Cyberwar vs. Cyber-Espionage vs. Cybercrime

For the purpose of conceptual clarity, it’s probably best to think of things from this framework. Otherwise we may lose sight of what actually constitute military vs. law enforcement cyber-threats.

  • Cyberwar: The use of cyber weapons to violently destroy–or threaten to destroy–enemy capabilities. This ranges from command and control warfare against enemy C2 systems to strategic attack on enemy population centers during war (all of the doom scenarios about destroying the power grid, etc). This has never happened. Stuxnet is the closest to this but falls more–if we or the Israelis were involved–under the framework of covert action. In others words, the digital equivalent of overthrowing the Iranian government in the 1950s. Note that cyber war will mostly be performed by states but not exclusively. (Update: Alex informs me that there were significant computer-to-computer links involved in the information attack on Syrian air defenses a couple years back).
  • Cyber-Espionage: The exploitation of computer systems to steal industrial, military, and political information as well as military reconnaissance efforts to probe the security of adversary defense networks and industrial infrastructure. Note that most–if not all–things dubbed ‘cyber-war’ are really just cyber-espionage.
  • Cybercrime: Petty hacking, political activism, large-scale criminal enterprises, etc. Again, most of what is called cyberwar is in fact cybercrime. Cyber-terrorism fits rather uneasily between the spectrum of cyberwar and cybercrime and is mainly a matter of scale. Significant armed rebellion using cyber tools would be considered within the framework of ‘war,’ but the cyber equivalent of the Jonestown cult would probably not be considered to be warfare.

Note that these are only ideal categories–in practice they blend together significantly.


4 thoughts on “Cyberwar vs. Cyber-Espionage vs. Cybercrime

  1. lot of cybercrime is around “breaches” … harvesting financial transaction account information for the purpose of performing fraudulent transactions.

    we were tangentially involved in the cal. state breach notification legislation being brought in to help wordsmith the electronic signature legislation. some of the parties had done detailed public surveys of privacy issue and found #1 was “identity theft” … in large part the “account fraud” kind frequently as result of breaches. In many of the breach cases, the custodian of the data was processor or merchant which were not at risk from exposure of the information (i.e. the crooks used the information to drain customer accounts). At the time, there was little being done about breaches (almost no awareness that the account fraud was occurring as a result of breach) and there was some anticipation that the publicity resulting from breach notification would provide some motivation to take corrective action.

    in the decade or so since the cal. legislation there have been numerous federal pre-emption bills introduced … that roughly fall into two categories 1) similar to original cal. legislation and 2) notification legislation eliminating most requirements for notification.

    most of the breach “cybercrime” … looks much more like cyber-espionage … stealing information … for criminal purposes.

    besides many of the entities holding the data aren’t at risk with its exposure (modulo data breach notification legislation), another problem is the enormous mismatch between the defenders and the attackers, the value of the information for large majority of the defenders is the profit from the transaction (potentially a couple dollars) while the value of the information to the attackers can be two orders of magnitude larger (100 times or more), from fraudulent transactions draining the accounts (“security proportional to risk” metaphor).

    in the 90s, there was work on slightly tweaking the paradigm so that exposure of the information was no longer a risk … it didn’t do anything to eliminate breaches … it just eliminated the ability for crooks to use the harvested information (breaches, skimming, evesdropping, etc) for performing fraudulent transactions (eliminating crooks motivation for such activities). for various reasons, the solutions have yet to be deployed. there have been a number of metaphors attempting to illustrate various aspects of the current environment … one such “dual-use” … information exists at millions of locations & required to be available for large number of business processes, so even if planet was buried under miles of information hiding encryption, it couldn’t stop leakage.

  2. recent articles:

    Breaches and Security, By the Numbers
    Cyber attacks outpace global response, U.S. warns
    Secret Service Reveals How It Stalks Cybercriminals
    Hackers ‘should fight cyber spies’

    this is old post about attempting to do taxonomy from exploit cve database:(at the time managed by Mitre, since taken over by NIST).

    I talked to Mitre about possibly getting a little more structure into the reporting … but (at the time) they said they were lucky getting any description at all.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s