Ten days ago, on Nov. 24, online security firms revealed the existence of a powerful computer virus called Regin. A tool of espionage, the bug displayed all the hallmarks of nation-state backing, researchers said. Suspicion immediately fell on the US and Israel.
The following day came news of a massive intrusion into the systems of Sony Pictures Entertainment. Several pre-release films were leaked, along with detailed personal records and communications of employees. An estimated 100 terabytes of data were stolen, and some 40 gigabytes have so far been leaked. Investigators pointed the finger at North Korea.
Unsurprisingly, there has since been much hand-wringing about cyberwarfare, with one prominent right-wing American website declaring that “The first cyber war is under way.”
It is precisely this sort of hype that Thomas Rid, a professor of security studies at King’s College London, and Robert M. Lee, an active-duty US Air Force cyber-warfare operations officer, warn against in their paper “OMG Cyber!”, published in the most recent issue of RUSI Journal, a well-regarded peer-reviewed academic journal of defense and security topics.
Rid and Lee argue that hype makes for bad policy. As defense budgets have shrunk, cyber is one area where funding has grown. That leads to perverse incentives, encouraging worry in order to gain and preserve funding. Since cyber is where the money is, all threats are re-labelled cyber-something. That means “it is ever harder to say when something clearly is not cyber-related,” the authors write.
“What we are seeing is espionage and practices and techniques that are easy to understand both technically and politically,” says Lee. “By hyping them into something they are not we fail to respond appropriately. Our policies, our technologies, our education, [and] our military’s readiness are being focused on a classification and understanding of the problem that does not align with the reality.”
Such reinterpretation of traditional threats can escalate conflict. A NATO official said earlier this year a cyber-attack would be covered by Article 5 of the treaty, which calls upon all member states to come to the defense of any member under attack. However, the official did not say what would count as an attack and what the response would be, suggesting it is meant as a deterrent. But that creates confusion. Does intrusion count? Espionage? From the paper:
[T]he vast majority of cyber-attacks also do not fall into NATO’s remit in the first place: espionage and cyber-crime are problems for intelligence agencies and law enforcement, not for a military alliance. For militants and the Kremlin, the subtext is clear: cyber matters; better up your game. NATO—among others—is escalating a problem that someone else will have to solve.
More than the usual suspects
The cyberwarfare hype does not arise solely from defense officials attempting to protect their turf and budgets. Security vendors have a vested interest in making cyber-threats seem pervasive in order to sell their products. And some of the responsibility for creating the hype falls on privacy activists and journalists who have helped give GCHQ, Britain’s signals intelligence agency, a profile and mystique matched only by James Bond, says Rid.
“[Edward] Snowden and the journalists covering this in a rather naïve way helped create the image that GCHQ and NSA [the US National Security Agency] are all-powerful, perfectly efficient surveillance machines that can see everything, penetrate everything, and know everything they want,” says Rid. “And that’s just laughable.”
The original impetus for the paper came from Lee and some of his frustrations as a practising officer. (Lee is also a PhD candidate at King’s College; Rid is his supervisor.) Lee has previously expressed his frustration in a similarly sarcastic “children’s book” about protecting the systems that control utilities and heavy industry. It was, he said at the time, “a bit immature of myself.” An academic paper, albeit formatted as a Buzzfeed-style listicle, is perhaps a slightly more grown-up way of expressing that frustration.
Rid, for his part, is a well-known skeptic, and author of the book “Cyber War Will Not Take Place,” in which he argues that cyberwar is not the threat it is made out to be. They make an unlikely pair—an academic and an officer—arguing against the militarisation of cyberspace. That may also be what gets them heard.