Waging "War" Against the Cyber Threat

15 March 2015

For generations, academics in the fields of philosophy, linguistics, communications and culture have debated the nuances of metaphor and rhetoric. But for those of us with an interest in the realm of cyber security and its proper practice, perhaps the more important question on which to dwell is this: when does our use of a metaphor simply become the rhetoric?

At the crux of globally important issues, we find that public debate matters. Yet public debate too often occurs in an information vacuum – such as when a minimally-informed audience’s surface understanding of a metaphor or analogy hampers a truer, deeper understanding of the phenomenon itself. And so this article poses and begins to answer a provocative question: “What is the value of using a war metaphor to stoke public debate about cyber security?” I argue in three steps that the war metaphor, while provocative and tantalizing to some, may be detrimental to understanding the complex social and legal issues related to cyber conflict, and especially insider threat, that get overshadowed by the use of the term “war”.

To begin, let’s dissect the common vernacular of various metaphors used to define cyber security concepts. For instance, the term “cyberspace”, embedded in the popular lexicon for a decade or so, already implies a geophysical metaphor. For that matter, so does the phrase “the web”. Over time, we began to avail ourselves of other useful geophysical metaphors in discussing the “domain” we work in: “building a moat” around our systems or talking about “barriers to entry” and “back doors” and such; we didn’t want to “open the floodgates” to the bad actors; and Michael Wynne, in his capacity as U.S. Air Force Secretary, announced in 2006 that: “cyberspace is a domain in which the Air Force flies and fights”.

These early analogies helped the public understand effective cyber security regimes as mostly focused on protecting a “place” or “space” from unauthorized access. This initial geophysical metaphor applied because early efforts (pre-cloud, mostly) often included physical infrastructure security and information systems security as inter-related efforts. Such metaphors also seemed to simplify the virtual network complexity we were tasked with striving to protect, rendering it understandable. But it may also have over-simplified many of those same concepts in the mind’s eye, perhaps making the total effort seem deceptively simple.

As our security efforts improved to accommodate the increasingly complex nature of technical architecture, and as new global information security threats emerged, the geophysical metaphor was far too simplistic and incomplete. And so we turned to the world of science for help in describing this shift. The result: we were now dealing with “contagions” – “things were going viral” and we started to perform systems “health checks”. We needed to protect our systems from “viruses” by “cleansing” them and using “anti-virus” software to remain “infection-free”. We used “penetration tests” to detect “weakness” and “points of entry” into our systems and we began to practice “safe computing”. Almost instantly, the conceptual intrusion of the biomedical metaphor was complete. We had again prevailed in persuading the greater public that the systems-related protection tasks we undertake were as complex, serious and important as protecting their own health was – and worth significantly higher investments of time, energy and costs by organizations as a result.

One recent survey had these organizational costs growing in excess of 17% this year, as they have done for consecutive years. Again, this newer and more expansive metaphor seemed apt, and had a larger purpose and value for us. Yet it wasn’t long before it too seemed incomplete, lacking the ability to capture intent.

A virus, while inherently aggressive, still emerges from nature and spreads biologically through organic mechanisms to enable disease and, perhaps, death. But a computer virus is not that: it is computer code that has been manipulatively created by humans to disrupt or destroy systems, often in intriguingly targeted ways. This suggests the biomedical metaphor was also incomplete, as any chosen metaphor likely is. It could not adequately explain a deliberately aggressive act, not associated with nature itself but derived from the deliberately threatening posture and actions of a perceived enemy. And so, the hunt for a new metaphor was underway.

Cyber professionals then began embracing a war analogy to describe our work world. They made a case for “digital warfare” with “nation states” promoting “cyber terrorism” and lawless “bad actors” engaging in “offensive cyber” with the sole intent of destroying our way of life. There is “threat escalation” to contend with, and corporate “war rooms” to repel “coordinated attacks”, and apparently new “cyber weapons” being born in top secret labs by the government-endorsed military-industrial complex. There seems no end to the positioning of this latest metaphor in the natural trajectory of the public debate about cyber security, and many important public constituencies believe we are now engaged in a cyber war. Are we?

Is this leap of logic appropriate, and this metaphor helpful to our cause of securing our digital activity? I suggest not in its entirety. One wonders if such inflammatory rhetoric isn’t mostly self-serving in our quest to satiate an appetite for increased professional importance.

No doubt we can all agree that a “clear and present” online danger exists; but it is debatable if that translates to being “at war”. Let’s examine this more carefully: it is true that cyber weapons exist and have already been used offensively. A good example is the July 2010 “attack” on a nuclear facility in Iran by a computer virus called Stuxnet. Although no responsibility was ever admitted to, it was widely suspected to be an “act of cyber war” by either the U.S. or Israeli governments (or both). Neither of these countries was at war with Iran, so the attack was, at best, sabotage or subversive, but does not meet any traditional definition of warfare.

Historically, acts of war were politically motivated and perpetuated by nations against each other, and were transparently authorized and publicly undertaken. In addition, “war” always involved killing opponents. Were the adversaries “at war” in the Stuxnet case? Or was this act, while admittedly an authorized covert effort, more properly characterized as cyber espionage, subversion or sabotage instead?

Looking at conflict in the 21st century, we have to realize that much of the violence today is unconventional, meaning it is not nation against nation with inherent “rules of engagement” but instead groups of radicals that are often difficult to identify, such as terror sleeper cells around the world, or radicals hiding in plain sight among peaceful civilians. Such attackers exploit the weaknesses of those they oppose, and society’s near-total dependence on cyber connectivity has made it an appealing target for disruption. Terrorism is thus a better description for these acts than traditional warfare.

Online efforts to spread propaganda, court public opinion, and recruit to a cause appear to be a current rendition of typical war tactics, but their more insidious motive is terror and chaos, for which the term “cyber terrorism” is more accurate. These literal distinctions are critical because times of war demand ruthless, exceptional activity that often suspends the rule of law. But espionage and subversion are not – they are quite unexceptional, actually.

Consider the defensive side of cyber: the Chinese have built entire systems to “protect” themselves from the free flow of information, which they perceive as “threatening” their society’s stability. Many would draw parallels to defensive weapons systems, but again, there may be a flaw in this analogy because this is an attempt to restrict flows of information, regardless of the country of origin and not specifically tied to any one nation or set of nations in conflict.

More frightening, and perhaps the reason our field initially leaned towards adopting a war metaphor, is that the motives of the actors involved have changed. While the intent of cyber hackers was primarily economic gain through theft of intellectual property or online digital assets, we now see political, religious and other activist motives for cyber interruptions. What happens when the purpose of a conflict is not to win a war but to continuously wreak damage? This would call forth the less inflammatory but more accurate metaphor of “cyber terror”.

Questions arise when we extend this idea: for instance, when countries like China willingly lend state-sponsored assets to local efforts designed to steal economically valuable information from private companies, why shouldn’t western nations do the same? But practically speaking, what if that descends into governments helping their national companies steal corporate secrets from companies in other nations? What would this new cyber regiment look like politically and practically? So many questions…

While the nuances of these positions are clear to those charged with national security who regularly identify a growing list of nation states supporting, directly and indirectly, efforts to attack private and government computer networks, perhaps we are missing an important point. It may be more crucial that these definitional nuances are understood by our all-important broader public constituency if we want to address the real looming cyber threats to come.

The war analogy, while having some utility descriptively, would seem to tilt the public perception once again toward the presence of definable external threats with clear geopolitical motives and our need to vigilantly guard against them, winning at our expense.

But, as most of us have come to realize, the bigger and growing threat we face is not an external threat but rather an internal one – from a trusted insider. Does this mean we are at war with ourselves? This risk arises from sophisticated social engineering efforts, especially related to ethno-centric, religious and cultural targeting of like insiders to corrupt cyber security practices. There is no doubt that many groups will use any tactic to accomplish their objectives and that their conduct, whether online or not, is supporting terrorism rather than oft-stated loftier goals such as gaining or protecting religious freedom.

This intentional disrespect for the rule of international law may actually be the act of war. And the analysis of that dilemma most often leads to the uncomfortable conclusion that international counter-measures are necessary in order to prevail against these tactics. But do any of us believe an offensive cyber war alone could ever be a path to victory in such a situation? Or is the use of offensive cyber tactics only a potent adjunct to a multi-faceted war that any nation or hostile group might declare and execute?

So we are clearly not at war in cyberspace in any traditional sense. Can you imagine the resulting public outcry and outrage that would arise if an organization actively decided to use ethnic, racial or religious criteria to profile their employee base as a way to counteract the rising threat of social engineering by those same targets to harm us from the inside out? What if individual religious affiliation were seen as an inherent employment risk factor to be actively explored during the hiring process? This is an almost unimaginable conversation to have in many countries where notions of political correctness prevent meaningful conversation, not to mention that civil rights and HR laws in most countries prohibit any open use of such tactics. Yet those national laws cannot prevent the use of nefarious and seditious tactics against us offensively by others. If we were “technically” at war, would this loosen our range of response?

But we are not at war and so we can’t respond in kind. And caution demands that a thoughtful, transparent public debate must occur – and soon – to answer questions such as: What practical, legal, and ethical boundaries should govern the actions of cyber professionals globally?

I believe the metaphors we choose professionally, and the rhetoric they create, should be more nuanced and less inflammatory so that we get the result we all want: a truly safer online world. My theory is that this will only happen with educated public debate and coherent national action, and we can help or hinder that effort individually and collectively with a more considered and nuanced use of metaphoric language that, while perhaps still provocative, is also accurate.

James Norrie is the Dean of Business and Justice Studies at Utica College in NY, which has the only dually-accredited cyber security & cyber crime programs in the United States.
© FrontLine Security 2015