26 July 2016

Cyberwar, the IT Professional, and Battles between Nations

On the securitymetrics list, Joel Rosenblatt recently posted a link to an article by David Gewirtz and asked "Do you, as IT professionals, have to get involved in the battles between nations?"

It is a good question, but the article he cites confuses cyberwar and cybercrime. After all, not all cyber attacks are cyberwar, if you understand war of any kind to require the use of force, political objectives, and, arguably, nation states.

Given that understanding of war, the metrics that the article cites are misleading. Most data breaches are made for economic gain, not political advantage. Therefore, the numbers cited about the cost of breaches, the growth of incidents, and so forth, miss their mark. So do the numbers on the growth of the amount spent on defense, given the apolitical nature of the attacks and the attackers they are defending themselves against.

I would make the further point that we have yet to see true cyberwar. Attacks in Estonia, Georgia, Ukraine, and elsewhere have been examples of how cyber attacks can affect political conflict. But were they truly cyberwar? Nobody died. No long-lasting damage was done. Did these cyber attacks, in the end, successfully advance any political goal? Arguably, no.

That said, the article asks a larger question that does need an answer. To paraphrase it: What responsibility must private enterprise take in defense against attacks in cyberwar? In addressing this list, Rosenblatt placed this question at the personal level when he asked "Do you, as IT professionals, have to get involved in the battles between nations?"

It is unlikely that anyone would argue that private enterprise bears no responsibility. The question can then become more precise: How much responsibility should lie in private hands and how much should be assumed by the government? This has been debated publicly, at length, for years. The White House has issued Executive Orders to address the issue, and Congress has passed some legislation and debated much more. Nonetheless, it has not yet been answered.

Part of the reason why the question remains open is that we don't have a clear idea what cyberwar is. What do we need to prepare for? More Sony attacks? Massive DDoS attacks like in Estonia? Attacks on industry like the assault on power stations in Ukraine? Or something else?

The truth is that we need to prepare for the last, for something not yet seen in its entirety. Or perhaps not at all. Herzi Halevi, the Chief of Israeli Intelligence, recently pointed out that the power of air warfare did not become evident until World War II, about 40 years after the airplane was invented. With that in mind, it is early days in the development of cyberwar.

Drawing on the analogy with air power, we can expect cyberwar to be of two kinds. 'Tactical' cyberwar will directly affect the battlefield. The growing importance of digital communication makes the significance of this aspect of cyberwar clear. 'Strategic' cyberwar is analogous to the use of Liberators and Lancasters to bomb German industrial plants, railroad yards, dams, and oil fields.

The former is clearly the province of government. The latter is where the private sector comes in. A difference between cyberwar and air war is that private enterprises can do much to protect their assets against cyber attacks, but little to protect them against air attacks. Indeed, when it comes to cyber attacks, the essential work is out of the hands of government, though it can provide money and information.

That is particularly true in the United States, where private enterprise does not trust government and has little inclination to work with it. There is less distrust elsewhere, so government can do more. The Israeli government, for example, is establishing a national CERT that will provide cybersecurity services to private industry. With the American public and private sectors at loggerheads, nothing like that can be done here and be effective.

And, as it stands now, the money and information that government might provide won't be available. Congress almost certainly won't provide funds for defenses that private industry is not certain it needs. Despite much effort and almost endless discussion, information has been exchanged grudgingly at best.

What does this mean? The United States is likely to remain unprepared for attacks made in strategic cyberwar, barring some horrendous wake-up call.

So, following on Rosenblatt's question, what is an IT professional to do for cyberwar? Keeping in mind that not all cyber attacks are cyberwar and that many of the tactics, techniques, and procedures of cyber attacks used by nation states and private criminals are similar, I would tell the professional: Keep on working to strengthen the defenses you are responsible for. That may seem a small task to those who don't have to do it, but it is essential. Those who make policy, in industry and government, should do much more.