When is a cybercrime an act of cyberwar?

There is growing talk of cyberwar, as opposed to run-of-the-mill cybercrime. There are also terms that lies somewhere in the middle called cyber espionage, and cyber hacktivism - which is sort of like cyber terrorism for good guys. At the heart of the debate is an attempt to define the scope of an appropriate response to each type of threat.

Former US cyber-security tsar Richard Clarke describes scenarios in his book Cyber War: The Next Threat to National Security and What to Do About It of nationwide power blackouts, poison gas clouds and burning oil refineries, aircraft dropping from the sky and crashing subways. Those are the types of attacks that would seem to clearly indicate an act of cyberwar, but there are also many nuanced attacks in between that muddy the waters.

What's in a name?

The problem is that there are subtle semantic differences in the way different parties apply the terms cybercrime, cyberwar, cyber espionage, cyber hacktivism, or cyber terrorism. There is no clear consensus, which complicates the process of determining what level of law enforcement or government should be engaged to address a given attack.

Richard Stiennon, chief research analyst at IT-Harvest and author of Surviving Cyberwar, explains that the methods used can be identical. That means it takes a deeper investigation into the goals and motives of the attack to assign a label to it.

Mike Reagan, CMO of LogRhythm, believes that the lines are definitely getting blurred, but the distinction matters in terms of defining whether an incident is the responsibility of law enforcement or the military. "Cyberwar could be characterized as the use of cyber weapons to destroy enemy capabilities and/or populations. Cyber-crime could be defined as the use of cyber weapons/tools to execute a criminal act driven by any number of reasons."

Stiennon draws some distinctions in the definitions as well. A cybercriminal is generally motivated purely by profit. That is a different goal than cyber espionage, which seeks to access intellectual property for military or industrial strategic advantage, or cyberwar, which focuses on actually sabotaging infrastructure, disrupting critical systems, or inflicting physical damage on an enemy.

Take away the "Cyber"

Andrew Storms, director of security operations for nCircle, suggests a fitting and helpful analogy. "Remove the prefix from 'cyber crime' and apply the same judgment used in other contexts. Does stealing some cereal from the corner market constitute a crime or an act of war against the market owner? This analogy holds true even at larger scales; does a data breach at a Fortune 500 company call for the FBI or the Marines?

Storms also draws a parallel between the naval blockade during the Cuban Missile Crisis, and a denial-of-service (DoS) attack against a nation's infrastructure. The point being that its possible to have state-sponsored hostilities or acts of aggression that don't cross the line to become an "act of war".

Stiennon points out, though, that even tracing an attack to its source may not clarify the matter. "The difficulty is that the attacker could be a lone wolf like the Comodo Hacker, a street gang like the Nashi, or an organized terrorist cell--none of which fall into a Clausewitzian definition of war."

Does it really matter?

At a panel discussion on cyber war at a recent media event hosted by Kaspersky, Alex Seger, head of the Economic Crime Division of the European Council, expressed his opinion that the semantics of defining cybercrime vs. cyberwar are largely irrelevant. Seger says that rather than focus on definitions we should focus on the attacks: methodologies, targets, and consequences - regardless of attribution.

This is true depending on your perspective. At the level where PCs are compromised, and sensitive data is exposed, it is somewhat irrelevant why it happened. What matters is that it did happen, and the focus should be on mitigating damage from the incident and implementing defenses to prevent it from happening again.

Unless you happen to be (or work for) a defense contractor handling top secret information, or a part of the critical infrastructure managing things like water treatment facilities, natural gas pipelines, or air traffic control, the odds are probably slim that a given cyber attack will qualify as cyberwar.

You don't really need to concern yourself with how to lable the attack, though. Ultimately, it is hard to imagine any act of cyberwar that wouldn't also be a violation of existing laws. In that sense, all cyberwar is cybercrime, but not all cybercrime is cyberwar.

If your business experiences a cyber attack of any sort, it is best that you engage the appropriate authorities at your local level, and leave the cybercrime / cyberwar debate to law enforcement, government agencies, and politicians.