Too often, journalists, politicians, and security professionals are quick to declare ‘cyber war’ at the earliest signs of hacking or intelligence gathering between opposing states. True war consists of tragedy and tangible, kinetic impact. It involves injury and death, not just an exchange of information.
It has become increasingly difficult to read the news without spotting alarmist headlines such as, ‘Cyber 9/11’, ‘Cyber Pearl Harbor’, and ‘Hackers: 21st century nuclear weapons’. It is time that we ratchet back the hype, take an honest look at ourselves, and ask: “When did it become acceptable to equate actions that do not cause loss of human life to war?”
I am not the first to hold this viewpoint. In 2010, Howard Schmidt, former cybersecurity coordinator and special assistant to President Obama, declared in an interview with Wired magazine, “There is no cyberwar… I think that is a terrible metaphor.”
In February 2012, Thomas Rid, a reader in War Studies at King’s College London and expert in technology, deterrence, and cybersecurity, published a paper in the Journal of Strategic Studies titled, ‘Cyber War Will Not Take Place’. In the paper, Thomas asserts that never has an act labeled “cyber warfare” met the criteria for what the world considers an actual act of war. He explains, “In an act of cyber war, the actual use of force is likely to be… [a] complex and mediated sequence of causes and consequences that ultimately result in violence and casualties.”
Despite such sentiment, the security community continues to propagate hyperbolic terminology. A Google search for the term “cyber war” and its synonyms returns an impressive 8.5 million results.
In 2013, I propose that we retire this inaccurate and insensitive language. In its place, we should use phrases that more sensibly describe the nature of events. While expressions such as “cyber campaigns” are inarguably less dramatic, frankly, so is what we’re talking about here when compared with actual war.
At Sophos, we avoid scare-tactic messaging and negative imagery such as locks or tentacled virus-like cartoons intended to scare enterprises into adopting our security offerings. We have too much respect for our customers to do so and take our responsibility as security professionals very seriously – central to which requires providing an accurate assessment of the threat landscape.
While advocating that we adjust our language, I don’t mean to suggest that we lessen our diligence. Threats on critical infrastructure and enterprise networks are very real and not to be taken lightly. But the next time a nation is caught cyber-spying or meddling with the effectiveness of an industrial site, let’s keep its true impact in perspective and remain mindful of the way in which we report it. Would such actions cause the same devastation as a true act of war? It is highly unlikely and, accordingly, is inappropriate to label as such.
My grandfather was shot twice in World War II and was preparing to ship off to the Pacific theatre at the time the war ended. I don’t imagine he would compare Stuxnet to the experience he had defending freedom. For that reason alone it is time to stop. We should think better of our veterans.
As much as it might make me feel important to imagine Sophos as the one company capable of separating the world from ‘cyber Armageddon’, I know that, in actuality, the world is far from it – and that’s a good thing.
Chester Wisniewski is a senior security advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. Since joining Sophos in 2003, Wisniewski has worked exclusively in security-related engineering work. He previously served at Fortune 500 organizations as a sales engineer, security consultant and network architect. In his current post, Wisniewski works closely with SophosLabs to study threats in-depth and provide informational seminars, blogs and other publications to customers and the public on securing their networks and data against evolving threats.