When Is a Cybercrime an Act of Cyberwar?

With no consensus on clearly defining the terms, it's easy to get confused by the array of labels available for a given cyber attack.

There is growing talk of cyberwar, as opposed to run-of-the-mill cybercrime. There are also terms that lie somewhere in the middle: cyber espionage, and cyber hacktivism--which is sort of like cyber terrorism for good guys. At the heart of the debate is an attempt to define the scope of an appropriate response to each type of threat.

Former U.S. cyber-security tsar Richard Clarke, in his book Cyber War: The Next Threat to National Security and What to Do About It, describes scenarios of nationwide power blackouts, poison gas clouds and burning oil refineries, aircraft dropping from the sky and crashing subways. Those are the types of attacks that would seem to clearly indicate an act of cyberwar, but there are also many nuanced attacks in between that muddy the waters.

What Is In a Name?

The problem is that there are subtle semantic differences in the way different parties apply the terms cybercrime, cyberwar, cyber espionage, cyber hacktivism, or cyber terrorism. There is no clear consensus, which complicates the process of determining what level of law enforcement or government should be engaged to address a given attack.

Richard Stiennon, chief research analyst at IT-Harvest and author of Surviving Cyberwar, explains that the methods used can be identical. That means it takes a deeper investigation into the goals and motives of the attack to assign a label to it.

Mike Reagan, CMO of LogRhythm, believes that the lines are definitely getting blurred, but the distinction matters in terms of defining whether an incident is the responsibility of law enforcement or the military. "Cyberwar could be characterized as the use of cyber weapons to destroy enemy capabilities and/or populations. Cyber-crime could be defined as the use of cyber weapons/tools to execute a criminal act driven by any number of reasons."

Stiennon draws some distinctions in the definitions as well. A cybercriminal is generally motivated purely by profit. That is a different goal than cyber espionage, which seeks to access intellectual property for military or industrial strategic advantage, or cyberwar, which focuses on actually sabotaging infrastructure, disrupting critical systems, or inflicting physical damage on an enemy.

Take Away the "Cyber"

Andrew Storms, director of security operations for nCircle, suggests a fitting and helpful analogy. "Remove the prefix from 'cyber crime' and apply the same judgment used in other contexts. Does stealing some cereal from the corner market constitute a crime or an act of war against the market owner? This analogy holds true even at larger scales; does a data breach at a Fortune 500 company call for the FBI or the Marines?"

Storms also draws a parallel between the naval blockade during the Cuban Missile Crisis and a denial-of-service (DoS) attack against a nation's infrastructure. The point is that it's possible to have state-sponsored hostilities or acts of aggression that don't cross the line to become an "act of war".

Stiennon points out, though, that even tracing an attack to its source may not clarify the matter. "The difficulty is that the attacker could be a lone wolf like the Comodo Hacker, a street gang like the Nashi, or an organized terrorist cell--none of which fall into a Clausewitzian definition of war."

Does It Really Matter?

At a panel discussion on cyber war at a recent media event hosted by Kaspersky, Alex Seger, head of the Economic Crime Division of the European Council, expressed his opinion that the semantics of defining cybercrime vs. cyberwar are largely irrelevant. Seger says that rather than focus on definitions we should focus on the attacks: methodologies, targets, and consequences--regardless of attribution.

This is true depending on your perspective. At the level where PCs are compromised, and sensitive data is exposed, it is somewhat irrelevant why it happened. What matters is that it did happen, and the focus should be on mitigating damage from the incident and implementing defenses to prevent it from happening again.

Unless you happen to be (or work for) a defense contractor handling top secret information, or a part of the critical infrastructure managing things like water treatment facilities, natural gas pipelines, or air traffic control, the odds are probably slim that a given cyber attack will qualify as cyberwar.

You don't really need to concern yourself with how to label the attack, though. Ultimately, it is hard to imagine any act of cyberwar that wouldn't also be a violation of existing laws. In that sense, all cyberwar is cybercrime, but not all cybercrime is cyberwar.

If your business experiences a cyber attack of any sort, it is best that you engage the appropriate authorities at your local level, and leave the cybercrime / cyberwar debate to law enforcement, government agencies, and politicians.
