A long-standing debate within the Obama administration over how to characterize the cyberthreat has complicated the U.S. effort to lay out a governmentwide cybersecurity strategy.
At issue is whether the nation faces the prospect of cyberwar and needs to prepare for it. The Pentagon says yes. Howard Schmidt, the White House coordinator for cybersecurity, sees such talk as "hype" and rejects the "cyberwar" term.
"My father was in a war, my son has been in a war, I've been in a war, and this is not what we're going through right now," Schmidt said in an interview with NPR. "There are a whole lot of ramifications about using that term in any context, and even more in using the term 'cyberwar.' "
Schmidt argues that the cyberattacks being carried out currently against U.S. government and private computer networks fall under the categories of cybercrime, espionage and the theft of intellectual property.
"To label every cyber-intrusion, every theft of intellectual property, as cyberwar is just a total mischaracterization of what's going on in the world today," he said.
At the Pentagon, however, officials take a darker view. During a presentation in February at a conference organized by the cybersecurity company RSA, Deputy Defense Secretary William Lynn said there is reason to worry about cyberweapons being used to cause actual physical damage.
"This development, which marks a strategic shift in the cyberthreat, is only just emerging," Lynn said.
Is It Cyberwar?
The Pentagon analysis contrasts sharply with that of Schmidt, who sees little that is fundamentally new in the recent spate of cyberattacks at RSA, Lockheed Martin and Google. Those intrusions, Schmidt argued, followed "a very standard method of operation that people have used for 20-odd years."
The procedure, he said, generally involves hackers gaining a foothold within a network by stealing someone's password, and then moving up to increasingly higher levels of supervisory control within the computer system. What has distinguished recent attacks, he said, is the way hackers have targeted particular individuals and companies rather than their general approach.
Schmidt was also cybersecurity adviser to President George W. Bush and has served as chief security officer at Microsoft and eBay, in addition to working 30 years as a computer crime and forensics expert for the FBI and the U.S. Air Force.
Schmidt's views on the nature of the cyberthreat, however, have put him at odds with some at the Pentagon. One senior military officer who deals exclusively with cyber issues says Schmidt is seen at the Pentagon as "understating" the threat of cyberwar.
"There's been some pushback against his views," the official said.
At the RSA cybersecurity conference in February, Lynn emphasized the need to prepare for the most dire cyberwar scenarios.
"Of course it is possible that destructive cyberattacks will never be launched. Regrettably, however, few weapons in the history of warfare, once created, have gone unused," Lynn said. "For this reason, we must have the capability to defend against the full range of cyberthreats. This is indeed the goal of the Defense Department's new cyber strategy, and it's why we are pursuing that strategy with such urgency."
'A Semantic Issue'
The new Pentagon cyber strategy is due to be released later this month, but first there will need to be a resolution of any dispute within the administration over how much emphasis to put on cyberwar scenarios.
At the White House, Schmidt won't say he's gotten any pushback from the Pentagon for his refusal to use the term cyberwar, though he acknowledges there have been "conversations" about the issue.
"When people look at definitions of things in their context as opposed to someone else's context, there's always dialogue," he said.
"Each government agency comes with its own set of experiences and expertise," he said. "So what may be a common term in one organization, the military for example, may have a different meaning in another civilian agency."
The goal, Schmidt said, is to make sure the administration is putting out "the right message" about the cyberthreat "and not something that may be subject to misinterpretation."
The dispute over use of the "cyberwar" term, in fact, may reveal more about competing bureaucratic interests than about different views of the threat landscape.
"This is a semantic issue that is really a proxy for a bunch of turf issues," said Stewart Baker, a former general counsel for the National Security Agency and assistant secretary for policy at the Department of Homeland Security under Bush. "As soon as you start talking about 'cyberwar,' you are essentially ceding the intellectual heights to the Pentagon, which says, 'If you're talking about war, you're now talking about something the Department of Defense knows how to do, and the civilians should defer to the DOD on how to fight those wars."
Among those arrayed against the Pentagon are the business interests.
"If you go to a CEO of a company and say, 'Listen, you need to do a better job about protecting intellectual property. And, oh, and by the way, you need to be prepared for cyberwar,' that's not a business thing," Schmidt said. "That's not something business leaders would react to. Or they will say, 'That's a government job.' "
As the White House cybersecurity coordinator, Schmidt has to consider all of the competing interests, and scaring people about the cyberthreat does not rank high on his agenda.
"When the president said, 'This is an important issue,' it was about fixing the issue, not raising alarms," Schmidt said. "There are plenty of people out there to raise alarms. [This] is about finding a rational way to move forward that's good for the economy, that's good for national security, that's good for public safety, without a lot of hype."