What makes a cyberattack? Experts lobby to restrict the term
Raphael Satter, The Associated Press
Published Tuesday, March 28, 2017 2:55PM EDT
LONDON -- When U.S. senator John McCain told Ukrainian television that the allegedly Russian-backed breach of the Democratic National Committee's server was "an act of war," Michael Schmitt cringed.
Schmitt, a professor of law at the U.S. Naval War College and University of Exeter in England, has spent years trying to defuse talk of cyberattacks, an expression used to describe everything from remotely disabling a city's power grid to stealing a Facebook password. The concern, for Schmitt and others, is that overheated rhetoric could prompt dangerous diplomatic missteps.
"We're very nervous when people say 'cyberattack,' because a 'cyberattack' opens the door to a state responding at very highest level of severity," Schmitt said in a recent interview. "If there's any area where we need to be careful, it's this."
Schmitt is one of a group of academics campaigning to change the language around electronic subterfuge. Their work on a recently published handbook, the Tallinn Manual 2.0, is meant to help policymakers to distinguish serious attacks from minor incidents. Other experts are directly lobbying journalists and politicians to moderate their tone.
"Words matter," said Thomas Rid, who teaches at the Department of War Studies at King's College London. "Words affect intelligence operations; words affect military operations; words affect the behaviour of allies and enemies. And of course words shape what lawmakers think and what laws are made. So if we're not precise, we're literally escalating a problem."
Professionals are trying to knock back talk of cyberattacks, too. When Oklahoma Senator Jim Inhofe described the massive data breach at the U.S. Office of Personnel Management as one of America's "most damaging cyberattacks," one of America's top spymasters corrected him.
"I would say that this was espionage," then-National Security Agency Director James Clapper said. "I think there is a difference between an act of espionage, which we conduct as well, and other nations do, versus an attack."
The indiscriminate use of the word "cyberattack" can also tip the scales of justice, said attorney Jay Leiderman, who has represented a Who's Who of American hackers. Two of the cases Leiderman has been involved in, those of activist Jeremy Hammond and gonzo journalist Barrett Brown, have featured stiff sentences meted out over alleged "cyber attacks."
"It affects the ability to get a fair trial," said Leiderman. "The person who screws around a little bit is getting the same type of charges and the same kind of media coverage as a state-sponsored actor."
Some don't think it's necessary to crack down on the term.
Dieter Fleck, the honorary president of the International Society for Military Law, said it was generally fine to use the word "cyberattack" so long as it wasn't confused with the much more serious category of intrusions formally known as "armed attacks."
But Jake Davis, the ex-spokesman for the Lulz Security group of hackers, said journalists needed to articulate what was happening online without resorting to the word "cyberattack," a verbal crutch which he said came "from a place of laziness."
The Associated Press Stylebook is defining a cyberattack narrowly as something that causes "physical damage or significant and wide-ranging disruption." The malicious code that allegedly wrecked Iran's centrifuges would qualify. The daily drumbeat of leaks and breaches wouldn't.
The Stylebook definition, announced Friday, was welcomed by Schmitt, who called it a "monumental step forward."
Even those who worry that the misuse of the word "cyberattack" is too widespread to stop backed the move.
"It may be too late," said Josephine Wolff, an associate of the Harvard Berkman Center for Internet & Society. "But I do think that there's value in helping people making the distinction."