OECD: Concept Of Cyberwar Is Overhyped

from the nice-to-finally-see-this dept

Mon, Jan 17th 2011 2:55pm — Mike Masnick

We've spent plenty of time over the past year or so discussing how the concept of a "cyberwar" has been blown totally out of proportion, often by those seeking to get rich off of the fear. We've been ridiculed for this, often getting messages from people saying that we don't know what's really going on. However, now the OECD, a rather respectable organization, has stepped up and said the same thing: the concept of a "cyberwar" is totally overhyped, and while there may be random computer-based hacks and attacks here and there, to label it as a "war" is way beyond reasonable.

Attempts to quantify the potential damage that hi-tech attacks could cause and develop appropriate responses are not helped by the hyperbolic language used to describe these incidents, said the OECD report.

"We don't help ourselves using 'cyberwar' to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks," said Professor Peter Sommer, visiting professor at LSE who co-wrote the report with Dr Ian Brown of the Oxford Internet Institute.

"Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure," added Prof Sommer.

Part of the problem is that people (again, often with questionable agendas) like to lump all sorts of very different activities under the single heading of "cyberwar" to make it sound like a bigger issue than it really is (and, presumably, to get more money). It's nice to see more level-headed analysis coming out of groups like the OECD. Now, if only governments will actually listen...

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cyberwar, oecd

22 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 17 Jan 2011 @ 2:56pm

Organisation for Economic Cooperation and Development.

Yup, call in the economists to explain a computer issue.
[ link to this | view in chronology ]
drew (profile), 17 Jan 2011 @ 3:21pm

dammit!
Was just going to send this one in. Nice to see a bit of recognition that there's a vast amount of hype and fear-mongering going on.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Jan 2011 @ 3:31pm
  
  Re: dammit!
  I think we truly should publicize this issue more in the press so everyone can really see how fear-mongering and hype could be the end of our society, and our country as we know it.
  Perhaps Rep. King could get right on this ...
  [ link to this | view in chronology ]
- The Mighty Buzzard (profile), 17 Jan 2011 @ 3:39pm
  
  Re: dammit!
  And yet, nobody I've actually met in person pays attention to the issue. No matter how much they hype it.
  [ link to this | view in chronology ]
  - Not an electronic Rodent, 18 Jan 2011 @ 1:42am
    
    Re: Re: dammit!
    And yet, nobody I've actually met in person pays attention to the issue. No matter how much they hype it.
    Unfortunately it's worse if people don't pay attention to it. Then it becomes insidious, like the rest of security theatre, all you have to do is keep blasting it out in the media "there's a war going on you know nothing about and we are keeping you safe even though you never see it".
    
    Because people actually don't understand it and don't care that much it goes in at a lower-conciousness level and becomes generally accepted wisdom, which is much harder to fight against with reasoned argument because everyone "knows".
    [ link to this | view in chronology ]
    - Chris in Utah (profile), 18 Jan 2011 @ 5:29am
      
      Re: Re: Re: dammit!
      And then people wonder why I have infowars as my URL. Hoping Average Joe is reading.
      [ link to this | view in chronology ]
    - Almost Anonymous (profile), 18 Jan 2011 @ 10:29am
      
      Re: Re: Re: dammit!
      Excellent, EXCELLENT post. Can't click 'Insightful' enough. I was going to say something similar, but you put it much more eloquently that I would have.
      
      Bottom line for me: fearful people are much easier to herd and control. This is why 'they' implemented the color-coded turrist alert system, and why 'they' will keep beating the cyberwar drum.
      
      'they' = media, government, paranoid delusionals, pick your poison
      [ link to this | view in chronology ]
fogbugzd (profile), 17 Jan 2011 @ 3:47pm

Ask the Iranians
I am guessing that OECD didn't ask the Iranians about the reality of cyber warfare. http://www.itworld.com/security/133836/us-israel-appear-confirm-role-stuxnet-nyt

My biggest concern is that governments around the world will use the excuse of cyberwar to do lots of other things such as imposing more intrusions into personal freedoms and enhancing IP protections.
[ link to this | view in chronology ]
- Anonymous Coward, 17 Jan 2011 @ 4:12pm
  
  Re: Ask the Iranians
  I'd be wary of any government that sponsors development of worms and viruses.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Jan 2011 @ 6:32pm
    
    Re: Re: Ask the Iranians
    So, all of them?
    [ link to this | view in chronology ]
Jonathan (profile), 17 Jan 2011 @ 4:05pm

The Imaginary and the Real
Granted that there is a lot of hype around cyberwar,
let's also keep in mind the real-world demo of a weapon in this war. Stuxnet, if we believe the analysis, caused major grief in Iran and had a significant impact on the development of their nuclear capabilities.
This appears to have been well architected, tightly targeted, military-grade smart weapon that has been very difficult to remediate and caused serious hardware damage.
I wouldn't want my infrastructure to be the target of Stuxnet 2.0.
[ link to this | view in chronology ]
- Marcus Carab (profile), 17 Jan 2011 @ 5:25pm
  
  Re: The Imaginary and the Real
  Agreed - there are real things that could reasonably be put under the heading of "cyberwar" (even if it is a somewhat sensational heading - the concept isn't entirely unsound). Of course, it seems that simply referring to these things as new forms of digital attack used in conflicts is more accurate than creating a whole new class of conflict - but you're right that there are elements of cyberwarfare out there, and one day we may see a war that is primarily driven by digital attacks.
  
  However the real issue is, as you say, the hype - mainly the hype that lumps all sorts of things together as cyberwar. Suddenly spam, fraud, Wikileaks and 4chan are all part of the "cyberwar" - and that's where things start to get silly.
  [ link to this | view in chronology ]
- Mike Masnick (profile), 17 Jan 2011 @ 5:57pm
  
  Re: The Imaginary and the Real
  Stuxnet, if we believe the analysis, caused major grief in Iran and had a significant impact on the development of their nuclear capabilities.
  
  I would argue that's much more on the espionage front, than any "war" development.
  [ link to this | view in chronology ]
  - Anonymous Coward, 17 Jan 2011 @ 6:09pm
    
    Re: Re: The Imaginary and the Real
    And may I add that, if there's any "war" development in this case, it would not happen on the network side.
    
    I'd consider them as "brain-dead" if they don't enforce physically isolated network in their nuclear development facilities. You don't need a targeted espionage... just some random routine virus/worm can wreak havoc easily.
    [ link to this | view in chronology ]
  - sumquy, 17 Jan 2011 @ 8:29pm
    
    Re: Re: The Imaginary and the Real
    but that is exactly the point. it wasn't espionage. or at least not primarily, stuxnet's purpose was to infiltrate iranian nuclear facility and to destroy as many centrifuges as possible before being detected. i agree that a lot of things like hacking, espionage, ddos, etc... aren't "cyberwarfare" at all.
    
    Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure," added Prof Sommer.
    
    exactly. stuxnet was a "determined attempt to disrupt critical national infrastructure"
    
    you really need to read more deeply into it, because half of what i,ve read you comment on it is wrong.
    [ link to this | view in chronology ]
abc gum, 17 Jan 2011 @ 5:12pm

Could it be that Mother Nature is the biggest potential cyber terrorist? (solar flare) Do not expect any attention to be paid towards this very real threat ... no, in fact this will be largely ignored because there is no monetary reward. When it does happen, it will be called a natural disaster and tax money will be used to fix it - so why should any business feel responsible for addressing the issue in a proactive manner when it has a negative affect upon their bottom line. I recall news items from the past where satellite outage was attributable to solar activity, as was at least one power grid disruption. I imagine that the cost was absorbed by either the tax payer, rate payer, or insurance payer. It is almost humorous to watch, but they are gambling with my money and without my consent.
[ link to this | view in chronology ]
Anonymous Coward, 17 Jan 2011 @ 6:31pm

I think the main problem is the word "war" in the term "cyberwar." People use the word "war" to describe any conflict between two individuals/organizations. You can, for example, have a huge, multi-year conflict between two or more nations that involves shooting, bombing, and invading countries, but not declare actual "war," yet people still call it one (and perhaps rightfully so, although not strictly correct in legal terms). You can have corporate wars, where two corporations struggle for the same market. You can have format wars, where two technologies backed by large groups compete for the same niche. Then you get the world wars and (thankfully non-existent) nuclear wars.

So yes, Mike, defining a cyberwar as one nation-state using cyber assets to cripple or destroyer another nation-state, the threat of cyberwar is vastly over exaggerated, especially considering that cyber attacks generally augment physical attacks. But who's to say that a "cyberwar" is not what we're seeing right now?

We (the country/world/media) have to decide on a definition of "cyberwar" before you can even think to start discussing if one is likely.
[ link to this | view in chronology ]
- abc gum, 17 Jan 2011 @ 8:23pm
  
  Re:
  One,
  Two,
  Three,
  Four,
  I declare a cyberwar
  [ link to this | view in chronology ]
aperson (profile), 18 Jan 2011 @ 12:01am

Gotta say, stuxnet looked like one hell of a step forward in terms of offensive capability. We might not be taking cyberwar seriously, but a lot of money paying a lot of talent...black projects have been behind a lot of interesting developments.
[ link to this | view in chronology ]
Chris in Utah (profile), 18 Jan 2011 @ 5:33am

Vison for the future?
I'm wondering if the next presidential race is going to be on a platform of a war on the internet. They'll of course use a PC word (aka Net neutrality). And in true Orwellian fashion we'll believe both Net neutrality and protection from net threats are one truth... or I mean bill.
[ link to this | view in chronology ]
Anonymous Coward, 18 Jan 2011 @ 6:08am

The American government has always felt that the only way to unite the people is to have a war to incite patriotic fervor.
[ link to this | view in chronology ]
Hagai, 28 Jan 2011 @ 4:10am

Stuxnet very real, but statistics are indeed inapplicable
I disagree about Stuxnet: dismissing Stuxnet for not being the norm is not a good idea. On the other hand, I agree about the inapplicability of statistics. Demonstrating cyber-war shall be qualitative rather than quantitative. Cyber-war shall be dealt with, but it cannot be demonstrated by statistics, but by analysis of all that has not yet happened. See interesting post about the research: Cyber-war Risk Exaggerated?.
[ link to this | view in chronology ]