign, but it also might be an act of cyberterrorism, cybercrime or even–if done by some 14-year-old who doesn’t really understand what he’s doing–cyberhooliganism. Which it is depends on the attacker’s motivations and the surrounding circumstances–just as in the real world.
The world’s most sophisticated and invasive attack over the internet was an act of the US and Israel: the Stuxnet worm that caused Iran’s uranium-enriching centrifuges to spin so quickly that one in five was destroyed.
Aside from Iran’s rather sloppy virus attack on energy companies and the Stuxnet worm, almost all cyber attacks are waged with armies of “zombie PCs” that clog target websites with requests. These zombie botnets are accessible and dirt cheap—they can be rented for as little as $2 an hour—and there is ample evidence that most attacks employing them are carried out not by state actors but, especially in China, private citizens.
Framing every attack as a kind of cyberwar means leads to irrational responses, including pre-emptive cyber-attacks on US enemies. The problem with that policy, Schneier argued in 2007, is that you often don’t know where a cyber attack originated, raising the stakes for any counterattack, and what you’re experiencing is almost certainly not an act of war but a crime:
A cyber-security policy that condones both active deterrence and retaliation — without any judicial determination of wrongdoing — is attractive, but it’s wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment.
The ignored threats: cyber-everything else
While cyberwar get all the attention, with its imagined threats of attacks on our electrical and transportation grid, consumers alone are losing an estimated $110 billion to cybercrime every year. Those numbers may be overblown, but even Schneier agrees that cybercrime is bad and getting worse.
“This is a big problem for individuals, small and medium size businesses,” says Schneier. In China, one sting netted a cybercrime gang accused of pilfering $48 million from small businesses; the money was then laundered through online games. Impersonating someone online is an easy way to defeat bank security measures–convincing a bank you’re a particular customer doesn’t require attacking the bank itself–and creative criminals have even discovered that they can steal money by synthesizing fake people who don’t exist in real life.
Cyberespionage is also an important and overshadowed issue: Lockheed Martin, the Pentagon’s top supplier, recently said that attacks on its networks and suppliers have increased dramatically and that 20% of them are considered “advanced persistent threats” aimed at stealing data or interfering with operations. On the whole, businesses are riddled with known threats and security holes that have yet to be closed.
Since cyber attacks can be carried out by such a wide variety of people with equally diverse motives, the way to defend against all of them is to concentrate on security—rather than an imagined war—and leave management of networks to the professionals, says Schneier.
“In general, businesses hand over specialized areas of infrastructure to specialists,” he says. “Food service, cleaning, tax preparation, and IT infrastructure and security are just like that. It makes no sense to do it yourself… Computing is a utility, and we need to start treating it that way.”
Everyone, even Schneier, agrees that cyberwar will someday be a component of warfare. It may even be a way for states like China to compete with the US without matching America’s enormous defense budget. But by touting threats that have yet to materialize, we’re not just missing out on more immediate threats; we may also be ignoring the basic security measures that all businesses should be taking to defend themselves against any cyber attack–whatever its origin and meaning.