Over the past week, the blog-sphere of the computer security world has been ambushed with some serious discussions about whether all of the talk going in the nation about the threat cyberwar is nothing more than hype. Some would argue it is being used as a scare tactic to push political and agency agendas, while others would argue that it is a valid and prevalent issue. In the world of information technology, this is often times an issue – important concepts, ideas, or issues are over-hyped and then dismissed. In some cases dismissing technology hype completely is valid (see NoSQL), while in others it could be very dangerous.
Richard Bejtlich over at TaoSecurity summarizes the argument of those that believe it’s all just cyberhype nicely:
Their argument is simple.
- The government wants to control the people, or obtain a resource, or pursue some objective that could not be reasonably achieved if transparently presented to the citizenry.
- The government “propaganda machine,” sometimes in coordination with “the media” and “big business,” “manufactures” a “crisis” whose only solution is increased government power.
- The people acquiesce in order to preserve their safety, and the government achieves its objective
It’s not too far-fetched to believe that politicians and intelligence agencies have some agenda of their own. It is also not too far-fetched to believe that the government uses propaganda and scare tactics to push those agendas – but that does not mean a threat does not in fact exist. Bejtlich goes on in his article to state that the cyberwar is in fact real, regardless of if it follows the traditional definition of “war”. In a followup article, he continues to support his argument by using a variety of political frameworks for defining what actually constitutes as war.
While Bejtlich obviously believes that cyberwar is in fact real, others such as renowned security professional Bruce Schneier has a different take on it all. In one of his recent articles, Schneier argues that the threat has been exaggerated. A number of government officials, have been quoted as saying that the cyberwar is a real and prevalent threat. According to Schneier, “…the entire national debate on cyberwar is plagued with exaggerations and hyperbole.” Schneier goes on to explain several examples of the overuse and misuse of the term cyberwar and states that we are in fact not a cyberwar. He believes that we should have a Cyber Command and be prepared for war having improved cybersecurity, but says that there is no more of a threat of a threat of a cyberwar than there is a ground invasion.
While Schneier presents a few valid and convincing points, I largely agree with Bejtlich, in that the cyberwar is in fact a real and an important threat that most certainly needs to be addressed. Yes politicians use rhetoric to sell the public on the need for change in policies. And yes agencies do oversell the threats to push their personal agendas. With no real definition for who has power in the case of cyber attacks, it is no surprise that every one wants control. Even if the threats are somewhat exaggerated, it does not mean the threats do not exist.
Attacks on classified networks, whether these be denial-of-service attacks or attacks used purely to obtain information are real threats. If it is known that our networks are vulnerable and not defended, a foreign agency can use this fact to their benefit to prevent communications when we really need them. It is surprising that Schneier would dismiss the attack on Estonian websites in 2007 as “simple hacking”. A denial-of-service attack, while simple in execution can cause a tremendous amount of damage when mission critical services are interrupted. Even if networks are being attacked as simple proof-of-concepts, it poses a real threat. Reconnaissance is the first step in covert warfare. This fact does not change in a cyber arena.
I feel it is hard to argue, knowing that our networks are being attacked on a regular basis (regardless of where the attacks are originating from), that there is not a cyberwar going on. It is imperative that we defend our networks, and imperative that we understand the consequences of failure. This is not to say I fully agree with the media and politicians who exaggerate the actual threat. There is no question of whether or not the threat has been exaggerated, but that does not mean we should entirely dismiss the threat or that a cyberwar does in fact exist.