Cyber war threat exaggerated claims security expert

By Maggie Shiels, Technology reporter, BBC News, Silicon Valley

Published 16 February 2011

Image caption: Electronic attacks will play a part in conventional conflict, but they are not wars, says Mr Schneier

The threat of cyber warfare is greatly exaggerated, according to a leading security expert.

Bruce Schneier claims that emotive rhetoric around the term does not match the reality.

He warned that using sensational phrases such as "cyber armageddon" only inflames the situation.

Mr Schneier, who is chief security officer for BT, is due to address the RSA security conference in San Francisco this week.

Speaking ahead of the event, he told BBC News that there was a power struggle going on, involving a "battle of metaphors".

He suggested that the notion of a cyber war was based on several high-profile incidents from recent years.

They include blackouts in Brazil in 1998, attacks by China on Google in 2009 and the Stuxnet virus that attacked Iran's nuclear facilities.

He also pointed to the fallout from Wikileaks and the hacking of Republican vice-presidential candidate Sarah Palin's e-mail.

"What we are seeing is not cyber war but an increasing use of war-like tactics and that is what is confusing us.

"We don't have good definitions of what cyber war is, what it looks like and how to fight it," said Mr Schneier.

Image caption: Casualty of war? Attacks such as Sarah Palin's e-mail hack have been lumped into the debate

His point of view was backed by Howard Schmidt, cyber security co-ordinator for the White House.

"We really need to define this word because words do matter," said Mr Schmidt.

"Cyber war is a turbo metaphor that does not address the issues we are looking at like cyber espionage, cyber crime, identity theft, credit card fraud.

"When you look at the conflict environment - military to military - command and control is always part of the thing.

"Don't make it something that it is not," Mr Schmidt told a small group of reporters on the opening day of the conference.

A report last month by the Organisation for Economic Cooperation and Development also concluded that the vast majority of hi-tech attacks, described as acts of cyber war, do not deserve the name.

Tanks and bombs

The issue is likely to receive a lot of attention at RSA this week as a number of panels seek to define what is and what is not cyber warfare.

"Stuxnet and the Google infiltration are not cyber war - who died?" asked Mr Schneier.

"We know what war looks like and it involves tanks and bombs.

"However all wars in the future will have a cyber space component.

"Just like we saw in the Iraqi war we [the US] used an air attack to soften up the country for a ground offensive.

"It is probably reasonable you will see a cyber attack to soften up the country for an air attack or ground offensive," he added.

Mr Schneier claimed that the heated rhetoric is driving policy in ways that might not be appropriate.

"The fear is that we are going to see an increased militarisation of the internet," he said.

Recently the FBI and Department of Defence squared off over who got to control defence in cyber space and the multimillion dollar budget that goes with the job.

Mr Schneier said that battle was won by the defence department.

He also described a worrying trend of politicians trying to introduce legislation as a way to deal with the issue as nothing short of knee-jerk politics.

Last week the Cybersecurity Enhancement Act was introduced in the Senate, following confirmation by oil companies and Nasdaq officials that their computer systems were repeatedly hacked by outsiders.

"My worry is these ill thought-out bills will pass," said Mr Schneier.

Treaty talk

Talk of drawing up the equivalent of a Geneva Convention for cyber space has been gaining attention.

The proposal was raised by the international affairs think-tank the EastWest Institute at a security conference in Munich last week.

Mr Schmidt said he is sceptical because he does not believe every country will sign up to an agreed set of norms or standards.

"I don't know that a treaty is going to solve anything at this juncture.

"Not everyone thinks about this unilaterally around the world. We can't do this by ourselves," he said.

Industry commentator Declan McCullagh, who is chief political writer for online news site CNET.com, believes the idea of doing nothing is untenable.

"Before we get to the stage of having to launch a cyber war, and that will eventually come, let's have a public discussion about what this involves," he said.

"A Geneva Convention for cyber war makes sense at least to start that discussion.

"What that would do is put certain types of attacks off the table like you are not going to target the enemy's hospitals or certain types of civilian systems that innocents depend on for their livelihood.

"I don't think everyone is going to respect it, and maybe the US won't respect it at times, but at least it starts the discussion and will probably have a positive effect," said Mr McCullagh.