The Lexicon Wars or Impediments to Cybersecurity
Image via Wikipedia
I was recently discussing cyberwar in a security forum on LinkedIn.com. My perspective was the complete opposite of many in the forum. I was stunned and had to sit back and contemplate the situation. I’ve been brewing this over in my mind for the past decade but it finally came back to haunt me. I was actually accused of being a 20th century thinker. I took umbrage with that statement (inside joke to anyone who was with me during initial discussions at JTF-6 back in the early 1990s). My takeaway is that the cybersecurity folks in the forum were thinking emotionally, they would certainly be aware if someone was attacking and doing damage to their network simultaneously with other networks, so they thought surely this constitutes an “act of war”! Before you disagree… riddle me this:
What is cyberwar?
What is an attack in cyberspace?
How do the laws of armed conflict apply in cyberspace?
How do conventional laws apply in a virtual world?
I could make a lengthy list of all the terms and questions myself and other so-called experts have discussed over the past 15+ years and to which we still do not have official definitions, that we do not have an agreed upon definition, and to which we honestly have no hope of ever determining a right way, never mind the right way, to our cybersecurity and warfare problems in cyberspace.
The definitions would be useless only moments (in relative terms) after we have an agreed upon solution. My good friend, Dr. Richard Forno, wrote his doctoral thesis and has based much of his career on the intricacies of “incident response”. I recall, not so fondly, how in the late 1990s all the cyber experts quite literally fought about how to define an incident.
It’s almost laughable in a way. Highly educated and very professional people fighting about a definition?
Fast forward ten+ years and now I am being attacked how I define war in cyberspace. I caught myself before I began hurling invectives and insulted friends. I began to realize their definition of war in cyberspace was an emotional issue from a cybersecurity perspective, whereas my definition is based upon years of splitting hairs about actual official definitions of cyberwarfare, cyberwar or war in cyberspace (the last is my preferred term).
Someone posited that anytime someone penetrated their network, that was considered cyberwar. I disagree, that would be an intrusion.
Someone said by stealing the information in my network, that would be considered cyberwarfare. I disagree, that would be theft of intellectual property or a cyber crime.
Someone claimed that denying, degrading or destroying data on a network would be cyberwar. I admitted, that would be bad, but by no stretch of the imagination would one single incident be considered a cyberwar. Yes, it honestly would depend on the targeted network. Doing this on the WhiteHouse.gov domain would definitely be considered an act of war, whereas at tinyminds.com (I made that up) it would probably be a pain in the butt.
Kevin Coleman published a terrific little book called “Cyber Commander’s Handbook“, I highly recommend it! Kevin actually gave me a hardcopy years ago, for a book review. By the time I finished reading it I realized that many of the definitions in the book are obsolete, outdated or wrong. Not because the book isn’t brilliant, it is, but because by the time the ink dried on the page the definition(s) had changed. He also started out with close to 32 attack ‘types’ and the last time I checked he has about 49 (I’d call him and ask but by the time I typed it here it would have probably changed).
This sets the stage for my next wild assertion: we need a new way of making, posting and agreeing upon definitions, thus freeing us to work on a problem and avoid getting stuck in petty definitional wars. We also need to begin establishing thresholds.
Wikipedia is a great way to get a community to come together and agree on a term, post issues, and discuss them (posting the good, the bad and the ugly) and finally agreeing on one pretty good agreed-upon definition for term. No, it’s not perfect. There have been cases where a Wikipedia page is used to push an agenda, to attract customers and to be a sounding board for some extreme or out of the ordinary positions. This definition, of course, will change. For instance, everything changed after Stuxnet.
Let’s take Wikipedia one step further. I believe the term ‘cyberwar’ is incorrect, there is a basic flaw in the assumption that there is landwar, airwar, seawar or spacewar. Instead we wage war on land, sea, air, space and in the cyberspace domains, culminating in war. Let’s assume the correct term is ‘war in cyberspace’, it is more doctrinally correct (according to the Joint Electronic Library of the Joint Staff, Pentagon). So… let’s define an act of war in cyberspace. Would that be 1 ping per second against dtic.mil? 10 pings per second? 100 pings per second? 10,000 per hour? How about using nMap? How many incomplete commands sent in a second? Per hour, per year? What else? An actual penetration? Placing a payload in a data stream? Copying information? Copying intellectual property?
I propose a non-static means of proposing definitions and then creating a fluid threshold… ten per second, 100 per second, 1 million per second. If the proposal has fixed data threshold points one can quantify, by this definition, an act of war in cyberspace. Who should host it? Government is the obvious choice but they do not have the incentive and certain they are way too scared to make any radical proposals like that. DARPA, IARPA? They seem obvious but lately they don’t appear to be pushing the envelope in the cyber world. DHS? As soon as I stop getting sick… I propose a University get the contract, preferably one here in Washington DC. I have the perfect person in mind to head up the program. Contact me, let’s see if we can make it happen.
The greatest drawback to this creating a definition with fluid thresholds is an ever increasing threshold. Reach the limit, raise the limit. Next?
Got anything better? Your ideas are solicited.
Related articles
- Pentagon Can Not Win a Cyberwar Claims Author (blogs.wsj.com)
- Cyberwar: The defense community can’t figure out how to define it. (slate.com)
- Cyberwar: Definition, Hype & Reality (livescience.com)
- Is Cyberwar Real or Just Hype? (techland.time.com)
- US and Russia “reset” their cybersecurity relationship (arstechnica.com)
Update: I just found this article which bears out my approach: Evolving threats driving security strategy & investing globally
Joel, thanks for the plug for the Cyber Commanders Handbook. In 2011 we renamed version 2 the eHandbook and only publish it electronically for the reason you stated. Version 3 should be available early next year and we will make sure you get a ecopy.
Interestingly enough, one organization that uses version 2 of the Cyber Commander’s eHandbook in their training program recently asked us if there was anyway we could update it quarterly. That would be a first a living eBook. I am not sure we can do quarterly but may be able to do it every six months.
Thanks, Kevin!
Your book is an excellent resource! This is a great leap in the right direction, otherwise it’s all conjecture.
I wrote this just for you. The law of Cyber-Warfare | Stuxnet change the face of warfare.
http://uscyberlabs.com/blog/2011/09/18/law-cyber-warfare-stuxnet-change-face-warfare/
We differ but I still stand by my original quote ..When someone is in your network your at war – when someone steal your identity your at war, when someone steals you intellectual property your at war.
Thanks, Richard!
I think I’ll agree to disagree at this point!
The link back should give you some hits
Your first mistake was getting into a discussion on a LInkedIn forum, Joel. Other than that, good article.
Thanks, Jeff.
As we have seen, the lexicon wars are killing us. We need a new way of making definitions so they don’t get in the way.