A great many people (expert and layman alike) have been fighting a war on Cyber Warfare semantics these last few months. Some argue that Cyber Warfare is really nothing more than cyber espionage, others even completely dismiss the notion that Cyber Warfare exists. Regardless of your opinion, Cyber Security in general and Cyber Warfare specifically are the talk of the town. Books are written, blogs are typed up and experts roar their opinions from every soapbox they can find. But whats the point?
Cyber Warfare only covers military networks
Every security expert worth his salt will agree with the simple
statement that Networks- and Systems security permeates every aspect of
today’s society, and it is woefully underappreciated. Everyday life is
controlled by all kinds of systems that find themselves connected to the
internet, whether they should be or not. To think that this fact has
gone unnoticed by military leaders all over the world is simple folly, and it is demonstrably false. Based
on books about asymmetrical warfare such as Unrestricted Warfare (Q.
Liang & W. Xiangsui, 1999), there is much to say about targetting
civilian systems during times of war, and so it would be unwise to think
that only military networks would be targets during a cyber war.
Cyber Warfare is really just Cyber Espionage
Some people argue that Cyber Warfare is just digital espionage, and at
best we could call it Cyber Espionage. This is probably based on China’s
numerous cyber espionage operations, but to think that this is the
limit of what cyber warfare can do is naive. Even though there is no
definitive proof -always a key issue in everything cyber- that it was
Russia, those DDoS attacks on Georgian government websites at the same
time their tanks came rolling across its borders were timely to say the
least. It could also certainly be argued that Stuxnet was politically
motivated. Seeing as how War is the “continuation of Politics by other
means”, this means it falls within the realm of cyber warfare.
Cyber Warfare doesn’t exist
This is the Big One; the Big Denial. Its generally backed up by saying
that the Cyber Warfare terminology is (mis)used to pull in a larger
piece of the government budget, or to cede more control to the military.
In some cases I’ve even seen this statement followed by several reasons
that confirm that Cyber Warfare does exist, but that we
shouldn’t call it that because it has such ‘negative connotations’. But
when 150+ countries worldwide are ramping up their militaries to deal
with Cyber Warfare, what is the point of such semantics? Sure, it can be
argued that Cyber Warfare is nothing more than IT Security with a
military flavor. In many ways it is. But is not the application of use most prevalent in determining the meaning of an action? Is intent
not the determining factor in a Murder or an Accident, the factor that
turns a kitchen knife into a murder weapon? The same can be said for
guns. One man using a gun to kill someone is murder. When battalions of
two or more nations engage eachother for political motives, this turns
it into War. The same reasoning can be applied to IT Security: If it is
used by one nation state to further its political will upon another
nation state, this is Cyber Warfare.
IT as a sector has historically been the realm of Geeks, Nerds and the Socially Awkward. You may not like it or agree with it, but this has been mainstream consensus for decades (though it is declining as technology becomes more common). IT Security as a specialization has historically been the realm of the Paranoid and the Technically Gifted in IT. You may not like it or agree with it, but this group is generally considered the Nay-Sayer of the IT world (though it is declining as Security becomes more important with the rise of internet connectivity). Cyber Warfare is a fringe area. A niche; a specialization in a specialization. Information Security is poorly understood by the mainstream populace, a fact well evidenced by the digital exhibitionism taking place on the various social networking sites. In fact, it is even poorly understood within the IT sector itself. How is the mainstream populace ever to understand how important Security is, if we can’t even reach consensus amongst ourselves?
I feel that it is important that all of us should stop arguing over Semantics and start working together constructively. It is important for the IT sector as a whole to form a united front if we are to positively influence the security habits of those who we aim to help.