Cyber War's "Nuclear" Deterrent Identified
The verbal combat on whether the United States will win or lose a cyber war or whether we're in one will likely continue for the foreseeable future. But one of the leading cybersecurity thinkers in Washington, James Lewis, says pronouncements that we are in a cyber war or face cyber terror conflate problems and make effective response more difficult.
In a paper entitled The Cyber War Has Not Begun, just released by the public-interest policy group Center for International and Strategic Studies, where Lewis is a senior fellow, he writes:
"Expanded attention to cybersecurity is a good thing, but it seems that it is difficult to discuss this topic without exaggeration. We are not in a 'cyber war.'"
The rhetoric on cyber war grew louder last month when former National Intelligence Director Michael McConnell told Congress that America would lose a cyber war if one were held now. Richard Clarke, a security adviser to both Presidents Bush and to President Clinton, writes in a book to be published next month that a cyber war puts America at greater jeopardy than it does any other nation. White House Cybersecurity Coordinator Howard Schmidt, on the other hand, pooh-poohed the idea of a cyber war in an interview with GovInfoSecurity.com.
"Uncertainty about how much the Americans know and how good they are at attribution [the ability to identify assailants] makes attackers cautious. Fear of retaliation, including kinetic retaliation, for attacking the American homeland is a threshold that no nation has been willing to cross. Call this deterrence if you like."
At the core, Lewis writes, America faces four kinds of cyber threats: economic espionage, political and military espionage, cyber crime and cyber war. The one caveat to the dismissal of cyber-war hype is that the harm from espionage and cyber crime is often unseen and hard for citizens to recognize, he writes, adding:
"Some analysts believe that without exaggeration we may never see the United States take this threat seriously. Other analysts, even gloomier, believe we will not take the threat seriously until there is some cyber disaster, whatever that would be.
Lewis sees merit to these arguments, but danger, too, because the most likely results are either overreaction or miscalculation or a blasé dismissal of the risks. Neither is preferable.