Cyber war fever — Catch it!

Has the risk of cyber war been grossly exaggerated? It depends on whom you ask. According to the audience attending last week’s Intelligence Squared debate in Washington D.C., it's a very real threat.

Of course, this was a crowd that chose to watch a debate among security experts rather than the big-league debut of pitching phenom Stephen Strasburg of the Washington Nationals. They sat in a room listening to security expert and author Bruce Schneier and Electronic Privacy Information Center Executive Director Marc Rotenberg debate former national intelligence director Mike McConnell and Harvard Internet law professor Jonathan Zittrain. They could have watched Craig Ferguson or Conan O'Brien on TV, or heard James Taylor and Carole King perform, but they chose the debate hall.

This was a crowd that worries about cyber war.

Related coverage:

New DOD cyber commander seeks better situational awareness

DOD struggles to define cyber war

One thing both sides in the debate agreed on is that cyber war is real. Opinions might vary about just how likely it is, but they agreed that the country needs to have an open discussion on how to defend against it and conduct it. Unfortunately, our policy has not kept pace with the real possibility of such a war.

The debate was part of a series, now in its fourth season, sponsored by the Intelligence Squared U.S. Foundation and aired by National Public Radio and Bloomberg Television. It was the first such debate conducted outside New York. The purpose of the series is to encourage “intelligent and civil discourse” on important issues, but that does not mean the discourse is not lively and entertaining.

When it came down to it, neither side actually debated the topic, which was that the cyber war threat has been greatly exaggerated. Schneier and Rotenberg, speaking in favor of the motion, took the premise for granted and focused their arguments instead on the motive, asserting that it is a power and money grab on the part of the military and intelligence community, particularly the National Security Agency.

McConnell, who used to head that agency, dismissed the concerns and focused instead on the need for security. “Secrecy gets a very bad name in our society,” he said, but “secrecy is a necessity.” There is no need to fear NSA, however, because it plays by the rules. Trust us.

McConnell and Zittrain focused on the vulnerability of the Internet and its potential for being exploited by a variety of bad actors. “As long as the vulnerability is there, all that is needed is the motivation,” Zittrain said.

But “words matter a lot,” Schneier said. They have consequences and influence policy, he argued, and we should not be using the phrase “cyber war” so loosely.

Words matter a lot right now because to date the United States has no policy on cyber war, but it has established a Cyber Command with a four-star general in charge to conduct it. We have yet to define clearly what cyber war is and what the rules of engagement are. Can we be sure that the Chinese computers that appear to be attacking us are not being controlled by North Korea or even Brazilian hackers? Should we respond to bytes with bombs? If so, when? Do existing mutual aid treaties bind countries to assist in the defense of each other's cyberspace? If someone knocks a NATO server off-line in England, are we obligated to respond?

If we have answers to these questions and to the myriad other questions each answer would raise, they have not been made public as have the rules for conventional warfare. Maybe these issues will be addressed by the new Cyber Command. But if, as Georges Clemenceau said, war is too serious a matter to be left to the military, then cyber war is too important to be left to the generals. Public policy and public discourse is called for. Intelligent and civil discourse, of course.