War or Ecological Disaster? The Search for a Cyber Analogy
There is a continual discussion in policy circles about whether cybersecurity should be discussed in terms of war or as the online equivalent of an ecosystem.
Advocates of the first analogy, mainly defense types and those who believe a cyber Pearl Harbor is coming, describe cybersecurity as involving attacks, compromises, and terrorism. Advocates of the second analogy, treating cyber infrastructure as an ecosystem, talk about holistic approaches to security and discuss cleansing the system, keeping it healthy and fighting infections.
To determine which analogy is right, one needs to look at the state of the cybersecurity problem more closely for similarities. Here is my quick rundown of the top five reasons why cybersecurity should be treated as one or the other.
The case for cyberwar:
1. The role of foreign operatives and state actors in cyberspace is well-documented (read The Cuckoo's Egg by Cliff Stoll).
2. War Games! Ever since watching the 1983 movie, I still awake to thoughts of a hack, the game Global Thermonuclear War, and how close movieland U.S.A. came to destruction.
3. The potential impact on our critical infrastructure in the event of a cyberattack -- whether by enemy states or terrorists -- is overwhelming. Indeed, many of us forget that the basis of many of our cybersecurity efforts today came out of the creation of the President's Commission on Critical Infrastructure Protection, created by President Clinton in response to the Oklahoma City bombing.
4. The military and associated computers are prime targets for attack from hackers.
5. The Pentagon is treating cyberspace as a battlefield, a domain, or global common where "no one state controls but on which all rely."
The economic case for an ecosystem approach:
1. It is becoming more apparent that cyberspace is similar to an environmental ecosystem where integration, collaboration, and interdependencies rule.
2. Like environmental law, cybersecurity law has faced challenges in assessing responsibility, and creating regulatory schemes that aren't overly burdensome to ensure that production and innovation are not stifled.
3. Groups like LulzSec and Anonymous are not state actors or terrorists (as far as we can tell). Indeed, by all accounts, they are more like Matthew Broderick's character David Lightman from War Games.
4. The majority of critical infrastructures and, more broadly, computer networks are not government systems but in the hands of the private sector. As such, the government has to balance coming down with a heavy hand (a la military force) with voluntary efforts to keep systems operating.
5. Economic considerations drive much of the cybersecurity decisions being made in the U.S. As companies determine corporate information security spending decisions, they do so as part of an economic decisionmaking process.
Thus, both approaches have merit. But for the majority of cyber problems, the ecosystem approach is more realistic. Like many of our nation's assets, our IT and cyber technologies are critical to our nation's security and must be protected. While not thought of regularly, our enemies could break pipelines or use chemical attacks to poison our waters in an environmental attack, thereby using ecosystem warfare against us. We don't, however, think of the day-to-day environmental protection space as a national security space.
Granted, cybersecurity is different because it can be used and manipulated remotely. The real question for policymakers is this: Are we more concerned about foreign actors injuring our critical infrastructure or the constant drum of computer hacking and data breaches that has been prevalent over the past several months?
It is a question not easily answered, as evidenced by how slowly Congress has acted in moving cybersecurity legislation.