Last night I attended a panel discussion entitled, “Cyber-Terrorism/Warfare – The Emergent Threat: Strategies for Survival” at Boston University. While the cyber threat is not a new one, it is something that the intelligence community and the Department of Defense have more recently become invested in examining in some depth. One of the first questions raised to the panel involved defining the problem. What is the difference between cyber-crime, cyber-terrorism, and cyber-warfare? To give my own humble two cents, it would seem that the distinction is the same as in conventional operations. What distinguishes between criminal acts and terrorist attacks is the end goal. In crime, the action, for example robbing somebody, is the end goal. The point is to get the money. In terrorism, the end goal is beyond the intended target. There is a political message inherent in the act that is targeted at an audience beyond the victims. Additionally, cyber-warfare would also have a political motive, and to quote Clausewitz, the action would simply be a continuation of politics by other means. To make the distinction between cyber-warfare and cyber-terrorism, it would matter what the intended target was. Terrorism is usually distinctive from war because it targets noncombatants, or individuals not in a "declared state of war". Therefore, the attacks against the Marine barracks in Lebanon in 1983 that killed more than 200 servicemembers was considered terrorism, because the barracks, while being a military target, was housing Marines that were part of a peacekeeping force in the country, and therefore, not in a declared state of war.
The tricky part comes in when one tries to attribute a cyber-attack to a particular actor. Dr. Leonid Reyzin, a cryptology expert stated that our best defense against an attack is to harden our systems. Many government systems do not employ state-of-the art cryptology mechanisms (e.g., many sensitive systems currently use one password for numerous people). Additionally, he pointed out that life-critical systems, systems that if comprised could result in loss-of-life, should be completely disconnected from business networks altogether. He gave an example of a computer virus that spread through email systems, and eventually infected the business system of a nuclear power plant. Due to the fact that the power plant’s business system and critical systems were on the same network, the virus comprised and actually shut off the safety mechanisms of the plant.
Arthur Hulnick, a veteran of 30+ years in the intelligence community, stated that resources to address the cyber threat would best be spent on hiring the best and brightest people. He added that there were too many hurdles to hiring the right people in the intelligence community due to security concerns. Reliance on the polygraph and issues with traveling abroad or having foreign connections (despite the fact that you want bi-cultural or foreign language speakers that often have spent time in these places) prevent people from contributing to the effort.
Another question that was brought up to the panel involved the development of cyber-warfare doctrine. How can one reliably develop a strategy for engagement when there is the issue of attributing an attack to a particular state or actor? Is there a proportional response? Does one respond with offensive cyber capabilities against a country that may not have known their systems were breached? Is there a way to declare this policy for deterrence purposes? Joseph Wippl, another career CIA officer, stated that a robust international effort to share information and best practices would be the best preventive defense against cyber attacks. Dr. Robert Popp, a former DoD official in OSD and DARPA, stated that resources would best be allocated to develop offensive capabilities that could overwhelm our adversaries, hopefully providing some level of deterrence.
Overall, it was interesting and informative evening however, it seems that while there has been much discussion on the subject, there are many more questions than answers.