Talk of cyberwar and a cyber Pearl Harbor seems to have been a regular fixture of news reports in the last few months, with prominent U.S. administration officials like Janet Napolitano or Leon Panetta regularly touting the threat of a cyber attack on the United States. But not everybody is buying it. For one, Howard Schmidt, the former chief cybersecurity advisor to President Barack Obama, is skeptical.
“I don’t share the viewpoint that we’re on the brink of disaster every time a new worm comes out or a new DDoS (distributed denial of service) comes out,” he told Mashable. In fact, he even disagrees with the terminology that’s being used. “I don’t like using the word cyberwar, and I don’t like using the word cyber 9/11, cyber Pearl Harbor and all these other things,” he said.
Schmidt sat down to talk with Mashable after the 2013 Kaspersky Cyber-Security Summit in New York City on Wednesday, where he discussed cybersecurity with Eugene Kaspersky, the head of the eponymous online security giant.
Schmidt said he’s not discounting the threat. In fact, he is well aware of the potential disruption that cyber attacks could cause. For him, the worst-case scenario is an attack that takes out power, something that could have cascading and potentially very damaging effects. It’s exactly for this reason that he also warns that using cyberweapons or malware against another nation should be a measure of last resort.
“You can use fire in a conflict if you’re not going to burn. If you’re going to burn, you better not care about what’s going to burn,” he said. “And in cyberspace you think about how vulnerable we are in the United States and generally in the developed countries, that could have a worse effect than what we’re trying to solve to begin with.”
Malware, as opposed to actual bombs, isn’t destroyed once it’s used, and targets can take a look at the code and re-use it. Schmidt mentioned the example of a piece of malware that could be used to stop a country from launching a nuclear weapon, a last-resort scenario in which most countries would agree a cyber attack is warranted. But you still need to think twice about it. “If that can be turned around, reverse-engineered and modified, and keeps you from having your airplanes take off or your trains from working, that’s bad,” he said. “If it ever needs to be done, it’s got to be given a tremendous amount of thought.”
So far, there is no official proof that any country has ever engaged in a cyber attack, although certain malware attacks have been linked to different nations. The Stuxnet worm, which disrupted Iran’s nuclear facilities, has been attributed to the United States and Israel, and the recently uncovered cyber espionage operation Red October is rumored to be either a Russian or a Chinese operation.
To avoid a cyber arms-race and an escalation in cyber attacks, Kaspersky has openly advocated for more online regulation, including international treaties limiting the use of malware — just like there are treaties against biological and nuclear weapons.
For Schmidt, that’s not a viable solution because it would be hard to enforce such a treaty. “At some point in the future maybe that will work but right now, number one, we have enough difficulty enforcing treaties of physical things that you can actually count, whether it’s weapon systems or whether it’s export import of these things, it’s extremely difficult,” he said.
Instead of a treaty that will take decades to become reality, Schmidt thinks countries should just respect the rules of engagement that already apply in real warfare. In war “we don’t just arbitrarily start shooting at people, we don’t send planes, we have respect for airspace, we have respect for a lot of the international laws,” he said. “Cyberspace should not be any different.”
Another aspect of cybersecurity that Schmidt has worked on is the protection of personal data online. While at the White House, Schmidt devised the National Strategy for Trusted Identities in Cyberspace, an Internet identity system that had the goal of improving both security and privacy online. Schmidt’s idea was to entrust the private sector with delivering such a system. Government regulation in these cases, he argues, is rarely a good idea. “I’ve never found that government regulation, particularly when it comes to technology, does not have at some point unintended consequences,” he said.
That’s why he opposes the idea of creating a national electronic passport or ID, another solution that Kaspersky has endorsed in the past. While Schmidt admits that it could work in certain countries and cultures, it would never work in the United States. And it might be a bad idea in many cases anyway. “If we have everybody have an Internet identity that governments can have access to, think what would’ve happened during the Arab Spring. People would have been killed.”