I've been mulling over writing a "cyber war" piece for several months - ever since Bejtlich started a series of posts last July on the topic, coupled with my reading of Richard Clarke's book, Cyber War. However, I've held off, mainly because I've been somewhat on the fence with the whole topic. On the one hand, yes, nation-states are conducting operations online, though they primarily fall under the heading of "espionage" and are not "attacks" per se. On the other hand, we have some suspicious situations (e.g., Georgia, Estonia, Google's "Operation Aurora," Stuxnet, Israel's bombing of the Syrian nuclear facility) that seem to clearly lean in the direction of being "cyber warfare" (or, offensive) operations.
Part of the problem I face in thinking about this topic is trying to separate the FUD-driven rhetoric from the realities of the current threat landscape. Those generals and politicians (one in the same?) behind the creation of the US Cyber Command provide a good example of hype and noise intended to generate false concern in order to further a clearly political agenda: formation and funding of Cyber Command. Ironically, all of this FUD highlights what is a clear problem: that the US Military is largely focused on offensive operations, neglecting the home front where we're most vulnerable (see my prior post "Missing the "Defense" In DoD?").
My conclusion, however, is that offensive operations that would qualify as "cyber warfare" are being conducted. These are offensive operations designed to steal information, plant misinformation, disrupt operations, and install back doors toward supporting future operations. Information or electronic warfare as concepts have been around for ages, and this extension into the so-called "cyber" realm is neither a stretch nor unrealistic. I think it's imperative that we all understand and accept the more generic notion that any form of offensive operation against online targets should be considered "cyber warfare."
And yet, not everybody seems to be understanding this perspective. My friend Raf recently wrote a post "Cyber War - Why It's Idiotic" in which he says that he and Marcus Ranum think this whole "cyber war" notion is stupid because there's no "destruction." Unfortunately, this really amounts to getting hung-up on semantic and dictionary games. Using a narrow definition of "war" like he has ignores that "information warfare" has been around for a very long time. The semantic nuance that I think gets missed (I certainly missed it originally - see my posts "Supposition and the Drum Beat of (Cyber)War" and "Cyber War and the Value of FUD") is the difference between a War (as in WWI, WWII, etc.) and warfare (i.e. offensive activities). Also, narrowly defining offensive activities then as only being things that are "destructive" is a bit disingenuous and misleading, since the term is itself a wee bit subjective. More importantly, many offensive operations (warfare) do not simply have the objective of "destruction," but rather seek to disrupt, interrupt, influence, steal, etc. Espionage, for example, is a key part of intelligence, which is a key part of military operations, and yet by your definition it would not be included (note I'm not talking about corporate espionage here).
Bejtlich has had several posts on the topic and, over time, I've come to agree with much of it, but not without struggling to come to grips with things a bit. It's worth reading it all. The rhetoric around "cyberwar" is absolutely idiotic, as is the almost-exclusive focus on offensive operations. That our critical infrastructure is completely exposed is nothing new, and it is absolutely a cause for concern. However, none of this is earth-shattering, nor is it really a "game changer" of any sort. We're not really seeing anything new, per se, just growth and maturity of attacks and various types of military operations. So, we have a new name for it - big deal! The simple fact is that nation-states are absolutely undertaking online espionage, snooping, and interference against each other. Oh, and btw, it's not just or adversaries, but also our allies. Anyway...
Check out Bejtlich's posts:
http://taosecurity.blogspot.com/2010/07/cyberwar-is-real.html
http://taosecurity.blogspot.com/2010/07/joint-strike-fighter-face-of-cyberwar.html
http://taosecurity.blogspot.com/2010/07/little-more-on-cyberwar-from-joint-pub.html
http://taosecurity.blogspot.com/2010/09/why-neither-us-nor-china-admits.html
http://taosecurity.blogspot.com/2010/09/why-russia-and-china-think-were.html
And then add in there a few references on Stuxnet, just for giggles (see my Stuxnet piece here). And then take a read through The New Yorker's recent article "The Online Threat: Should we be worried about a cyber war?". And then remind yourself that "There Is No "Win"". Finally, check out the CSO Online article "How Your Business Can Avoid Being Collateral Damage In A Cyber War" for some useful guidance on better protecting your assets.
