Talks among world experts about what constitutes cyberwar grow cold
United States should open cyber defense strategy talks to a public debate, much like it did with nuclear weapons, security firm says.
A cyber Cold War might be in full swing among nations, requiring more openness in policy discussions about cybersecurity, according to a report released on Tuesday.
"Computer scientists and international relations experts are not talking to each other right now" about potential strategies to address the threat of a cyberwar, said Richard Clarke, former special adviser to President George W. Bush on cybersecurity.
Clark's statement was included in a report released by Good Harbor Consulting, a strategic planning and corporate risk management firm, on behalf of security vendor McAfee. In the report, Clarke, now chairman of Good Harbor, contrasted the lack of a clear doctrine for cyber defense to the development of the U.S. nuclear strategy after World War II, when civilians, most outside of government, created a strategy outlining the appropriate use of nuclear weapons. Officials debated the strategy publically and later incorporated it into national policy.
"We know that cyber weapons are being used. It's a reality," said Paul Kurtz, who led Obama's cybersecurity transition team and is a partner at Good Harbor. "But what does that mean? We need some way of evaluating what's happening in order to frame [the national] response, and we have to take this discussion outside the classified confines of government. What would our response be to cyberwarfare? Who are our partners? Government is very reluctant to talk openly about these issues."
Kurtz said one reason for government's lack of transparency regarding a cyber defense strategy is that it hasn't been developed yet, and federal officials are reluctant to engage in any public discussion with companies or international partners until they have established a basic framework.
Among the biggest hurdles to developing a strategy is defining what constitutes an act of cyberwar, according to the report. Good Harbor recommends considering four factors to determine whether a cyberattack is an act of war:
--What is the source of the attack? Was it carried out or supported by a nation-state?
--What were the consequences of the cyberattack? Did it cause harm?
--What was the purpose of the attack? Was it politically motivated?
--How sophisticated was the cyberattack? Did it require customized methods and complex planning?
Cyberattacks against Estonia in 2007 and against Georgia in 2008 both could be reasonably defined as acts of war because they were motivated by clear political reasons. In the case of Georgia, it was generally accepted that the source of the cyberattacks was Russia. The attack shut down the governments.
The cyberattacks against Estonia were targeted against Web sites operated by the Estonian parliament, banks, ministries, newspapers and broadcasters amid conflicts with Russia.
By comparison, attacks that took down multiple federal Web sites on July 4, 2008, including those run by the State, Transportation and Treasury departments, showed no solid evidence that they were sponsored by a nation-state, were not politically motivated, resulted in limited consequences and were not sophisticated, according to the report. Therefore the attacks, as defined by Good Harbor's criteria, were not likely an act of cyberwar.
"A lot of people are jumping up and down and saying, 'The age of cyberwar is here,' but we need to try to evaluate the situation in a context that people find meaningful, to find a way to better understand what is happening around us," Kurtz said.
NEXT STORY: CISOs assess the assessors