So if the attacks of recent years aren't warfare, what are they?
Spies or criminals?
A lot of what's going on is happening on two levels: cyber espionage and cyber crime on a massive -- and growing -- scale. They aren't new, said Patricia Titus, the former chief information security officer at the Transportation Security Administration who now holds a similar post at Unisys Corp. But the attacks on Google and other companies refocused attention on the scope of the problem, she said.
Many of the recent attacks tended to originate from China, though countries such as Russia and India are also suspect. Specific companies and government organizations are usually targeted through the use of social engineering tricks, advanced reconnaissance and sophisticated malware tools that can quietly penetrate networks and steal data. What's not always clear is whether this kind of economic and military espionage is state-sponsored or carried out by hacktivists and opportunists.
Other attacks, especially those from Eastern Europe, aim to steal money from banks, businesses, educational institutions and individuals. Most recently, cyber attacks have targeted small and midsize businesses, some of which have been forced out of business or into bankruptcy.
A nexus of bad guys
Increasingly, there appears to be a nexus between the groups committing cyber theft and those doing cyber espionage, said Amit Yoran, former director of the National Cyber Security Division of the DHS and current CEO of NetWitness Corp. Many of the botnets, servers, malware tools and techniques now used in cyber crime are also being used for espionage. "Where traditionally a [state-run] intelligence service would execute their own operations, now they have ties with organized crime," he said.
Those kinds of connections -- loose, fluid and constantly changing -- make fending off cyber attacks difficult. As a result, a successful strategic response means that the intelligence community, the U.S. Secret Service, FBI and other law enforcement agencies have to start collaborating more, security analysts say. And more information-sharing between the private and public sectors needs to take place.
The vast majority of the critical infrastructure in the U.S. is owned by the private sector. But most companies have little or no information about the wealth of threat data being collected by intelligence and other government agencies, Titus said. If they're unaware of the threats, they may be vulnerable.
At the international level, moves like the proposal to create a U.N. cyber ambassador who can negotiate cyber security matters and articulate U.S. policy are crucial, Titus said. In fact, she wants the State Department to consider installing cyber attachés at U.S. embassies in key countries such as China, India and Russia. That way, the U.S. government could quickly communicate with the appropriate authorities in other countries during a cyber crisis. It also gives U.S. firms operating in countries such as India and China -- think Google -- a place to turn to immediately when a crisis flares, she said.
The government also needs to focus on continuous monitoring and situational awareness by creating an early-warning system that could sniff out attacks, said Karen Evans, former de facto federal CIO under the Bush administration. Getting a jump on an attack would allow government agencies to respond in a coordinated fashion, she said.