Feature

Comment: There’s No Such Thing as Cyber War

01 August 2013
Chester Wisniewski, Sophos

Chester Wisniewski of Sophos wages battle on the term ‘cyber war’

Too often, journalists, politicians, and security professionals are quick to declare ‘cyber war’ at the earliest signs of hacking or intelligence gathering between opposing states. True war consists of tragedy and tangible, kinetic impact. It involves injury and death, not just an exchange of information.

It has become increasingly difficult to read the news without spotting alarmist headlines such as, ‘Cyber 9/11’, ‘Cyber Pearl Harbor’, and ‘Hackers: 21st century nuclear weapons’. It is time that we ratchet back the hype, take an honest look at ourselves, and ask: “When did it become acceptable to equate actions that do not cause loss of human life to war?”

I am not the first to hold this viewpoint. In 2010, Howard Schmidt, former cybersecurity coordinator and special assistant to President Obama, declared in an interview with Wired magazine, “There is no cyberwar… I think that is a terrible metaphor.”

In February 2012, Thomas Rid, a reader in War Studies at King’s College London and expert in technology, deterrence, and cybersecurity, published a paper in the Journal of Strategic Studies titled, ‘Cyber War Will Not Take Place’. In the paper, Thomas asserts that never has an act labeled “cyber warfare” met the criteria for what the world considers an actual act of war. He explains, “In an act of cyber war, the actual use of force is likely to be… [a] complex and mediated sequence of causes and consequences that ultimately result in violence and casualties.”

Despite such sentiment, the security community continues to propagate hyperbolic terminology. A Google search for the term “cyber war” and its synonyms returns an impressive 8.5 million results.

In 2013, I propose that we retire this inaccurate and insensitive language. In its place, we should use phrases that more sensibly describe the nature of events. While expressions such as “cyber campaigns” are inarguably less dramatic, frankly, so is what we’re talking about here when compared with actual war.

At Sophos, we avoid scare-tactic messaging and negative imagery such as locks or tentacled virus-like cartoons intended to scare enterprises into adopting our security offerings. We have too much respect for our customers to do so and take our responsibility as security professionals very seriously – central to which is providing an accurate assessment of the threat landscape.

While advocating that we adjust our language, I don’t mean to suggest that we lessen our diligence. Threats on critical infrastructure and enterprise networks are very real and not to be taken lightly. But the next time a nation is caught cyber-spying or meddling with the effectiveness of an industrial site, let’s keep its true impact in perspective and remain mindful of the way in which we report it. Would such actions cause the same devastation as a true act of war? It is highly unlikely and, accordingly, is inappropriate to label as such.

My grandfather was shot twice in World War II and was preparing to ship off to the Pacific theatre at the time the war ended. I don’t imagine he would compare Stuxnet to the experience he had defending freedom. For that reason alone it is time to stop. We should think better of our veterans.

As much as it might make me feel important to imagine Sophos as the one company capable of separating the world from ‘cyber Armageddon’, I know that, in actuality, the world is far from it – and that’s a good thing.


Chester Wisniewski is a senior security advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. Since joining Sophos in 2003, Wisniewski has worked exclusively in security-related engineering. He previously served at Fortune 500 organizations as a sales engineer, security consultant and network architect. In his current post, Wisniewski works closely with SophosLabs to study threats in depth and provide informational seminars, blogs and other publications to customers and the public on securing their networks and data against evolving threats.
