Exploiting the Term CyberattackMaking the IT Environment Seem More Dire than It Is
"This is wrong on so many levels that it almost defies analysis," James Lewis, senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, says in an article posted on the CSIS website. "A more precise accounting would show that there have been no cyberwars and perhaps two or three cyberattacks since the Internet first appeared."
Lewis, a member of GovInfoSecurity.com's advisory board, characterizes nearly all reported cyberincidents as annoyances, crimes or spying. The only incidents he deems as cyberattacks would be those that cause physical damage or disruption of critical services, such as Israel's alleged digital assault to disrupt Syrian air defenses and the Stuxnet attacks that crippled Iranian centrifuges believed to be used to produce nuclear-weapon-grade plutonium. "A better way to identify an attack is to rely on 'equivalence,' where we judge whether a cyberexploit is an attack by asking if it led to physical damage or casualties. No damage, no casualties, means no attack," Lewis says.
No damage, no casualties, means no attack.
Most of earlier discussions on the usage of cybersecurity language have centered on the term cyberwar. In an interview I had last year with Howard Schmidt, the White House cybersecurity coordinator questioned whether such an event could exist (see Howard Schmidt Dismisses Cyberwar Fears). "A cyberwar is just something that we can't define," he said. "I don't even know (how a) cyberwar would benefit anybody. Everybody would lose. There's no win-lose in the cyberrealm today. It affects everybody; it affects businesses, it affects government, so number one, there's no value in having one."
The Kinetic Connection
Others believe cyberwar can exist, but only as part of a wider, kinetic war. "Not everything that happens in cyberspace is an act of war," said James Miller, principal deputy assistant secretary of defense for policy (see Placing Limits on Cyber War). "As we think of the role of cyberspace in supporting military operations, and the role of cyberattacks as ... the front-end of a kinetic military attack, then we would think about the potential for responses that are not limited to the cyberdomain."
When I spoke last year with Richard Stiennon, author of Surviving Cyberwar, he differentiated cyberwar from cyberattacks (see Cyberwar: Defining It, Surviving It): "When we see these types of attacks in conjunction with a kinetic attack, then it has passed the gateway, to me, to be accepted as cyberwar, and obviously that occurred Aug. 8, 2008."
What happened that date? Russia invaded South Ossetia, a breakaway part of Georgia. But Lewis dismisses that intrusion, as well as the one Russians staged against Estonia in 2007, as a cyberattack:
"The Estonian incident had a clear coercive purpose, and it is worth considering whether the denial-of-service exploit against Estonia could have become the equivalent of an attack if it had been extended in scope and duration. The exploits against Georgia, while undertaken with coercive intent and closely coordinated with Russian military activities - and a useful indicator of how Russia will use cyberwarfare - did no damage other than to deface government websites."
It seems Lewis defines cyberattack the way others describe cyberwar, a component of a broader kinetic war. "Cyberattacks will likely be used only in combination with other military actions, but they will be part of any future conflict," Lewis writes. "We can regard them as another weapons system, with both tactical and strategic uses, similar to missiles or aircraft that can be launched from a distance and strike rapidly at a target."
I'm with Lewis in his definition of cyberwar, but I'm not sure about his narrowly focused use of cyberattack. Still, when using the term cyberattack, we must be clear what we're addressing.
A newspaper website report last week about a breach that took down the website of the Pacific Northwest National Laboratory (see Cyberattack Shutters Energy Department Lab) cited a lab spokesman as saying the lab's external computer network receives 4 million cyberattacks a day. Perhaps the network receives 4 million daily probes that aren't authorized, but attacks? No way.