This term has been thrown around a little and yesterday the Organization for Economic Cooperation and Development (OECD) released a report saying that "true cyberwar is unlikely." Here's an excerpt that was sent to me for comment:
“There is nothing new in what the hacktivists are doing,” Mr. Sommer said. “It really should not be exaggerated. It’s really more like the kind of thing Greenpeace does.”
“We have to get used to the fact that popular protests, as well as skirmishes between nations, are going to have a cyber dimension,” he added. “Some people say cyberespionage is just a few clicks away from cyberwar. It’s not; it’s just another way of spying.”
Report challenges cyberwar doomsday scenarios
New York Times January 17, 2011
A new study commissioned by the Organization for Economic Cooperation and Development says a true cyberwar is unlikely, and that -- unlike scenarios painted by many recent books and articles on the topic -- advanced countries could recover from such a conflict within days, even hours. "You have this sort of competition between writers to say, 'I have a scarier story than you do,'" said co-author Peter Sommer of the London School of Economics.
I agree that sometimes infosec folks can get into the habit of telling the scarier story. If that scarier story is true though shouldn't we take heed? I responded with the following:
This is an interesting take and really just seems to be a language issue. I suppose it all depends on how you define "war" and "warfare." Mr. Sommer's quote "... skirmishes between nations, are going to have a cyber dimension,” is war in some people's eyes. Also, if it's "..just another way of spying" do wars ever start because of more traditional espionage? I also don't really understand the Greenpeace reference since they don't really attempt government-level espionage. As for the statement that "... advanced countries could recover from such a conflict within days, even hours." That's a great point, cyber-based attack would only be devastating if followed by a tactical operational attack to take advantage of the service disruption. The ability to disrupt, or intercept, communications to and from your target would give you a significant advantage. This ability has brought about encrypted communications by default for the military while critical infrastructure has not yet seen the need for this. One of the issues we discuss with our customers when penetration testing is to assess the impact of the operational decisions made based on information received from a field-connected device. Can I get a human, or machine, to initiate an action if I provide false data?
In 2008 Russia attacked Georgia and used cyber attacks as part of their campaign. I wonder if that would be considered cyber warfare by the authors or just a skirmish? Then, to be fair, I wonder how Georgia would define it.
I believe cyber "war" is a reality and will be used as a component of real large-scale attacks in the future. What do you think?