Flip through the cyberwar headlines over the last decade and you'll find that governments and members of the cybersecurity industrial complex have taken to using terms like 'active defense', 'maginot line', and 'preemptive warfare'.
These are phrases borrowed from conventional warfare that Tenable chief security officer Marcus Ranum says don't make sense in network-centric warfare.
"That's really the problem in a nutshell," Ranum says. "The terminology that gets used for cyberwar doesn't really map at all - it just seems to. There's a danger in accepting that the terms map when they really don't because it amounts to obscuring the real situation by talking in terms of analogy."
He's not being a linguistic puritan; he's concerned that if the industry doesn't use the wealth of technological terms already available, then it risks confusing the highly contentious issues in cyberwar which could lead to dire mistakes.
"When we allow our vocabulary to deny our actions, it makes it much easier for unhealthy choices to be made," he says.
He singles out an offender in the phrase 'active defense'. This concept is rooted in maneuver warfare that is essentially dependent on a defender's units being quicker and more agile and their command and control to be superior than their enemy in order to facilitate the defence of a larger area by fighting while falling back.
In cyberspace, you can't stage a fighting retreat. So the analogy falls over.
"When you dig beyond the details of the bad analogy it starts to sound like what's really being discussed is no 'active defense', it's 'offense' or 'pre-emptive attack'," he says.
'Pre-emptive attack' is also misused Ranum says because you can't "meaningfully pre-empt an attack".
The discourse may highlight that public perceptions on cyberwar are being manipulated. And if those behind the rhetoric want to promote a position on cyberwar, such as the need to attack an entity before it launches an attack of its own, then it should be discussed in terms that are open and frank.
Self-licking ice cream cone
Ranum sees a rising cybersecurity industrial complex as a threat to the security community because the creation of offensive tools puts pressure on those working to defend against them. When the defensive side catches up, then new offensive technologies are needed.
"This is certainly happening at the expense of the security industry: those of us on the purely defensive side are going to have to deal with the offensive contributions of our peers, backed by government money," Ranum says.
"We learned a few things from Stuxnet: namely, that professionalised weapons are being developed and they work. It's a virtual certainty that Stuxnet was developed by people who consider themselves to be computer security practitioners."
The advancement of the offensive side of security deserves to be thoroughly considered, and this includes the use of cyberwar rhetoric. Ranum for his part has devoted the last half decade to raising awareness on the issue.
"There are a lot of people that are cheerfully building 'big brother' for the governments, or encouraging the militarists to weaponise cyberspace; that's why I'm concerned that we not allow our vocabulary to become corrupted in the service of militarism."
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
