The increasing threats of cyberwar are keeping U.S. officials busy alongside ongoing wars on terror and drugs. Recent incidents highlight the rising cyberwarfare concerns: Google reported espionage attacks originating from China, mysterious Internet traffic activities related to China, the Stuxnet worm targeting Iranian nuclear centrifuges, an attack on the WikiLeaks site following the release of classified U.S. documents, and the significant Internet attack on Estonia a few years ago.
To address these cyber threats, the U.S. has adopted military strategies for cybersecurity, establishing Cyber Command and placing national cybersecurity under the Department of Defense. However, relying solely on offensive strategies is not the best defense. Gary McGraw, CTO at Cigital and author, argues that more secure software, rather than cyber warriors, is essential to protect networks and online data. In his article, "Cyber Warmongering and Influence Peddling," McGraw emphasizes the need for secure software over offensive cyber capabilities.
The Problem with Cyberwar Hysteria
McGraw points out that blending cyberwar, cyber-espionage, and cybercrime into a single narrative confuses the public and policymakers. This confusion can lead to inappropriate responses, such as the overemphasis on offensive strategies by Cyber Command. He likens this approach to living in glass houses and focusing on throwing rocks more accurately, rather than addressing the defects in the systems.
Financial Incentives and Cybersecurity
McGraw acknowledges that financial incentives drive much of the cybersecurity rhetoric. The U.S. military-industrial complex is closely tied to the commercial security industry, which is only beginning to understand security engineering and software security. The previous focus on blocking threats with firewalls has failed, and the new paradigm should be building inherently secure systems.
The Real Threats: Cybercrime and Cyber-Espionage
According to McGraw, cybercrime and cyber-espionage are more significant threats than cyberwar. Cybercrime, in particular, is costing significant amounts of money. Effective cybersecurity should focus on building secure systems and limiting access to sensitive information, rather than solely developing offensive cyber capabilities.
The Semantics of Cybersecurity
McGraw highlights the issue of semantics in cybersecurity, noting that the term "cyber" can create unnecessary fear. He argues that there is as much myth and hyperbole in cybersecurity discussions as there are real threats. This makes it difficult for policymakers, CEOs, and the public to discern what to believe.
Defining Cyberwar
McGraw considers Stuxnet a cyberweapon, as it had a kinetic impact on physical systems in Iran. However, he does not classify the Estonia attack as cyberwar, as it lacked significant impact and was carried out by individual cybercriminals, not a nation-state.
Policy and Cybersecurity
McGraw has been increasingly involved in discussions in Washington, D.C., and is concerned that the discourse on cybersecurity is overly focused on cyberwar. He advocates for a clearer distinction between cyberwar, espionage, and crime, emphasizing the need to build better systems and reduce vulnerabilities.
The Role of Software Makers
McGraw suggests shifting the conversation towards incentivizing the development of secure systems and discouraging the creation of insecure ones. While he does not propose specific approaches, such as liability, he believes policy discussions should focus on security engineering.
Rational Discussions on Cybersecurity
Despite acknowledging the risks, McGraw calls for rational conversations about cybersecurity. Excessive fear, uncertainty, and doubt do not help, and policymakers need to have the right discussions to set effective policies.
