AusCERT2013: Cyberwar of words

Powered by SC Magazine
 

Conventional warfare isn't cyber.

Flip through the cyberwar headlines over the last decade and you'll find that governments and members of the cybersecurity industrial complex have taken to using terms like 'active defense', 'maginot line', and 'preemptive warfare'.

These are phrases borrowed from conventional warfare that Tenable chief security officer Marcus Ranum says don't make sense in network-centric warfare.
AusCERT2013

"That's really the problem in a nutshell," Ranum says. "The terminology that gets used for cyberwar doesn't really map at all - it just seems to. There's a danger in accepting that the terms map when they really don't because it amounts to obscuring the real situation by talking in terms of analogy."

He's not being a linguistic puritan; he's concerned that if the industry doesn't use the wealth of technological terms already available, then it risks confusing the highly contentious issues in cyberwar which could lead to dire mistakes.

"When we allow our vocabulary to deny our actions, it makes it much easier for unhealthy choices to be made," he says.

He singles out an offender in the phrase 'active defense'. This concept is rooted in maneuver warfare that is essentially dependent on a defender's units being quicker and more agile and their command and control to be superior than their enemy in order to facilitate the defence of a larger area by fighting while falling back.

In cyberspace, you can't stage a fighting retreat. So the analogy falls over.

"When you dig beyond the details of the bad analogy it starts to sound like what's really being discussed is no 'active defense', it's 'offense' or 'pre-emptive attack'," he says.

'Pre-emptive attack' is also misused Ranum says because you can't "meaningfully pre-empt an attack".

The discourse may highlight that public perceptions on cyberwar are being manipulated. And if those behind the rhetoric want to promote a position on cyberwar, such as the need to attack an entity before it launches an attack of its own, then it should be discussed in terms that are open and frank.

Self-licking ice cream cone

Ranum sees a rising cybersecurity industrial complex as a threat to the security community because the creation of offensive tools puts pressure on those working to defend against them. When the defensive side catches up, then new offensive technologies are needed.

"This is certainly happening at the expense of the security industry: those of us on the purely defensive side are going to have to deal with the offensive contributions of our peers, backed by government money," Ranum says.

"We learned a few things from Stuxnet: namely, that professionalised weapons are being developed and they work. It's a virtual certainty that Stuxnet was developed by people who consider themselves to be computer security practitioners."

The advancement of the offensive side of security deserves to be thoroughly considered, and this includes the use of cyberwar rhetoric. Ranum for his part has devoted the last half decade to raising awareness on the issue.

"There are a lot of people that are cheerfully building 'big brother' for the governments, or encouraging the militarists to weaponise cyberspace; that's why I'm concerned that we not allow our vocabulary to become corrupted in the service of militarism."

Copyright © SC Magazine, Australia


AusCERT2013: Cyberwar of words
 
 
 
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1117

Vote