Analysis: Prepare for cyber war. But what does it mean?

Governments in the UK, US and elsewhere are prioritising cyber security as it becomes apparent that the internet can be a dangerous place. There is plenty of talk of cyber war, but little consensus as to what the term actually means.

There seems to be more agreement about what cyber war is not. According to IT security experts, cyber war is distinct from criminal activity aimed at financial gain, espionage aimed at commercial advantage, and espionage aimed at stealing information about military hardware.

Michael Chertoff, former US Secretary of Homeland Security, says IT security threats are best thought of as a spectrum of challenges ranging from theft to espionage, to destruction of data, IT systems and physical entities.

Lower-level attacks will be tolerated, depending on consequences, but there is a theoretical point at which the consequences will demand action from government, he says, although it is difficult to say where the shift occurs.

"What constitutes cyber war depends on scale and genesis," he told attendees of the RSA Conference 2011 in San Francisco.

But, says Bruce Schneier, chief security technology officer at BT, destruction alone cannot be used as a criterion for cyber war.

"In some instances, attacks that cause destruction may simply be some form of cyber criminal activity. Classifying an attack as being an act of cyber war depends on who is carrying out the attack and why," he told RSA Conference.

Despite the ambiguity of the term cyber war, Chertoff says it helps to underscore the risk by reflecting the severity of the consequences. Cyber attacks are not only about IT systems, but could conceivably result in the loss of life.

The good news is that while state actors are best equipped to carry out such devastating cyber attacks, they are the least likely to do so because of the power of other nation states to retaliate in kind.

But while there is a potential cold war situation of mutual power of destruction acting as a deterrent, the big concern voiced by most security experts is the potential of non-state actors to acquire such capabilities.

"The problem is that the world is used to the model where, except for criminal matters, force is dealt with by the state, but in cyber space, there are no bystanders because attacks are taking place on the networks and computers of individuals, so the familiar categories no longer fit," says Chertoff.

The other problem is that there is no single fix, he says, because threats to supply chains, insider threats and network attacks all require different remedies.

For this reason, there has to be an appropriate legislative framework, says Mike McConnell, executive vice-president at consultancy firm Booz Allen Hamilton.

"We need to understand the vulnerabilities to business and the global economy and then ensure we have measures in place to mitigate the risk," he told RSA Conference 2011.

Schneier suggests the inflexion point may be the point at which the market will not mitigate the risk.

Business will secure against risk up to the value of the business, but no further, he says, and that is the point at which government will have to take over to fill the gap.

But, says McConnell, history has shown that governments typically wait for a catastrophic event before taking action.

Chertoff suggests the problem should be tackled one step at a time. Rather than trying to solve it all at once, stakeholders should identify specific problems such as insider threat or threats to the supply chain and then find ways to mitigate those risks.

McConnell says the publication of thousands of secret US diplomatic cables by whistleblowing site Wikileaks highlighted the issue of insider threat.

"Public and private organisations have to start thinking about disaffected people on their networks who may want to compromise those networks or information stored on them for their own purposes," he told RSA Conference 2011.

Lessons ought to be learned from the use of cyber attacks in Estonia in 2007, says Chertoff, and governments considering smart grids should ensure they are using IT architectures that are conducive to security, and enable compartmentalisation akin to the watertight compartments in warships.

"It would be foolish not to recognise that we could get into a cyber war, because there is no doubt cyber will be a domain of conflict in any act of war that will be capable of destroying systems and will not be dealt with by market forces," he says.

It is important for governments to consider, in such a situation, what they are capable of doing and what they are authorised to do, says Chertoff.

McConnell agrees that a cyber element is likely to be a part of any future kinetic war, as demonstrated during Russia's incursions into Georgia in 2008.

It is conceivable, says Schneier, that in future conflicts, cyber attacks may be the first wave of aggression that will be followed by air attacks and ultimately military action on the ground.

In the face of cyber war, says Chertoff, it is clear that governments need to resolve who is responsible for what, as well as put in place policies on what would be a reasonable response to cyber attack.

McConnell believes informed dialogue and debate should be directed at encouraging governments to address these issues before it is too late, but Schneier says the concern is that this debate is taking place too far down the command chain.

There is also too much risk that experimental cyber weapons may be unleashed on the internet by accident, says Schneier, and that is why there is a need for international agreements and treaties.

At the very least, there should be agreements that create an obligation to give warnings of such threats and attempt to disable them, says Chertoff.

If there is any consensus around cyber war, it is this: Although the term is over-used and over-hyped, the threat is real - Stuxnet has proved that physical damage can be caused by cyber attack - and governments ought to be preparing an appropriate defence capability.

But, according to the US government and military, while the public sector is doing all that is possible from its side to secure cyber space, the private sector has an important role to play as well.

"We need the help of [the IT] industry because cyber security is a team sport that brings together government, industry and international allies," General Keith Alexander, commander of US Cyber Command told RSA Conference 2011.

US deputy secretary of defence, William Lynn, also called for greater collaboration between government and the private sector in tackling cyber threats and appealed to the information security industry for help in developing technology to ensure government and business stay ahead in the cyber arms race.
