In a recent PolicyMic article, my colleague Luukkas Ilves argues many governmental and trans-national “cyber security strategies” lack concrete guidance on how states should improve their cyber security and promote global norms. While I fully agree, I would like to expand on this assessment and highlight an element holding back current attempts at robust cyber strategy; there is a lack of coherent terminology for distinguishing between cyber attacks and cyber crime. In fact, I believe much of what is commonly labeled as a “cyber attack” is in fact crime, fraud, or even political protest. To avoid such confusion, we need to be more precise with our language when discussing the cyber domain.
“Attack” has rapidly become the legitimate term for describing almost all cyber-security incidents, and has come to dominate related technological lingo. Our firewalls are “breached,” our networks can be “taken down,” and our information can be “plundered.” External “intruders,” often anonymously, “attack” us on a daily basis through viruses, worms, and aptly named "Trojan Horses."
At first glance, such language seems justified. The country-wide distributed denial of service (DDoS) inflicted on Estonia’s networks in 2007 and the potentially catastrophic disruptive capabilities of the Stuxnet virus represent a threat to global security. These are concrete incidents of serious “attack.” But is this always the case?
For instance, let’s take three other prominent “attacks” that made headlines worldwide last year. In one incident, Sony was forced to admit that hackers accessed the personal information of 77 million online customers through their Playstation 3 consoles. In another, the “hackivist” group Anonymous was implicated in taking down financial sites that disowned the whistle-blowing website Wikileaks. More recently, U.S. defense firm Lockheed Martin “detected a significant and tenacious attack on its information systems network."
Contrary to the terminology used in the media and elsewhere, I argue that none of these incidents were an “attack” at all. The first was intended to facilitate fraud, by harvesting financial details. The second was political activism, to protest the actions of big business regarding Wikileaks. The third was an attempt at theft (or perhaps espionage?), in this case, aimed at industrial secrets. None were attacks in the name of creating insecurity, but instead had motivations more commonly associated with conventional crime.
If this seems a pedantic point, consider the implications in legal terms. When an individual breaks a window during a robbery, they are not the arrested for “attacking” that building. Their crime is theft, and prosecuted as such.
Similarly, by failing to better define some forms of nefarious cyber-activity as crime, and not an “attack,” we risk muddling the policy agenda. For instance, the U.S. recently announced that cyber-incidents could now be considered an “act of war.” How can such a serious policy decision be made when the Stuxnet virus (capable of melting down a nuclear centrifuge) is routinely referred to in the same context as hackers stealing Call of Duty account details? Millions of Americans were financially affected by the Playstation breakdown, but could this ever be considered an act of war? The comparison is facile, and so is any policy that fails to clearly define this boundary.
Cyber space is a young policy domain, and some linguistic and legal confusion is to be expected. Regardless, until both commentators and policymakers acquire the discipline to distinguish between true attacks on national security and more common crime, we cannot develop a coherent cyber security agenda.
Photo Credit: Wikimedia Commons