How can we be at cyberwar if we don't know what it is?

Before plunging into a Cold-War style cyber arms race with our online enemies, the United States needs to decide just exactly what cyberwar is, who should fight it and how to do it.

A chorus of alarmists is raising the specter of cyberwarfare and urging the militarization of the Internet to ensure our national security against online attacks.

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.”

It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime. Before we plunge into a Cold War-style arms race with perceived online enemies, we should engage in a public dialog and decide exactly what cyberwar is, who should fight it and how to do it.

Words have consequences. War entails specific risks and responsibilities and should not be entered into lightly. The Constitution lays out requirements for engaging in war, and the United States is a signatory to treaties that impose legal restrictions on conducting warfare, such as distinguishing between combatants and non-combatants and military and non-military targets. And once a nation engages in an act of war, it invites retaliation, regardless of its motives.

As of now, we have no workable definition of what constitutes cyberwar, and more often than not we lack the ability to accurately distinguish it from act of online vandalism.


Related stories:

Web site hacking: Terrorism or rogue diplomacy?

Is a digital Pearl Harbor in our future?


Recent comments by White House Cybersecurity Coordinator Howard Schmidt in a Wired magazine interview were a breath of fresh air. “There is no cyberwar,” Schmidt said. “I think that is a terrible metaphor and I think that is a terrible concept.”

What the United States and the rest of the world deal with on a daily basis in cyberspace typically are crime and espionage. These are bad things, but they are not warfare. James Lewis, who helped lead the Center for Strategic and International Studies’ study on cybersecurity for the 44th presidency, recently called cyberwar a “loaded term.”

“No one has yet entered into cyberwarfare,” Lewis said. Warfare consists of more than vandalism, inconvenience or even theft, he said. “As you move toward damage and casualties, then you cross the threshold.”

None of these reservations means that the threat of actual cyberwar does not exist. The United States and a number of other countries are actively pursuing the capability to wage cyberwar as well as defend against it. “They have done the reconnaissance, they have done the planning and developed the tools,” Lewis said.

A good way to prevent the use of these tools is to have a clear understanding of the rules under which they are to be used and the consequences for using them. To date we have not done a very good job of this. Former presidential advisor Richard A. Clarke, in his forthcoming book, “Cyber War,” likens the situation to the nuclear proliferation of the 1950s.

“In the first decade of the twenty-first century, the U.S. developed and systematically deployed a new type of weapon, based on our new technologies, and we did so without a thoughtful strategy,” he writes. “We created a new military command to conduct a new kind of high-tech war, without public debate, media discussion, serious congressional oversight, academic analysis, or international dialogue.”

Not only would such a dialogue help to define the conditions and rules for cyberwar, but they would free us to better deal with the very real threat of cybercrime. If we are not able to see cybercrime for what it really is, we will not be able to effectively deal with it. If the so-called war on drugs has taught us anything, it is that declaring war against a criminal activity is likely to fail.