On the securitymetrics list, Joel Rosenblatt recently posted a link to
an article by David Gewirtz and asked "Do you, as IT professionals,
have to get involved in the battles between nations?"

It is a good question, but the article he cites confuses cyberwar and
cybercrime. After all, not all cyber attacks are
cyberwar, if you understand war of any kind to require the use of force,
political objectives, and, arguably, nation states.

Given that understanding of war, the metrics that the article cites are
misleading.
Most data breaches are made for economic gain, not political advantage.
Therefore, the numbers cited about the cost of breaches, the growth of
incidents, and so forth, miss their mark. So do the numbers on the
growth of the amount spent on defense, given the apolitical nature of
the attacks and the attackers they are defending themselves against.

I would make the further point that we have yet to see true cyberwar.
Attacks in Estonia, Georgia, Ukraine, and elsewhere have been examples
of how cyber attacks can affect political conflict. But were they truly
cyberwar? Nobody died. No long-lasting damage was done. Did these cyber
attacks, in the end, successfully advance any political goal? Arguably,
no.

That said, the article asks a larger question that does need
an answer. To paraphrase it: What responsibility must private
enterprise take in defense against attacks in cyberwar? In addressing
this list, Rosenblatt placed this question at the personal level when he
asked "Do you, as IT professionals, have to get involved in the battles
between nations?"

It is unlikely that anyone would argue that
private enterprise bears no responsibility. The question can then become
more precise: How much responsibility should lie on private hands and
how much should be assumed by the government? This has been debated
publicly, at length, for years. The White House has issued Executive
Orders to address the issue, and Congress has passed some legislation
and debated much more. Nonetheless, it has not yet been answered.

Part of the reason why the question remains open is that we don't have a
clear idea what cyberwar is. What do we need to prepare for? More Sony
attacks? Massive DDoS attacks like in Estonia? Attacks on industry like
the assault on power stations in Ukraine? Or something else?

The truth is that we need to prepare for the last, for something not yet
seen in its entirety. Or perhaps not at all. Herzi Halevi, the Chief of
Israeli Intelligence, recently pointed out that the power of air warfare
did not become evident until World War II, about 40 years after the
airplane was invented. With that in mind, it is early days in the
development of cyberwar.

Drawing on the analogy with air power,
we can expect cyberwar to be of two kinds. 'Tactical' cyberwar will
directly affect the battlefield. The growing importance of digital
communication makes the importance of this aspect of cyberwar clear.
'Strategic' cyberwar is analogous to the use of Liberators and
Lancasters to bomb German industrial plants, railroad yards, dams, and
oil fields.

The former is clearly the province of government. The
latter is where the private sector comes in. A difference between
cyberwar and air war is that private enterprises can do much to protect
their assets against cyber attacks, but little to protect them against
air attacks. Indeed, when it comes to cyber attacks, the essential work
is out of the hands of government, though it can provide money and
information.

That is particularly true in the United States,
where private enterprise does not trust government and has little
inclination to work with it. There is less distrust elsewhere, so
government can do more. The Israeli government, for example, is
establishing a national CERT that will provide cybersecurity services to
private industry. With the American public and private sectors at
loggerheads, nothing like that can be done here and be effective.

And, as it stands now, the money and information that government might
provide won't be available. Congress almost certainly won't provide
funds for defenses that private industry is not certain it needs.
Despite much effort and almost endless discussion, information has been
exchanged grudgingly at best.

What does this mean? The United
States is likely to remain unprepared for attacks made in strategic
cyberwar, barring some horrendous wake-up call.

So, following on Rosenblatt's question, what is an IT professional to do
for cyberwar?
Keeping in mind that not all cyber attacks are cyberwar and that many of
the tactics, techniques, and procedures of cyber attacks used by nation
states and private criminals are similar, I would tell the
professional: Keep on working to strengthen the defenses you are
responsible for. That may seem a small task to those who don't have to
do it, but it is essential. Those who make policy, in industry and
government, should do much more.