You may have seen a headline like this recently: “Risks of cyber war 'over-hyped' says OECD study”. Maybe you breathed a sigh of relief, or renewed your determination not to let the military-industrial complex scare people into ill-advised schemes to “protect” the Internet.
I scratched my head. I’m on record as thinking that Stuxnet clearly establishes the likelihood of cyberwar in the future. Stuxnet proved just how easy it is to sabotage a sophisticated control system with malware. Surely governments won't ignore the military advantage to be gained from cutting off electric power in its adversary’s territory. A moment’s thought shows that cyberweapons will be part of war for the foreseeable future.
So how can the OECD, a prestigious think-and-do-tank for thirty or so of the world’s richest nations, simply dismiss this likelihood as “hype”?
It wasn’t easy.
As far as I can see, the whole thrust of the report depends on the notion that "cyberwar" must be defined as something that happens only in cyberspace, and that such a conflict -- in which the combatants only use computers to attack each other -- is unlikely.
Okay, you might say, but about cyberattacks by hostile governments on our electric grid using weapons like Stuxnet? Is that possibility "over-hyped"? Oh, that kind of attack, say the authors, that’s not cyberwar, that's just cyberweapons. And as for cyberweapons, well, the prognosi is grim: “It is a safe prediction that the use of cyberweaponry will shortly become ubiquitous.”
So when the lights go out, we can apparently draw comfort from the fact that we aren’t in a cyberwar, we’re just freezing in the dark because of cyberweapons.
What gives? Are the authors of the OECD report just fusty academics intent on enforcing peculiar distinctions that no one else shares? And did the press just fail to grasp the point about, you know, cyberweapons becoming ubiquitous soon?
Or was the report written to produce misleading headlines?
Here’s one clue: The word “over-hyped,” which the BBC headline puts in quotes, doesn’t appear in the report at all. That seems to be the spin put on the report by the authors after it was released.
Here’s another, in this quote from the report:
Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language.… Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.
The bolded sentence is the authors’ attempt to back up their claims of hype. Their target is probably Richard Clarke, who recently told NPR : “The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes.”
So why is this an exaggeration? Because, say the OECD authors, cyberespionage is simply a “technical method of spying,” while cyberwar is a war that's fought only in cyberspace. So Clarke is guilty of exaggerating because he doesn’t subscribe to the OECD authors’ weird and unintuitively narrow definition of cyberwar.
Worse, and almost laughably, the authors have entirely missed Clarke’s point about keystrokes. Here’s his full quote:
The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes. The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things.
Clarke is saying, accurately, that anyone who can get into a system to steal money or secrets can cause the system to fail with a couple more keystrokes. That’s important , because everyone agrees that cybercrime and cyberespionage are rampant. If those things are easy and common, then it’s a near certainty that cyberwarfare will soon be easy and common as well. Of course, if they understood Clarke's point, the OECD authors might have acknowledge its force.
One last clue that there might be an agenda at work here: The authors are academics from Britain, with a pretty clear set of leanings. Here’s a line from one author’s an online bio: “Since 1998 Dr Brown has variously been a trustee of Privacy International, the Open Rights Group and the Foundation for Information Policy Research and an adviser to Greenpeace, the Refugee Children’s Consortium, Amnesty International and Creative Commons UK.” Somehow, I’m guessing that not one of those organizations thinks that we should spend more time preparing for cyberwarfare.
The authors accuse others of "hype" and "heavy lobbying" to move the public. It sounds like those are topics on which the OECD authors have real expertise.