The U.S. government needs to figure out how it will respond to acts of cyberwar, as foreign governments increasingly look to gain advantages in cyberspace, a group of cybersecurity experts said Wednesday.
One problem, however, is that there wasn't consensus among the panelists on what exactly constitutes an act of war in cyberspace.
The U.S. military has used cyberattacks to disrupt enemy communications in Iraq, but it seems to have backed away from using cyberattacks on major infrastructure, said Shane Harris, a reporter with the National Journal who has written about the U.S. cyberwar policy in Iraq.
So far, most nations have taken the same approach, added James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, a Washington, D.C., think tank. Nations haven't yet waged all-out cyberwar against each other because they're afraid of retaliation, he said.
There's a difference between war and conflict, he said during a cyberwar discussion at the Congressional Internet Caucus' State of the 'Net conference. "To me, cybercrime and espionage are not acts of war," Lewis added.
An act of war would include disruption of services and physical damage, Lewis said. "As you start to move toward damage and casualties, then we're talking about warfare," he said. "We're in the stages before warfare. We're in the stages where people are poking around."
But cyberwarfare is likely coming, and the U.S. government needs to update its national security strategy to reflect that possibility, Lewis said.
With the possibility of cyberwar, the U.S. government should focus largely on defense, because of outstanding questions about rules of offensive engagement, said Greg Nojeim, senior counsel at the Center for Democracy and Technology, a digital rights group.
"Cyberspace is a battlefield that is much more complicated than other battlefields," he said.
Lewis disagreed, saying the U.S. needs to have both defensive and offensive capabilities. The U.S. needs ways to deal with all kinds of cyberattacks, from cybercriminals to attacks by nations, he said.
"Unless we find a way to use offensive capabilities as part of a deterrence or strategic defense, we will be unable to defeat these opponents," he said.
Part of the problem with responding to cyberattacks has been attributing the attackers, but the attacked companies and agencies can now identify where about 25 percent of attacks come from. The majority of attacks come from inside a couple of countries, including China, he said.
The Chinese government, in recent days, has denied ties with cyberattackers after Google complained about attacks allegedly coming from inside the country.
Robert Holleyman, president and CEO of trade group the Business Software Alliance, said vendors are working hard to decrease vulnerabilties and reduce cyberattacks, but he called on the U.S. Congress to pass a bill requiring breached businesses to report the attacks to affected consumers. He also called for a central place, a sort of "cyber 911" emergency reporting system where businesses could report cyberattacks to government agencies fighting cybercrime.
Lewis suggested that the U.S. government needs to take a bigger role in fighting cyberattacks directly, instead of leaving it to private businesses. "What if we got rid of the Air Force and told our airlines to defend our air space?" he said.
But Nojeim said private companies, and not the government, are best able to defend themselves. "Who knows Google's system better than Google?" he said. "Who can defend them better?"