Understanding the Distinction Between Cyberwar and Espionage

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 27 April 2022

Tips of the Trade

“May you live in interesting times” is an apocryphal curse that is purported to be of Chinese origin. On the surface, it sounds like a good thing: one would think everyone would want to live in interesting times. However, the events that make for interesting times are rarely desired. Cybersecurity practitioners appear to be continuously living in interesting times. For example, it has long been forecasted that cyberwar would be featured in the next armed conflict, or comprise it entirely. As of this writing, that has yet to come to fruition, though it has come close on multiple occasions.

It is fair to pose the question “What exactly is cyberwar?” because it is easy to conflate espionage with warfare. Nation-states have spied on each other for what seems like forever. They have collected information about strategies and priorities and watched for troop and materiel movements. So, while it can damage international relations, espionage is not technically illegal. War, however, is illegal under international law. Clearly, that has not stopped nation-states and other groups from conducting war. War traditionally has been used to resolve conflicts by harming people and destroying property, economies, cities, and entire countries. Under international law, war is classified as either an international armed conflict (IAC) or a non-international armed conflict (NIAC). IAC is what one would consider traditional war: one nation-state fighting another. NIAC can involve factions inside a nation-state conducting warfare. In both cases, war requires that property or infrastructure be destroyed or people be harmed.

So, how does a cyberwar happen? It would require that a nation-state, or faction within a nation-state, use technology to cause or bring about death or destruction. This would be considered kinetic action, namely, technology being manipulated to bring about death and destruction. The Stuxnet incident in Iran in 2010 was the first widely agreed-upon act of cyberwar (although not reciprocated, at least not kinetically). There are other examples of cyberwar that some may cite. However, the lack of kinetic action means they are technically considered espionage.

Since most people are not international legal scholars, the distinction between cyberwar and espionage can be lost. This leads to the layperson miscategorizing espionage as cyberwar. As a result, the average person likely believes that cyberwar is happening all the time. It is important to set expectations in one’s organization about this distinction and how it applies to one’s particular situation. For example, kinetic cyberevents trigger more availability concerns, while espionage triggers data disclosure events. How this plays out in an organization has implications for how that organization prepares for cyberwar, from the board of directors (BoD) to entry-level employees.

For all the concerns about cyberwar, if the past is any indicator, there is likely to be more espionage and information warfare than kinetic cyberwar. That is the good news. However, the bad news is that battling against nation-state threat actors attempting espionage and data disclosure is made all the more difficult by the skills and tools they bring to bear. Despite that, we can hope that cyberwar continues to stay out of the kinetic realm.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is a vice president and head of cyberrisk methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.