February 15, 2011
White House Advisor: Use of Term Cyberwar "Terrible"
By Michael Hickins
White House cybersecurity coordinator Howard Schmidt said that policymakers and others should stop "conflating... cyberwar with cyber-espionage with cybercrime."
Talk of an "Internet kill-switch" [1] to be used in the event of cyberwarfare has reemerged in light of recent events in Egypt, and coincides with a new federal initiative intended to improve security for individual Internet users. [2]
According to Mr. Schmidt, securing the information superhighway involves too many factors to be lumped into a single bucket. Resolving online criminality like identity theft should be treated differently than protecting the electric grid from sabotage by foreign powers or online espionage, but war-like rhetoric may threaten the U.S.'s ability to deal with any of these issues effectively, he warned.
"Words do matter. When we start throwing out these things, like we're in the midst of a cyber war, or that cyber war is around the corner, there's a lot of [those things] that don't actually apply, so we really have to define what it is that we're talking about."
Mr. Schmidt made these remarks during a discussion with two industry cybersecurity experts [3] -- British Telecom cybersecurity chief Bruce Schneier, and Microsoft executive Scott Charney.
It was in fact Mr. Schneier who kicked off discussion of the war-like rhetoric, claiming that this is part of a turf war to determine which federal agency would have control over cybersecurity, abetted by "exaggeration and distortion" by a "military industrial complex that does that quite well."
"Metaphors matter here," he added. "All these examples [of online sabotage] aren't really warfare, but if you call them warfare, a different set of psychological buttons get pushed. To the police, we are citizens to defend. To the military, we are a population to be subdued, or at least to get out of the way and not make trouble."
The examples to which Mr. Schneier referred include suspected instances of online sabotage against Estonia in April 2007 [4] and against Georgia in 2009, [5] and the so-called "ghostnet" surveillance network [6] of the U.S. power grid.
According to Mr. Schneier, companies like Booz Allen Hamilton, which is participating in a public debate on cybersecurity matters tomorrow at RSA, a security industry conference, are ratcheting up the rhetoric for their own economic benefit. Booz Allen Hamilton vice president "Mike McConnell [has] made a lot of money in cyber war contracts... Talking up cyber war is what he does; it's in his political and economic interest to do it," said Mr. Schneier.
Asked to respond to Mr. Schneier's comments, a Booz Allen Hamilton declined to make Mr. McConnell available. A spokesman said via email that Mr. McConnell, a former Director of National Intelligence, delivered the "same messages of concern about the vulnerability of our cyber infrastructure" during his public service and "before returning to Booz Allen. As a longstanding intelligence professional, McConnell has an awareness across the full spectrum of classification, and sees it as his duty in public service to foster the right kind of discussion so the nation's leadership can debate and mitigate the risks," the statement said.
Mr. Schmidt, the White House cybersecurity coordinator, deplored the "terrible use of the word 'cyberwar'."
Mr. Schneier also asserted that the Department of Defense "won" the turf war over "who's in charge of national security in cyberspace... the U.S. cyber-command is sort of co-located with the [National Security Agency] and it has the same head.
Microsoft's Mr. Charney noted that the United States "has tried to come up with one over-arching strategy [for securing cyberspace]... but there are really four different ones." He said that cyber crime, corporate online espionage, online sabotage of national infrastructure, and military espionage online all need to be dealt with separately.
[1] http://www.networkworld.com/news/2011/013111-egypt-kill-switch.html
[3] http://blogs.wsj.com/digits/2011/02/15/cyber-security-czar-defends-government-role/
[4] http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
[5] http://voices.washingtonpost.com/securityfix/2009/08/twitter_facebook_google_attack.html
[6] http://blogs.forbes.com/firewall/2011/02/11/a-brief-history-of-chinese-cyberspying/