In the article at ITPro, Tom Brewster wisely changes his tune from ‘this is war’ to outright questioning that fact. I agree, as do most experienced people who have a background in National Security.
Why is this not a cyberwar? Besides the obvious legal definitions where this doesn’t even remotely resemble a war (no declaration of war nor is there an ‘act of war’ as in the US Code), there is certainly no death and destruction.
So the IT department at MHI is going to have to put in a ton of overtime while maintaining evidence for computer forensics. Where’s the damage?
Which leads me to the question: What will a cyberwar look like if it’s even possible? Two factors will be discussed here: targets and thresholds.
Forget about your silly little network where you work. If you’re getting hammered, deal with it. Let’s look at the big picture. Nation State warfare. What are the critical pieces which can cause a nation to drop to its knees? It is called critical infrastructure. In the United States it is identified in Homeland Security Policy Directive HSPD-7.
Critical infrastructure are the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.
Depending on when and where you look on the DHS website, here are those critical assets: Agriculture and Food, Banking and Finance, Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Government Facilities, Healthcare and Public Health, Information Technology, National Monuments and Icons, Nuclear Reactors, Materials and Waste, Postal and Shipping, Transportation Systems and Water.
I am not going to pretend to be an expert on critical infrastructure. What I am going to do, however, is propose a ‘threshold’ be established. This relates back to a previous post where I proposed that definitions need to be virtual.
The threshold I am proposing is something along the lines of establishing a percentage of any one critical infrastructure; if that percentage is not available, this would be considered an act of war by the United States.
For instance, if 15% of all government IT networks, Domain Name Servers and other critical components are rendered unusable or inaccessible, this might be a point where we declare that the US is ‘in a state of war’ to preserve our national information network and enable our national economy. 10% of the water reservoirs. 10% of the banks. The devil, again, is in the details; DHS has a huge job here.
For this to be possible, DHS, which has this responsibility for the US government, must track all critical infrastructure and determine the percentage of systems that are not functional. Once we have established thresholds, we can advise our senior leaders whether a certain number of cyber attacks meets a definition of an act of war.
Now I’ve thrown a marker on the wall. Who at the national level is going to run with this?
Cross-posted from To Inform is to Influence