Cyberwar: Definition, Hype & Reality
Part of Air Force Cyber Command at Barksdale Air Force Base in Louisiana.
CREDIT: U.S. Air Force
In this first of a three-part series, SecurityNewsDaily explores truths, distortions, confusions and likelihood of cyberwar. Click for Part 2: What Cyberwar Would Look Like and Part 3: Why Cyberwar Is Unlikely .
Last month, the White House released its official international cyberspace policy. The Pentagon plans to release its official doctrine for the use of cyberweapons soon.
These developments, along with last summer's discovery of the Stuxnet worm in Iran and the initiation of a military Cyber Command in the United States, have brought the concept of cyberwar to its highest level of prominence ever.
Yet despite worrying military thinkers for over 20 years, cyberwar remains a rarely practiced, poorly defined and widely misunderstood form of conflict.
Unlike conventional warfare, the ability to cause destruction with nothing more than 1's and 0's remains beyond the reach of most countries, and outside the interest of many more.
There are more countries that possess nuclear weapons than there are that have the robust offensive cyberwar capabilities needed to cause serious harm, even though cyberattacks require far less technical expertise and financial investment than atomic bombs.
Even among experts, the very definition of cyberwar varies widely.
Does it even exist?
Richard Clarke, the former special advisor to the president on cybersecurity, has broadly claimed that any attempt to penetrate a nation's computer systems constitutes cyberwar.
But Howard Schmidt, the current cybersecurity czar, has gone as far as saying that cyberwar does not exist since digital attacks fall short of any reasonable definition of war.
Most experts land somewhere in between, defining cyberwar as an attack that originates in cyberspace but causes real-world harm.
"Cyberwar has to meet the same threshold we'd hold any other war to," said James Lewis, senior fellow and director of technology and public policy at the Center for Strategic and International Studies in Washington, D.C. "So if someone spray-painted a government building with graffiti, we wouldn't call that an attack. And if someone is caught spying, that isn't war."
"There has to be physical destruction, and there have to be casualties," Lewis added. "If there aren't, it isn't an attack, and it isn't war."
This disagreement over what does or does not constitute cyberwar stems in part from the ambiguous policies of the countries that practice it.
By keeping the line between cyberespionage and cyberwarfare somewhat fuzzy, countries preserve their ability to justify retaliation at the time of their choosing while simultaneously avoiding any rigid commitments that could escalate a conflict into something more dangerous.
Currently, the U.S., Israel, the U.K., China and Russia are the only countries with proven offensive cyberattack capabilities. France, Germany, Iran and North Korea have smaller, but growing, programs, and another 30 or so countries, both rich and poor, have begun building these kinds of programs within their own military and intelligence organizations.
To overcome the natural robustness of targeted computer systems, effective cyberwar requires a lot of time, money and skilled professionals and thus the backing of a state.
"Hacktivist" groups such as Lulzsec and Anonymous , or the wide variety of organized-crime groups that use malware to make money, do not have the ability to launch attacks that would even approach the threshold of cyberwar.
"A 14-year old hacker cannot do damage to a country. It takes extensive infrastructure to perform this," said Sami Saydjari, chairman of Professionals for Cyber Defense, a group of security experts who describe the mission as "to advocate, advise and advance sound cyber defense policy for the United States of America."
"But even a Third World country has the capabilities to do it," Saydjari said. "A number of groups have done analysis or mock attacks, and we found it takes about three years and half a billion dollars to do strategic damage."
Hottest debate: Terrorism
In the gray area between states and criminals falls the most hotly debated category: terrorist organizations.
Terrorists have the desire to launch attacks that would qualify as cyberwar, but currently lack the capability to do so. The question of whether they will ever develop that capability sharply divides the security community.
For cyberwar hawks, the fear that Al Qaeda or Hezbollah could eventually attack the U.S. or its allies through cyberspace forms the primary justification for increased spending on cyberdefense.
To the cyberwar doves, fear-mongering and unnecessary military expenditure loom as greater threats to critical online systems than do terrorist groups that have historically relied on low-tech weapons such as box cutters and homemade explosives.