RSA 2011: Time To Prepare For Cyberwar?


The Internet is the latest battleground and the nation could be on the precipice of falling into a full-fledged cyberwar that threatens national security, warned a panel of security experts at RSA Conference 2011.

Whether it's Stuxnet, the Google hack or Wikileaks, the Web and the shift in cyber threats could essentially have created a new theater of war, said James Lewis, director and senior fellow, Technology and Public Policy Program, Center for Strategic and International Studies.

"Cyberwar. It's in the newspapers. And it's pretty tiring," Lewis told a room full of security professionals on Wednesday.

And as this war and new cyber threats continue to emerge, they have the potential to change the face of information security for the government and the private sector alike, as well as national security. But before the big red button is hit, it's important to define cyberwar, and determine if it really exists, Lewis said.

Former U.S. Secretary of Homeland Security Michael Chertoff said he's leery of the term cyberwar, and that a line must be drawn between the theft of information and espionage on the one hand and the destruction of systems and loss of human lives on the other.

Bruce Schneier, chief technology security officer at BT and security guru, agreed. Schneier said the term cyberwar is too loose. "It depends on who is attacking you and why they're attacking you," he said.

Still, Schneier said, the term war is sexy and the government's ability to push for budget to defend against a burgeoning cyberwar could be fueling the discussion and the hype.

"Overstating the threat is a good way to get people scared," he said.

Despite the definition, the consequences of a cyber conflict are real and can result in systems being taken out, market failures and other catastrophes. With that potential, it raises the question: "When you're attacked in cyberspace, who's protecting you?" Schneier asked.

Chertoff said current laws and policy are a poor fit for the cyber threats that loom. And the idea of a cyberwar is a grey enough area that it's difficult to determine who would be considered civilians, who would enforce the laws and the rules and who would be charged with protecting the public.

"The categories we're used to don't really work with this kind of threat," he said.

Regardless, the panelists agreed that protecting against a potential cyberwar requires both a change in technology and a change in policy to govern information security. And there won't be a one-size-fits-all solution.

"It's misleading to talk about a fix as if there's a simple solution and everyone will say 'ah ha, that fixes the problem,'" Chertoff said.

It is up to the government to incentivize companies and agencies to put protections in place to combat cyberwar, either by offering monetary incentives or the threat of fines and punishment for failure to fortify their systems.

"What we need are incentives to get companies to do the right thing," Lewis said.

Mike McConnell, executive vice president at Booz Allen Hamilton, said he fears, however, that it will take a catastrophe to spark a level of urgency and drive companies to protect themselves and the government to create policy.

Schneier suggested regulating results, not the technology.

Overall, however, Lewis said we're not yet engaged in a cyberwar, but it is indeed a threat that could come to fruition and it's time now to batten down the hatches and get prepared.

"We'd be foolish not to recognize that there isn't potential," Chertoff said, suggesting that the nation should be prepared to mitigate and defend against a cyberwar attack immediately.

McConnell added: "Do we go as far as creating a Department of Cyber? Maybe that's going a little too far."

Schneier suggested that high-level, open discussion between nations is also necessary to protect against the threat of cyberwar.

"We are making progress," Lewis said. "I don't know if we're making progress fast enough."