Are We Engaged in a Cyberwar?

Credit EligibleAs a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

America is under virtual attacks, with key government, military and private-sector information systems being assaulted from abroad. But none of that means we're experiencing a cyberwar.

That's the reckoning of James Lewis, senior fellow at the public-interest policy group Center for International and Strategic Studies. "Spying and crime are not acts of war," Lewis said at last week's panel discussion - Cyberwar: Is Congress Preparing for the Common Defense? - at the State of the Net Conference sponsored by the Advisory Committee to the Congressional Internet Caucus. "I don't think we have seen a case of state-versus-state cyberwarfare. "

What would cyberwarfare entail? Some experts suggest that cyberwar - like kinetic war - must cause significant damage and disruption to critical physical infrastructures and human casualties, including deaths.

"We have not seen this type of kinetic attack. That does not mean that it won't happen if we get into a conflict with an advanced opponent," Lewis said. "They have done the reconnaissance, they have done the planning, they have built the tools to let them disrupt things like critical infrastructure. This will be part of warfare in the future. But we're in the stages before cyberwarfare. We are in the stages of people poking around. They're trying to figure out what are the rules, what are the thresholds, what's the other guy up to."

Conventional war has rules, and Congress should address the legal structure of cyberwarfare. "It's not like we're writing on blank slate here," said Greg Nojeim, senior counsel at Center For Democracy and Technology, a not-for-profit group that advocates a free and open Internet. "There are rules of war that would have to follow if there was an (cyber) attack."

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

Nojeim said the response to a cyberwar assault must be on a military target and have a military necessity. "You have to distinguish between combatants and noncombatants; your response has to be proportional to the attack," he said. "The whole area is very complicated and difficult to figure out what to do. I think that we ought to talk a lot more and focus a lot more on the defensive side than offensive side. We're not going to have so much clarity on the offensive side to act with the kind of authority you normally see in a military campaign."

Lewis said current laws governing warfare should apply to conflicts in cyberspace. "We just have to figure out how to apply them," he said.

The panelists differed on the strategy of cyberwarfare, with Nojeim favoring the United States take a more defensive posture, with Lewis calling for a combination of defensive and offensive capabilities.

Nojeim said the nation should harden its defenses to combat the threat of cyberwarfare. The current state of technology makes it difficult to identify with certainty the motive of an attack, where it originated or who launched it, he said. "We're not sure what's being seen is an attack or whether it's espionage," Nojeim said. "If it is an attack, we don't know for sure if it is a state actor or somebody else. And if we respond with attack, what collateral attack would be on us, on civilians in the country where we think the attack came from but are not sure and civilians in other places? So there is all of this uncertainty of what happened and what we should do about it."

Lewis said the United States had tried a defense-focused approach before, in the 1890s, when the government positioned the Navy only for coastal defense, which he characterized as a dreadful and utter failure. "A defense-only approach doesn't work," he said, adding that an offensive deterrence, like in the physical world, can act in the virtual world as well. "We have a (military) cyber command; how do we use it to increase deterrence? How do we take the offensive capability we have built and use it against some of these advance opponents, use it against other opponents. But we have to do it in the context of oversight and law and chain of command. I don't think a colonel or a two-star or even a three-star should be authorized to launch some sort of cyber attack. This is a big deal. Who makes the decision right now? It's not clear."

Nojeim agreed that Congress must define cyberwar-making powers. "When you look at the war-making power of the Constitution, the president has certain authorities as commander-in-chief; he's the one who decides how war would be waged. Congress is supposed to decide whether a war would be raged."