We cannot attack another country as a result of a cyberattack unless the attribution is clear, we need proof. We cannot call anything a cyber attack because it is not clearly defined. We do not have clear definitions of many issues in cyberspace, therefore we cannot act. This has been our mantra in the computer security world, the world of information security, of cyber warfare, of information assurance or… the list is exhaustive of what to call what we do. The fact is our US State Department cannot sign many treaties in cyberspace and we cannot establish a lot of cooperation because there is a lack of a definition or there is no established threshold for most of what we deal with. Part of that problem is that as soon as the ink dries, which is almost instantaneously, most of the conditions will change. More pings means there is either more traffic, more noise or it is an attack. As soon as we’ve decided, it changes. Everything must be black or white, 1s and 0s, off or on, up or down.
Washington DC and politics do not work that way. Every piece of legislation has a background, a nuance and/or a meaning – m0st of the time the public will never have a complete understanding of what the bill is all about. Backroom deals, backscratching, teaming, alliances, caucuses, committees, parties, friendships, history and unspoken meanings – they all impact every action by a politician. Freshman politicians are often accused of being naive and perhaps they are, but they will quickly have things explained to them and they will play the game or their political career will be as a first termer.
Someone questioned a cyber piece I wrote as being unduly politically biased and I agreed, much to his annoyance. When it comes to Washington DC, politics and politicians, cyber does not fit.
I suggest we consider alternatives to many of our 20th century conveyances. Instead of definitions we embrace Wiki-type definitions, which can change and all parties can add, change, delete or suggest alternatives. Instead of set standards we use 21st century tools, instead of a set number we can establish a dashboard, which all parties can suggest dynamic thresholds. We need to accommodate non-state actors in negotiations, laws and actions. We need to embrace new tools for our new environment.
Welcome to the 21st century.
- U.S. Lacks Adequate Defense Against Cyber Attacks, Experts Warn (huffingtonpost.com)
- McAfee, Intel working to protect energy utilities from cyber attacks (zdnet.com)
- Government role in Stuxnet could increase attacks against US firms – Computerworld (computerworld.com)
- Could Iran Wage A Cyberwar On The U.S.? (wnyc.org)
- Wag the Cyber Dog (imperva.com)