Misuse of Language: ‘Cyber’; When War is Not a War, and a Weapon is Not a Weapon

In this Threatpost op-ed, Dave Dittrich and Katherine Carpenter discuss the imprecision in language surrounding “cyber war” and “cyber weapons,” and explain how this may contribute to bad law and policy.

Three Calls to Action

We believe our community and society would benefit from more research and public discussion to clarify language and define a framework for creating more effective law, regulation, and policy in this area.

We are calling for three things:

1. Treat and discuss cyber incidents like the crimes that they are, not acts of war. This incident is now being investigated by the FBI—as it should be, as a serious cyber incident with national security implications—and anyone holding information that they believe is germane to attribution should provide it to the federal government so an effective and thorough criminal investigation can move forward. Citizens can work to fight crime, report it, and protect themselves against it like they do in other arenas. Indictments, such as those in several recent cases involving serious and long-running cyber incidents, are the first public step that the federal government must make in order to use the full set of levers of sovereign power, often shortened to “DIME-LE” for diplomatic, intelligence, military, economic and law enforcement activities. The recently released Presidential Policy Directive (PPD-41) is an effort to qualify “significant cyber incidents” and coordinate responses to them.

2. The more we become dependent on Internet-connected systems in our daily lives, the greater are the chances that some future activity could reach the level of a “use of force” in cyberspace under an effects-based analysis (i.e., kinetic damage so severe that it could injure or kill someone). Because of this, citizens need to be engaged in developing norms of behavior and limits on activities in cyberspace. We believe this should be a free and open debate that involves everyone. Whether some cyber incidents are directly state-sponsored or not may be irrelevant. Leaders of countries may allow cyber actions to take place in their interest (be it by “patriotic hackers,” or aggrieved victims wanting a right to strike back) without considering the long-term impacts or international consequences of allowing those actions. It is relatively easy to impact systems in cyberspace, which could result in serious disruption to critical infrastructures by individuals with few resources beyond computers and network connections. These leaders would be well served to consider Machiavelli’s observation: “[If] you foresee problems while they are far off (which only a prudent man is able to do) they can easily be dealt with; but when, because you have failed to see them coming, you allow them to grow to the point that anyone can recognize them, then it is too late to do anything.” Rather than calling cyber incidents “acts of war” and demanding the government respond as though they are truly “acts of war,” citizens should advocate to their governments for norms they understand and accept through international diplomacy. A race to the bottom is not going to end well.

3. Every nation active in the global community should be investing research funding and engaging in outreach activities to accelerate the development of useful norms of behavior that deal with the issues raised by Aitel and Rid in their editorials. This problem is not new, and has been hotly debated since the mid-1990s. Every few years, calls grow for victims of “cyber attacks” to receive some sort of exemption from computer crime laws allowing them to take matters into their own hands and “strike back” or “hack back” to “increase the costs of attackers” and achieve “deterrence.” “While big men know the needs for self-control and restraint–little men are sometimes moved more by fear and pride. If only in the future the big men can continue to make the little ones sit down and talk, before they start to fight.”

If these cyber incidents really are nation-state sponsored, supported by leaders of sovereign governments who think they are justified in taking actions that the private sector and the media insist on calling “cyber war,” do we really want the private sector doing something that results in an actual shooting war? We are not calling anyone big or little, but we would like to provoke conversation so that we do not need to start any battles, big or small, that we may one day regret.

Dave Dittrich is a computer security researcher in the Center for Data Science at the University of Washington Tacoma. He has been involved in investigating and countering computer crimes going back to the late 1990s, writing extensively on host and network forensics, bots and botnets, DDoS, computer research ethics, and the “Active Response Continuum.”

Katherine Carpenter (JD, MA) is a consultant promoting privacy and improving data security and the ethics behind computer security research. She also works in international law and risk management strategy and previously worked in bioethics and health.
