There has been much discussion lately about “cyberwarfare”. This article “US Should go on Cyber Offensive” in the BBC represents the typical media slant on the issue…
A US Air Force officer has told the BBC that his country should create an offensive botnet to target any forces that launch a cyber-attack against it. Speaking on Radio 4′s The Report, Col Charlie Williamson said the US was currently in “defensive mode” on cyber-warfare and that needed to change.
This concept has been proposed publicly before by Col. Williamson as reported in the Armed Forces Journal “Carpet Bombing in Cyber Space“, which I blogged about at the time (here), in the article Col. Williamson stated…
The world has abandoned a fortress mentality in the real world, and we need to move beyond it in cyberspace. America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.
Of course this has caused a tsunami of navel-gazing through the information security digerati as they opine about the ridiculousness of an offensive botnet. From the perspective of information security, and those that deal with cybercrime, the concept has many drawbacks – both logistical and technical – both political and commercial – and could easily be abused.
But regardless of one’s stance on the technical validity of a military grade botnet what is more interesting to me is the amount of misinformation that is being generated on the topic of ‘cyberwarfare”. There is no doubt that we live in a highly connected and economically interdependent world. The dynamics and technologies of warfare have changed dramatically over the decades, but the realities haven’t; War is hell.
There is no Skynet. There is no digital chess board where real military conflicts are played out only in bits and bytes. Cybergeddon is not upon us. A cyber attack is not one of the top 3 most critical threats we face behind nuclear war and a bomb in one of our major cities (here). Warfare today is still a very human experience even though future military conflicts will include cyber targets, but they will still be military conflicts. Perhaps this has been an argument of semantics among those who argue what military policy should be in relation to cyber assets or critical infrastructure, perhaps, but I would suggest that there are four fundamental concepts that must be understood before one can even engage in a conversation on cyberware:
1. It is highly unlikely that we would experience warfare isolated only to the digital realm, if it was truly warfare it would be evident to all that there was a military conflict in action, and if warfare was purely “cyber” then technology, as we know it today, would be radically different.
2. IT security professionals generally lack the military and political expertise to make policy decisions on “cyberwarfare”, however some of them are quite qualified to discuss cybercrime.
3. Cyberwarfare and cybercrime are fundamentally different and require, in many cases, drastically different approaches.
4. It serves little purpose to continue the policies of misinformation, propaganda, and fear inciting that we currently seem to be embracing.
My grandfather fought and died in Korea, my uncle was a US Naval Doctor, my step-father served this country as a member of the intelligence community during the cold war and my brother has been entertaining our troops as an active member of the USO tour for many years.
As for me I have never served in our armed forces, I have never stood face to face against an enemy in defense of our country, I have never had to make a life or death decision where the outcome impacts hundreds of thousands or millions of lives. I have nothing but the greatest admiration for those that have sacrificed on behalf of our freedoms and for those that have had to make the decisions that can drastically change the dynamic of an entire generation.
At the end of the day all any of this means is that I, like so many of my peers and colleagues in the information security industry are not adequotely informed, nor do we possess the requisite experience to decide in what fashion the military should respond to protect our nations interests. But we can all have an opinion and there are many to thank for that.