You may have seen a headline like this recently: “Risks of cyber war 'over-hyped' says OECD study”. Maybe you breathed a sigh of relief, or renewed your determination not to let the military-industrial complex scare people into ill-advised schemes to “protect” the Internet.
I scratched my head. I’m on record as thinking that Stuxnet clearly establishes the likelihood of cyberwar in the future. Stuxnet proved just how easy it is to sabotage a sophisticated control system with malware. Surely governments won't ignore the military advantage to be gained from cutting off electric power in an adversary’s territory. A moment’s thought shows that cyberweapons will be part of war for the foreseeable future.
So how can the OECD, a prestigious think-and-do-tank for thirty or so of the world’s richest nations, simply dismiss this likelihood as “hype”?
It wasn’t easy.
As far as I can see, the whole thrust of the report depends on the notion that "cyberwar" must be defined as something that happens only in cyberspace, and that such a conflict -- in which the combatants only use computers to attack each other -- is unlikely.
Okay, you might say, but what about cyberattacks by hostile governments on our electric grid using weapons like Stuxnet? Is that possibility "over-hyped"? Oh, that kind of attack, say the authors, that’s not cyberwar, that's just cyberweapons. And as for cyberweapons, well, the prognosis is grim: “It is a safe prediction that the use of cyberweaponry will shortly become ubiquitous.”
So when the lights go out, we can apparently draw comfort from the fact that we aren’t in a cyberwar, we’re just freezing in the dark because of cyberweapons.
What gives? Are the authors of the OECD report just fusty academics intent on enforcing peculiar distinctions that no one else shares? And did the press just fail to grasp the point about, you know, cyberweapons becoming ubiquitous soon?
Or was the report written to produce misleading headlines?
Here’s one clue: The word “over-hyped,” which the BBC headline puts in quotes, doesn’t appear in the report at all. That seems to be the spin put on the report by the authors after it was released.
Here’s another, in this quote from the report:
Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language.… Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.
The bolded sentence is the authors’ attempt to back up their claims of hype. Their target is probably Richard Clarke, who recently told NPR: “The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes.”
So why is this an exaggeration? Because, say the OECD authors, cyberespionage is simply a “technical method of spying,” while cyberwar is a war that's fought only in cyberspace. So Clarke is guilty of exaggerating because he doesn’t subscribe to the OECD authors’ weird and unintuitively narrow definition of cyberwar.
Worse, and almost laughably, the authors have entirely missed Clarke’s point about keystrokes. Here’s his full quote:
The difference between cybercrime, cyber-espionage, and cyberwar is a couple of keystrokes. The same technique that gets you in to steal money, patented blueprint information or chemical formulas is the same technique that a nation-state would use to get in and destroy things.
Clarke is saying, accurately, that anyone who can get into a system to steal money or secrets can cause the system to fail with a couple more keystrokes. That’s important, because everyone agrees that cybercrime and cyberespionage are rampant. If those things are easy and common, then it’s a near certainty that cyberwarfare will soon be easy and common as well. Of course, if they understood Clarke's point, the OECD authors might have acknowledged its force.
One last clue that there might be an agenda at work here: The authors are academics from Britain, with a pretty clear set of leanings. Here’s a line from one author’s online bio: “Since 1998 Dr Brown has variously been a trustee of Privacy International, the Open Rights Group and the Foundation for Information Policy Research and an adviser to Greenpeace, the Refugee Children’s Consortium, Amnesty International and Creative Commons UK.” Somehow, I’m guessing that not one of those organizations thinks that we should spend more time preparing for cyberwarfare.
The authors accuse others of "hype" and "heavy lobbying" to move the public. It sounds like those are topics on which the OECD authors have real expertise.
I was asked to comment on the OECD report today because of that "cyberwar is impossible" tone. I found this in the 121-page report:
"A pure cyberwar, that is one fought solely with cyber-weapons, is unlikely. On the other hand in nearly all future wars as well as the skirmishes that precede them policymakers must expect the use of cyberweaponry as a disrupter or force multiplier, deployed in conjunction with more conventional kinetic weaponry. Cyberweaponry of many degrees of force will also be increasingly deployed and with increasing effect by ideological activists of all persuasions and interests."
Not much to disagree with there!
-Stiennon
Posted by: Stiennon | Jan 17, 2011 at 09:19 PM
I haven't had time to come up with a fully developed, critique-proof classification of my own, but I would argue that the national risk from cyber-espionage has been vastly under-hyped. Who needs to blow up our remaining factories with kinetic weapons if they can just steal our intellectual property and compete them out of existence? It's cheaper and easier, less detectable, and maybe already a fait accompli, but the result is the same. We lose real world options and they gain them, solid steps toward loss of economic sov, and (as an afterthought) physical sov, when we're too weak to care any longer.
Also, now that the Stuxnet (cyber+kinetic) genie is out of the bottle, its re-use is coming soon.
Posted by: Frank Sudia | Jan 18, 2011 at 12:57 PM
Easy enough to figure; if you call it cyberwar, well, that implies sovereign states, intentional policy, attempts to interfere with the functioning of foreign governments, all the kinds of things that imply an armed response.
If it's just cyberweapons, well, anyone can use a weapon, right? That Hamas is launching Katyushas into Israel doesn't mean that Israel should send bombers to Moscow.
Posted by: DensityDuck | Jan 20, 2011 at 04:48 PM
I'll also point out that you don't need hackers to steal IP. The naivete of many businessmen would be charming if it weren't so damaging. My uncle talked about how easy it was to work with Chinese factories. I asked him how he was sure that they weren't stealing his designs and selling cheap knock-offs to the Chinese market. "Oh, we signed a contract saying they wouldn't do that!" :sigh:
Posted by: DensityDuck | Jan 20, 2011 at 04:50 PM