RSA: Defining Cyberwar And Rallying DefendersWe may not know exactly what cyberwar means but we know we have to work together to prepare our defenses.
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
General Keith Alexander, Commander of U.S. Cyber Command and Director of the National Security Agency, did not mince words in his keynote presentation at the RSA Conference on Thursday.
"Securing our nation's network is a team sport," he declared. "We all have to work together to make this happen. We need your help."
The word mincing occurred the day before, on Wednesday, during a panel discussion on the definition of cyberwar.
The panelists -- former Department of Homeland Security chief Michael Chertoff, former NSA Director and Director of National Intelligence Mike McConnell, and BT CTO Bruce Schneier, along with moderator James Lewis, Director of the technology and public policy program at the Center for Strategic and International Studies -- demonstrated a surprising degree of unanimity about the problems that come with referring to any computer-driven conflict as a cyberwar.
Chertoff acknowledged there's a difference between war and cyber threats, suggesting a line should be drawn between espionage and physical destruction. At the same time, he said cyber conflicts could produce consequences as substantial as the repercussions of warfighting.
Schneier observed that war is sexy term. "It's being talked up because that's what sells," he said. He also observed that overstating the threat was a good way for government agencies to secure funding, a claim that Chertoff and McConnell seemed to ready to challenge, though neither really engaged with a counter-argument.
Schneier pointed to comments made on Tuesday by Microsoft's Scott Charney as an apt description of the issue. Charney observed that security professionals face an ongoing problem trying to figure out who should respond to cyber attacks because they often don't know who is attacking and why. Is the attack coming from a foreign military, a criminal hacking group, a disgruntled former employee or meddling kids? Answering that question makes a difference in how the government or private sector organizations respond, but it's not always easy to come up with an answer.
Thus we have ongoing jurisdictional confusion and gaps in responsibility when it comes to cyber defense.
"The categories we're used to don't really work with this kind of threat," observed Chertoff, who argued that it's misleading to talk about a single fix. He advised breaking cybersecurity down into discrete problems, like protecting the supply chain and securing the financial system, rather than searching for a monolithic solution.
Schneier questioned whether war is really the right metaphor for cyber conflicts, noting that as a society we're terrible at actually declaring war during an armed conflict but too quick to do so when it's not really a war, like the "war" on drugs.
The problem with relying on war as a metaphor is that cyber defense isn't always delivered in the context of a war. "Things you'd accept during a war you wouldn't accept from the police," he said.
The consensus seemed to be that cybersecurity will require high-level policy initiatives to establish norms for dealing with the spectrum of cyber incidents.
"We're at the brink of a cyberwar arms race because we're not dealing with this at a high enough level," said Schneier.
McConnell suggested such policies will be driven by disaster. "Look at history," he said. "We wait for a catastrophic event then overreact."
Alexander, during his speech, clearly had a more proactive solution in mind. In keeping with the remarks of William Lynn III, Deputy Secretary of Defense, who spoke on Tuesday at the security conference, Alexander pushed for partnerships, for private industry to work with the public sector to protect critical infrastructure and networks. And he called for better education, in terms of academics and public awareness.
"We need to create, with your help, a public demand for secure technology," he said.
If there were any security vendors in the audience opposed to the idea of creating demand for their products, they did not make their objections known.