Establishing the rules of engagement around cyber war should be a top priority for governments, says Michael Chertoff,...
former US secretary of homeland security.
People around the world need to understand the rules the of the game so they know what action will evoke what response, he told the RSA Europe 2010 conference in London.
"Failure to do so could result in an event so catastrophic that we will not be able to shrug it off," he said.
Although not quite at the same level, he said, the threat of cyber war demands that we define a strategy in the same way we did in the 1950s to deal with the nuclear threat.
"The nuclear strategy of deterrence made it clear to potential aggressors that other nuclear powers would respond in kind," said Chertoff.
The consequences of attack are well-defined in the physical world, he said, but they are poorly defined in the cyber world.
Without a doctrine, everyone is left to guess and we are in a state of uncertainty, said Chertoff, and uncertainty is one of the greatest threats to peace.
"We need to develop a set of rules soon to begin the process of stabilising the situation," he said.
For example, said Chertoff, we can agree that if an attack is on critical infrastructure and that lives are in danger, the target has the right to disable the attacking platform.
It follows, he said, that countries are far more likely to police platforms within their borders in that situation than if there is no obvious consequence for not doing so.
"By setting rules, we can adjust incentives to make countries take responsibility for what is going on within their borders," he said.
But the consequences should be proportional to the attack, said Chertoff.
"While theft is bad, murder is worse, and the first could not justify action against a whole country, while second would," he said.
To establish this set of rules, said Chertoff, countries have to look at the threat, decide what the doctrine should be, and see if that is supported by law.
Where commonalities with other countries exist, he said, this would be the basis for international treaties.
"Countries could agree on zero-tolerance for attacks on air traffic control systems and financial trading systems, for example," he said.
Another important reason for establishing these principles, said Chertoff, is to enable technical innovation to ensure greater security.
"People can't innovate unless they know what they are trying to achieve," he said.
The time has come to lay down a direction of innovation, said Chertoff, with at least five principles to consider.
All stakeholders should think about moving to networks within the internet for which authentication and responsibility are the price of entry, developing rules about active defences, architecting a system that makes doing the right thing easy, certifying hardware and software as threat-free, and making all critical systems extremely resilient.
Government definitely has a role to play, he said, not in policing the internet, but in setting best practices, sharing network defence capabilities with the private sector, and driving positive change as a big customer of IT.
Chertoff called on IT professionals to unite to form the critical mass required to get organisations and government to move forward on building a doctrine for cybersecurity in the 21st century.