The Lexicon Wars and Impediments to Cybersecurity

Saturday, October 08, 2011

Joel Harding

94ae16c30d35ee7345f3235dfb11113c

I was recently discussing cyberwar in a security forum on LinkedIn.com.  My perspective was the complete opposite of many in the forum. 

I was stunned and had to sit back and contemplate the situation.  I’ve been brewing this over in my mind for the past decade but it finally came back to haunt me.  I was actually accused of being a 20th century thinker. 

I took umbrage with that statement (inside joke to anyone who was with me during initial discussions at JTF-6 back in the early 1990s).

My takeaway is that the cybersecurity folks in the forum were thinking emotionally, they would certainly be aware if someone was attacking and doing damage to their network simultaneously with other networks, so they thought surely this constitutes an “act of war”! 

Before you disagree…  riddle me this:

  • What is cyberwar?
  • How do conventional laws apply in a virtual world?

I could make a lengthy list of all the terms and questions myself and other so-called experts have discussed over the past 15+ years and to which we still do not have official definitions, that we do not have an agreed upon definition, and to which we honestly have no hope of ever determining a right way, never mind the right way, to our cybersecurity and warfare problems in cyberspace.

The definitions would be useless only moments (in relative terms) after we have an agreed upon solution.  My good friend, Dr. Richard Forno, wrote his doctoral thesis and has based much of his career on the intricacies of “incident response”.  I recall, not so fondly, how in the late 1990s all the cyber experts quite literally fought about how to define an incident.

It’s almost laughable in a way.  Highly educated and very professional people fighting about a definition?

Fast forward ten+ years and now I am being attacked how I define war in cyberspace.  I caught myself before I began hurling invectives and insulted friends.  I began to realize their definition of war in cyberspace was an emotional issue from a cybersecurity perspective, whereas my definition is based upon years of splitting hairs about actual official definitions of cyberwarfare, cyberwar or war in cyberspace (the last is my preferred term).

Someone posited that anytime someone penetrated their network, that was considered cyberwar.  I disagree, that would be an intrusion.

Someone said by stealing the information in my network, that would be considered cyberwarfare. I disagree, that would be theft of intellectual property or a cyber crime.

Someone claimed that denying, degrading or destroying data on a network would be cyberwar.  I admitted, that would be bad, but by no stretch of the imagination would one single incident be considered a cyberwar.  Yes, it honestly would depend on the targeted network.  Doing this on the WhiteHouse.gov domain would definitely be considered an act of war, whereas at tinyminds.com (I made that up) it would probably be a pain in the butt.

Kevin Coleman published a terrific little book called “Cyber Commander’s Handbook“, I highly recommend it! Kevin actually gave me a hardcopy years ago, for a book review.  By the time I finished reading it I realized that many of the definitions in the book are obsolete, outdated or wrong. 

Not because the book isn’t brilliant, it is, but because by the time the ink dried on the page the definition(s) had changed.  He also started out with close to 32 attack ‘types’ and the last time I checked he has about 49 (I’d call him and ask but by the time I typed it here it would have probably changed).

This sets the stage for my next wild assertion:  we need a new way of making, posting and agreeing upon definitions, thus freeing us to work on a problem and avoid getting stuck in petty definitional wars.  We also need to begin establishing thresholds.

Wikipedia is a great way to get a community to come together and agree on a term, post issues, and discuss them (posting the good, the bad and the ugly) and finally agreeing on one pretty good agreed-upon definition for term.  No, it’s not perfect. 

There have been cases where a Wikipedia page is used to push an agenda, to attract customers and to be a sounding board for some extreme or out of the ordinary positions. This definition, of course, will change.  For instance, everything changed after Stuxnet.

Let’s take Wikipedia one step further.  I believe the term ‘cyberwar’ is incorrect, there is a basic flaw in the assumption that there is landwar, airwar, seawar or spacewar.  Instead we wage war on land, sea, air, space and in the cyberspace domains, culminating in war. 

Let’s assume the correct term is ‘war in cyberspace’, it is more doctrinally correct (according to the Joint Electronic Library of the Joint Staff, Pentagon).  So…  let’s define an act of war in cyberspace. Would that be 1 ping per second against dtic.mil?  10 pings per second?  100 pings per second?  10,000 per hour? 

How about using nMap?  How many incomplete commands sent in a second?  Per hour, per year? What else?  An actual penetration?  Placing a payload in a data stream? Copying information?  Copying intellectual property?

I propose a non-static means of proposing definitions and then creating a fluid threshold…   ten per second, 100 per second, 1 million per second.  If the proposal has fixed data threshold points one can quantify, by this definition, an act of war in cyberspace.  Who should host it? 

Government is the obvious choice but they do not have the incentive and certain they are way too scared to make any radical proposals like that. DARPA, IARPA?  They seem obvious but lately they don’t appear to be pushing the envelope in the cyber world. DHS?  As soon as I stop getting sick… 

I propose a University get the contract, preferably one here in Washington DC.  I have the perfect person in mind to head up the program. Contact me, let’s see if we can make it happen.

The greatest drawback to this creating a definition with fluid thresholds is an ever increasing threshold.  Reach the limit, raise the limit.  Next?

Got anything better? Your ideas are solicited.

Related articles:

Update:  I just found this article which bears out my approach:  Evolving threats driving security strategy & investing globally

Cross-posted from To Inform is to Influence

Possibly Related Articles:
15318
Network->General
Military
Government Cyberwar Cyber Security Stuxnet Network Security Definitions
Post Rating I Like this!
Default-avatar
Jordan Wilkerson I am currently in Dr. Forno's Cybersecurity program hosted at UMBC, and this has article has touched on a major component of the program. In fact, there is a class entitled "Cyber Warfare" that emphasizes research into weaponizing systems, determining the threshold of war in cyberspace (i.e. when something can be defined, when it can't), etc...

I personally feel that you can have a static definition of cyber warfare based on it's impact of a country's citizens. The theft of corporate data may have a trickle down effect on people as consumers, but it would not have the same kind of cascading effects of the power grid being attacked. A direct impact on government institutions, public welfare facilities, or energy sources could all be put into that category.

Also, for someone to say "they attacked my network, therefore that is cyberwar", please remind them that despite what their ego may tell them... they, and thereby their network, are not as important as they may believe. The loss of corporate emails, in my opinion, is a first world problem (think not enough staples in the printer), but an attack that would try and send us into a third world mode of functioning is over the threshold to be considered an act of war, in my opinion.
1318185137
94ae16c30d35ee7345f3235dfb11113c
Joel Harding Absolutely agree, Jordan, you can and may have a static definition of cyber warfare but the thresholds must change periodically. It is almost too nebulous to say 'cause grave damage to', because the 'grave damage' threshold changes, almost daily.

You are absolutely spot on to the ego aspect of warfare in cyberspace.

One of the biggest problems of the use of the term cyberwar is attribution, once again. There are tools available to find the origin of attacks but it takes human intelligence to make the link between the keyboard and a government directive. We are darn good at the cyber part of the equation; the human intelligence part is difficult, at best. I've heard rumors of a new way of assessing attribution... I won't hold my breath.
1318185919
A22d865efb1586145b9b6e7c6c7d9853
Sara Hald The same problem occurs when trying to define the word "terrorism". It has been impossible to reach international and in many cases even national consensus on a common definition (US being a prime example of the latter). This makes it difficult to cooperate on the legal side, since someone may be a terrorist by one country's definition but not even a criminal by another country's. The same issue is very much at play regarding cyberwar, and there are few areas where international cooperation are as essential as in the prevention (or execution) of warfare.
1318238899
44a2e0804995faf8d2e3b084a1e2db1d
Don Eijndhoven I believe I witnessed the Linkedin discussion you refer to and would agree with your assessment. I didn't agree with most of the responses you got either and feel that you have a lot of very valid points. As far as I could tell you stayed very polite and this kept the discussion from derailing entirely.

As to lexiconic wars, I am sure we are hardly the first or the last to experience such a thing. What worries me is not just that people quibble over meaningless trivial differences, but that there are a number of influential security people who flat-out deny that the problem exists based on semantics. It also bothered me that you received such hostile responses simply because you disagreed with their views.

This last thing is not new. I've seen this happen in a lot of other scientific fields such as Physics, where whole research branches get ostracised simply because they go off the beaten path. How many discoveries did we miss because people are forced to tow the party line?

Whatever we do to move forward in establishing the lexicon, I feel that we should void it of emotion and not force the issue upon people. Whatever we do, we should not halt progressive initiatives simply because we cannot agree on the wording.
1318252335
Default-avatar
Jordan Wilkerson @Don, Could NOT have said it better Don. A large part of the problem I see in cyber security and the cyber war arena though is a lack of definition. As Joel already touched on, there was a point in time (I probably wasn't born yet, sorry Joel / Dr. Forno) where many were emphasizing a need to define what things like critical infrastructure, cyber war, etc... meant. It is because these were not defined then, that we have these kinds of problems now.

The main issue is that management in an organization, who typically have no general interest outside of work in this area, don't see an incentive, I'm sorry, an R.O.I. for putting time, energy, resources into this. Mainly because the implications of defining what something is causes a snowball effect of spending. I.e. if the DHS says, "industry X must secure their critical infrastructure", well if management sat down and defined 13 SCADA systems as critical infrastructure, now they have to pour tons of money into securing them (Hope that makes sense).

It always boils down to this mentality that money is more important than preventative measures. This translates to "the more money I have, the more likely no one will mess with me". We had that same mentality prior to 9/11.

Basically what I'm trying to say is that it IS critical to define these terms, and set the thresholds well enough to evolve as technology evolves, because the bottomline is that if we define these terms companies and technologies will start emerging that are built around security, not companies that build security around themselves.
1318261743
Default-avatar
Phil White For good or bad there is a team of people at the EastWest Institute trying to come up with standard definitions for "cyber" terms between the U.S. and Russia for things like treaties. The resulting document is called "Russia-U.S. Bilateral on Cybersecurity: Critical Terminology Foundations" and is avaiable here (50 page pdf):

http://www.ewi.info/cybersecurity-terminology-foundations

For example, they define Cyber War as:

an escalated state of cyber conflict between or among states in which cyber
attacks are carried out by state actors
against cyber infrastructure as part of
a military campaign

(i) Declared: that is formally declared
by an authority of one of the parties.
(ii) De Facto: with the absence of a
declaration.

You really need to read the original form in the document though (including the Russian version) to really understand the definition.

Kind of interesting and pertinent to this discussion.
1318353037
A966b1b38ca147f3e9a60890030926c9
Chris Blask Using the wrong words has the same technical impact as linking the wrong library or creating inaccurate DNS entries. Accurate human-language taxonomy is no different than accurate coding.

We're still (and as you say, always) figuring out which are the right words.

This spring I attended a session with Daniel Noyes from ICS-CERT on the topic where a lively discussion ensued. Yesterday Daniel sent me this link below outlining the Joint Chiefs' view of taxonomy for cyber war - http://www.nsci-va.org/CyberReferenceLib/2010-11-Joint%20Terminology%20for%20Cyberspace%20Operations.pdf - as yet another interesting view on the issue.

I won't attempt to boil this ocean in a comment, but I would encourage folks to engage in the discussion.

1318809695
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.