When Do We Call a Cyber Attack an Act of Cyber War? | Security Intelligence Blog

April 2014
S	M	T	W	T	F	S
« Mar
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30

Mar15

When Do We Call a Cyber Attack an Act of Cyber War?

2:47 pm (UTC-7) | by Martin Roesler (Director for Threat Research)

What is the difference between cybercrime and a “cyber war”?

There are different elements of an attack that help us understand this: the targets, the threat actors behind it, as well as the tools used. But I think one of the most important aspects, something that drives all the other aspects, is also the answer to the question I posed earlier: intent.

I believe this difference in intent matters because it defines the threat itself. There are a lot of reports on different kinds of organizations being successfully victimized by targeted attacks, and it has become so overwhelming to the point that it has obscured our view of what kind of threats we’re dealing with. And though knowing the intent might not be able to help us stop an attack, it can enable us assess if we are a potential target.

Cyber war or Cybercrime?

For example, when a threat actor from country A conducts a targeted attack against several companies in country B, does it count as cyber war, or cybercrime? The answer, again, depends on the intent.

Cyber war, as Raimund Genes also said in his 2013 predictions, refer to politically motivated attacks that may destroy data or even cause physical damage to infrastructure of a specific country. So in my example above, if the goal of the attack is to destroy the companies’ data or their infrastructure with a political intent, it may be considered an act of cyber war.

However, if the attack is conducted in order to steal information from the companies with a pure financial intent, then it should be considered a form of cybercrime. Most of the cybercrime schemes we’ve seen in the past aimed to affect as many individual users as possible, but the cybercriminals have found a bigger and better target in companies.

Ends vs. Means

Of course, although the end goals are different, there is a clear overlap between the two, that being the gathering of information. For example, gaining internal information in order to gain money is the goal of cybercrime, but in terms of cyber war, the same scheme can be just part of reconnaissance for a bigger operation. So if we look at it, the targeted attack itself is simply a tool in order to achieve the intent. The structures, techniques, and tools used can be the same, but the ending can be completely different.

Does It Matter?

So in the end, does the intent matter? Not that much. But how you protect yourself and your network does. Regardless of who you think is after you, any of them will be after your crown jewels. So act accordingly. It’s all a name game.

Share this article

This entry was posted on Friday, March 15th, 2013 at 2:47 pm and is filed under Targeted Attacks . Both comments and pings are currently closed.

Roland Dela Paz

Good read!

I definitely agree that the “difference in intent matters because it defines the threat itself”, and I also believe that in the end it should also matter, just like every other element of an attack should.

If you know the intent, you would not only know that you are a potential target but also have an idea on what tools or means they are likely to use to accomplish this intent, therefore allowing you to protect yourself accordingly.

Yet again this raises another question–how would you know an attacker’s intent? Realistically speaking intent is typically understood after the investigation of attack artefacts, let alone there are too many attacker intents out there that may match your profile as an organization.

How you protect yourself and your network indeed is what matters in the end, but I believe taking into consideration every element of cyber attacks positions you better to achieving this.
http://techzwn.com Joshua Philipp

Good analysis, but the Chinese in particular have a broader definition of war. They have five forms outside what we think of as war: culture warfare, economic warfare, business warfare (which is different from economic), legal warfare (“lawfare”), and information warfare. They also have a boiled down version they call The Three Warfares – http://www.carlisle.army.mil/USAWC/parameters/Articles/2010summer/Thomas.pdf
- TrendLabs
  
  Hi Joshua,
  
  Yes, you are correct. In other cultures and other languages, terms and definitions do not always match with our own. However, in general, definitions are relative, and in this case, the message is always defined by the recipient, not by the sender. It does not matter if an attack is meant to be “business warfare” or “information warfare” — if it limits or eliminates my capabilities to live a peaceful life, I can call it aggressive.
  
  To go back to my blog: My point was not to separate between different types of warfare, but to make clear that the weapon does not define whether an act is criminal or not, but the intent. An individual that takes illegal actions to have a selfish and monetary benefit, is a criminal. On the other hand, a group of people who, for political reasons take an illegal act against another group, are either terrorists or warriors.
  
  Thanks!
  Martin

TrendLabs Malware Blog

Trend Micro

Targeted Attacks

Mobile

Recent Posts

Calendar