Friday, October 9, 2009

Skoudis at HitB2009

Ed Skoudis gave an interesting keynote speech (available here, PDF) at the Hack in the Box conference held in Kuala Lumpur yesterday. The talk included a section on cyberwar that was, in some ways, the complete inverse of Marcus Ranum's Cyberwar is Bulls**t speech the previous year (slides here, PDF).

Plenty of interesting points mentioned. Here are a few, and just a few of the questions they raised:

There's been talk that some countries are leaning towards viewing cyber attacks as being on par with a traditional kinetic attack (i.e., involving nukes, guns and blood), and possibly requiring appropriate military responses.

Yet, there is no consensus on what constitutes a significant attack – one power grid control station taken down? A town's Internet access shut down? Or, as one of our Analysts put it, "what would *really* constitute a digital 9/11?"

One of Skoudis's contentions is that an attack that takes down an entire country's Internet access is fundamentally similar to a blockade, which is historically accepted as an act of war. The 2007 attacks on Estonia spring to mind. Is that really an accurate, legally acceptable premise though? Can an online attack really cause significant damage to an entire nation's trade/economy/social structure?

On a higher level, assuming this issue isn't just a storm in a teacup, should supra-national organizations like the UN or EU pass legislation dealing with cyberwar? Say, something like setting rules of engagement or a "cyber Geneva Convention"?

The US and Russia can't agree on a proposed treaty (New York Times article) dealing with the cyberwar "threat"; is there any likelihood that multiple countries with varying Internet connectivity and cyberattack capabilities would be able to cobble a working treaty together?

And what about information security professionals? In events like the Estonia and Georgia cyber attacks, where commercial sites were targeted rather than military ones, it was the average system administrator or security professional that had to deal with the immediate effects of the attack. Do they have a part to play in mitigating cyberwar threats? Is the scope out of the industry's hands? Is it just "not my problem"?

Lots of things to think about, with no consensus in sight. A lot of blog posts, articles and comments – both supporting and dissenting – were generated by Ranum's talk on this topic last year; this year's talk looks set to generate more.

It would probably be interesting to listen to Ed Skoudis and Marcus Ranum debating this topic.