February 16, 2011
Expert: Cyber Warfare Threat Is Exaggerated
Bruce Schneier, a leading security expert, said recently that the threat of cyber warfare is greatly exaggerated.
He claims that emotive rhetoric around the term does not match the reality.
Schneier, security officer for BT, is due to address the RSA security conference in San Francisco this week.
He told BBC News that there was a power struggle going on, involving a "battle of metaphors."
He suggested that the notion of a cyber war was based on several high-profile incidents from recent years.
They include blackouts in Brazil in 1998, attacks by China on Google in 2009 and the Stuxnet virus that attacked Iran's nuclear facilities.
He also pointed out the hacking of Republican vice-presidential candidate Sarah Palin's email.
"What we are seeing is not cyber war but an increasing use of war-like tactics and that is what is confusing us."
"We don't have good definitions of what cyber war is, what it looks like and how to fight it," said Schneier.
Howard Schmidt, cyber security coordinator for the White House, agrees with Schneier's point of view.
"We really need to define this word because words do matter," Schmidt told BBC's Maggie Shiels.
"Cyber war is a turbo metaphor that does not address the issues we are looking at like cyber espionage, cyber crime, identity theft, credit card fraud."
"When you look at the conflict environment - military to military - command and control is always part of the thing."
"Don't make it something that it is not," Schmidt told a small group of reporters on the opening day of the conference.
Last month, a report by the Organization for Economic Cooperation and Development concluded that the vast majority of hi-tech attacks do not deserve the name cyber war.
The issue is likely to receive a lot of attention at RSA this week as panels seek to define what is and what is not cyber warfare.
"Stuxnet and the Google infiltration are not cyber war - who died?" asked Schneier at the event.
"We know what war looks like and it involves tanks and bombs."
"However, all wars in the future will have a cyber space component."
"Just like we saw in the Iraqi war we [the US] used an air attack to soften up the country for a ground offensive."
"It is probably reasonable you will see a cyber attack to soften up the country for an air attack or ground offensive," he added.
Schneier claimed the heated rhetoric driving policy might not be appropriate.
"The fear is that we are going to see an increased militarization of the internet," he said.
The FBI and Department of Defense recently squared off over who got to control defense in cyber space and the multimillion dollar budget that goes with the job.
Schneier said the defense department won the battle.
He also described a worrying trend of politicians trying to introduce legislation as a way to deal with the issue, calling it nothing short of knee-jerk politics.
The Cybersecurity Enhancement Act was introduced last week in the Senate, following confirmation by oil companies and NASDAQ officials that their computer systems were repeatedly hacked by outsiders.
"My worry is these ill thought-out bills will pass," said Schneier.
Talk of drawing up the equivalent of a Geneva Convention of cyber space has been gaining attention.
The proposal was raised by the EastWest Institute, an international affairs think-tank, at a security conference in Munich last week.
Schmidt said he is skeptical because he does not believe every country will sign up to an agreed set of standards.
"I don't know that a treaty is going to solve anything at this juncture."
"Not everyone thinks about this unilaterally around the world. We can't do this by ourselves," he said.
Industry commentator Declan McCullagh, who is chief political writer for CNET.com, believes the idea of doing nothing is untenable.
"Before we get to the stage of having to launch a cyber war, and that will eventually come, let's have a public discussion about what this involves," he told BBC.
"A Geneva Convention for cyber war makes sense at least to start that discussion."
"What that would do is put certain types of attacks off the table like you are not going to target the enemy's hospitals or certain types of civilian systems that innocents depend on for their livelihood."
"I don't think everyone is going to respect it, and maybe the US won't respect it at times, but at least it starts the discussion and will probably have a positive effect," McCullagh told BBC.
This year marks the 20th anniversary of the RSA event, which started as a purely technical cryptography conference and has evolved into a broader forum that includes issues of policy and governance.