DeepSec 2012 Talk: Wargames in the Fifth Domain
We asked Karin Kosina to illustrate her talk “Wargames in the Fifth Domain”:
“This is a pre-9/11 moment. The attackers are plotting.”
These are the words of U.S. Secretary of Defense Leon Panetta addressing business executives on the dangers of cyberwar two weeks ago in New York. And just in case this did not leave the audience scared enough, Panetta also warned about the possibility of an upcoming “cyber-Pearl Harbor”. A massively destructive cyberwar, it seems, is imminent.
Or is it? Is the world really on the brink of cyberwar? Time to panic and hide in our cyber shelters? – Well, I think things are slightly more complicated than that.
Before you dismiss me as a peace-loving hippie who views the world through rose-tinted glasses: There is no doubt that our emerging information society faces serious information security threats. There is no doubt that state actors are behind some of these threats. What I do doubt, however, is that invoking the spectre of Cybergeddon will bring us any closer to meaningfully dealing with these threats.
I think it is high time to take a critical look at the whole cyberwar debate. The majority of incidents that are usually brought up in this context are, in fact, not acts of cyber warfare but rather acts of cyber crime. And cyber crime is just that: crime, which is properly addressed within a civilian – not a military – framework. That does not mean that these incidents are not serious. But an act of, say, industrial espionage, no matter how grave the resulting monetary damage, is still an act of industrial espionage. It is not an act of war.
This is not idle nitpicking over semantics. How we frame the debate determines the potential outcomes and solutions. This is why it is so crucial to carefully differentiate between various incidents, perpetrators, and scenarios. What is an act of war? What would an act of war look like committed “in cyberspace”? What is the appropriate response – and what is not? In the absence of definite attribution, how can we even make that call? And if a serious incident is not an act of war, what is it, and how shall we deal with it? None of these questions can be meaningfully answered in a simple way, let alone a simplistic one.
Those of you who know me know that I do not often agree with former NSA Director Michael Hayden. But he did say something very pertinent about cyberwar: “Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon.” I could not agree more. It is my hope, then, that my talk can bring at least a bit more clarity and understanding to this debate.