I think that once you get into the private sector, you’ve also got that issue as well. Most of our critical infrastructure is run by private industry, where there’s no regulation and no oversight and little incentive for them to invest money in cyber-security. All it takes is one hole in your defenses — that you could have invested unbelievable amounts of money in — to let somebody in and destroy you. If you put yourself in the shoes of somebody running a business, where being competitive means focusing that energy on the business, spending money on cyber-defenses — when you haven’t seen you or any of your competitors be attacked or suffer cyber-attacks — is going to be something that you’re probably not going to think of.
GT: What is an act of cyber-warfare? How do you define it?
MR: The Obama administration published a cyber-security strategy this summer. They’ve got a definition for an act of cyber-warfare … [pertaining to] the nation’s infrastructure. [If] cyber-systems are disrupted in any way, cyber or physical, that’s an act of cyber-war. And they went so far as to say that we reserve the right to retaliate kinetically or with physical military action in the face of something like that.
So from that perspective, I think that’s the definition that I go with. Somebody planting something in your systems so that they can monitor what you’re doing wouldn’t necessarily be classified as an act of cyber-warfare: [It’s] cyber-espionage — espionage being an activity that all governments have been engaged in since the beginning of time; that is kind of just part of doing business. If we find somebody spying in the country, we kick them out. We don’t respond by attacking that country, so I think that that’s a good way to draw the distinction between those two.
GT: How would a nation know whether or not a hacker was acting independently or on behalf of his or her government?
MR: I think that’s a huge problem when it comes to cyber-attacks, being able to tell who carried it out. When it comes to cyber-warfare though, usually there’s a buildup of incidents or confrontation that leads to the attack, and so it’s not necessarily so ambiguous.
GT: If you’re someone who’s savvy enough to launch an online attack, wouldn’t you know how to hide or mask it?
MR: That’s definitely a giant problem. The Google attacks from last year … Google says it was China, but there’s not really conclusive evidence that it was China. In Zero Day, I view a cyber-attack as being just an awesome weapon for terrorists because, if they’re carrying out a physical attack, that’s a lot easier to trace it back to exactly who did it. If it’s a cyber-attack, they can carry it out and it becomes very difficult to really attribute it to exactly where it was perpetrated from. I think that it is an interesting dilemma — the attribution problem in cyber-space.
GT: Does the government have that attribution problem?
MR: I think it’s a definite problem that we’ve got.