Security Alert

By Tony Bradley, PCWorld | Feb 20, 2012 6:32 am PST

When Is a Cybercrime an Act of Cyberwar?


There is growing talk of cyberwar, as opposed to run-of-the-mill cybercrime. There are also terms that lie
somewhere in the middle, like cyber espionage and cyber hacktivism--which is sort of like cyber terrorism
for good guys. At the heart of the debate is an attempt to define the scope of an appropriate response to each
type of threat.

Former U.S. cyber-security tsar Richard Clarke describes scenarios in his book Cyber War: The Next Threat
to National Security and What to Do About It of nationwide power blackouts, poison gas clouds and burning
oil refineries, aircraft dropping from the sky and crashing subways. Those are the types of attacks that would
seem to clearly indicate an act of cyberwar, but there are also many nuanced attacks in between that muddy
the waters.

What is the goal of the attack: profit, information, or inflicting damage?


What Is In a Name?

The problem is that there are subtle semantic differences in the way different parties apply the terms
cybercrime, cyberwar, cyber espionage, cyber hacktivism, or cyber terrorism. There is no clear consensus,
which complicates the process of determining what level of law enforcement or government should be
engaged to address a given attack.

Richard Stiennon, chief research analyst at IT-Harvest and author of Surviving Cyberwar, explains that the
methods used can be identical. That means it takes a deeper investigation into the goals and motives of the
attack to assign a label to it.

Mike Reagan, CMO of LogRhythm, believes that the lines are definitely getting blurred, but the distinction
matters in terms of defining whether an incident is the responsibility of law enforcement or the military.
“Cyberwar could be characterized as the use of cyber weapons to destroy enemy capabilities and/or
populations. Cyber-crime could be defined as the use of cyber weapons/tools to execute a criminal act
driven by any number of reasons.”

Stiennon draws some distinctions in the definitions as well. A cybercriminal is generally motivated purely
by profit. That is a different goal than cyber espionage, which seeks to access intellectual property for
military or industrial strategic advantage, or cyberwar, which focuses on actually sabotaging infrastructure,
disrupting critical systems, or inflicting physical damage on an enemy.

Take Away the “Cyber”

Andrew Storms, director of security operations for nCircle, suggests a fitting and helpful analogy. “Remove
the prefix from ‘cyber crime’ and apply the same judgment used in other contexts. Does stealing some cereal
from the corner market constitute a crime or an act of war against the market owner? This analogy holds true
even at larger scales; does a data breach at a Fortune 500 company call for the FBI or the Marines?”

Storms also draws a parallel between the naval blockade during the Cuban Missile Crisis and a
denial-of-service (DoS) attack against a nation’s infrastructure. The point is that it’s possible to have
state-sponsored hostilities or acts of aggression that don’t cross the line to become an “act of war.”

Stiennon points out, though, that even tracing an attack to its source may not clarify the matter. “The
difficulty is that the attacker could be a lone wolf like the Comodo Hacker, a street gang like the Nashi, or
an organized terrorist cell--none of which fall into a Clausewitzian definition of war.”

Does It Really Matter?

At a panel discussion on cyber war at a recent media event hosted by Kaspersky, Alex Seger, head of the
Economic Crime Division of the European Council, expressed his opinion that the semantics of defining
cybercrime vs. cyberwar are largely irrelevant. Seger says that rather than focus on definitions we should
focus on the attacks: methodologies, targets, and consequences--regardless of attribution.

This is true depending on your perspective. At the level where PCs are compromised, and sensitive data is
exposed, it is somewhat irrelevant why it happened. What matters is that it did happen, and the focus should
be on mitigating damage from the incident and implementing defenses to prevent it from happening again.

Unless you happen to be (or work for) a defense contractor handling top secret information, or a part of the
critical infrastructure managing things like water treatment facilities, natural gas pipelines, or air traffic
control, the odds are probably slim that a given cyber attack will qualify as cyberwar.

You don’t really need to concern yourself with how to label the attack, though. Ultimately, it is hard to
imagine any act of cyberwar that wouldn’t also be a violation of existing laws. In that sense, all cyberwar is
cybercrime, but not all cybercrime is cyberwar.

If your business experiences a cyber attack of any sort, it is best that you engage the appropriate authorities
at your local level, and leave the cybercrime / cyberwar debate to law enforcement, government agencies,
and politicians.
