Cyberwar hysteria took a hit in the form of rational criticism last week. Presenters at the RSA conference argued that this form of cyberfear is overblown:
"We are in the midst of a cyber war of words," Schmidt said. "Let's quit pointing fingers and start cleaning up the infrastructure."
Bruce Schneier sees category confusion:
"We are not necessarily seeing cyber war, but increasing use of warlike tactics in more general cyber conflicts," Schneier said. "I think that is what's confusing us."
He cited a Stuxnet computer virus evidently crafted to find and disrupt an Iranian nuclear facility as an Internet Age attack that smacks of warfare but arguably falls short.
"It is not war," Schneier said. "It is in the middle somewhere."
Instead of "war", maybe what's going on is "crime" or "spying":
The most prevalent cyber threat has been theft of information from networks, US Deputy Secretary of Defense William Lynn said...
Lynn also turned the old disdainful charge of bloggers as guys in pajamas to defuse the cyberwar meme:
"As you know better than I, a couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage," Lynn told the gathering of software savants.
There is IMO a significant misunderstanding about cyberwar and information warfare more generally. Apparently this includes even well known pundits and security analysts.
The cyberwar is part of a bigger picture...
First consider that the best information attacks remain undetected and undiscovered, and if detected are deniable or at least difficult to trace or unconfirmed. When detected, attackers may disappear or be very difficult or impossible to trace with certainty beyond a general point of origin or network used in an attack.
Information attacks target information storage, transmission, and processing systems...this is the basic definition. Of course this includes computer systems, but also human decision makers who process and transmit information -- HINT: that's us. Sometimes this is called social engineering in hacking circles, but what we are talking about is social engineering at scale.
The information war is on, and in part it is in and for your mind. Manipulation of financial markets, planting false news stories, hacking credit card accounts. Does this start to come into focus? It is about fear.
Remember that Psychological Operations are one of the techniques of information warfare along with cyberwar, which we read a lot about these days, and also economic warfare. Consider recent talk about "currency wars" in this framework. And oh yes there are still some "kinetic" techniques that might be called IW if they specifically target these same systems and networks.
What people believe about the "cyberwar meme" is correctly seen as being part of an information operation itself. Think about it. As just one example of how this might work, some people will believe almost any news story associated with the label "Wikileaks" at this point. How do we know that the Wikileaks cables contain no false stories? Who actually knows what's in those cables?
Grand deception and use of media to shape perception are not new ideas. Information warfare however does provide a new framework for thinking about and organizing these sorts of attacks. What we believe shapes reality.
Posted by: Peter Rothman | June 19, 2011 at 10:30