Cyber framework better than strict rules

The 2011 RSA Conference provided a forum for a continuing dialogue about the difficulties inherent in defining and crafting a cyber warfare policy.

The 2011 RSA Conference, which took place Feb. 14-18, is one of the top security events that promote knowledge sharing and professional networking. Security professionals had the opportunity to choose from 250 sessions and hear from industry thought leaders. As the conference proceeded, a number of interesting sound bites came out. At the same time, additional sound bites emerged from other significant sources that seemed to be in direct conflict with the RSA comments.

“We really need to define cyber war because words do matter,” said White House cyber czar Howard Schmidt at the RSA Conference. “There are a lot of pieces that don't apply [to war] so we need to define what we're talking about.”

This is one time that he and I agree. Do you think he read my recent blog post asking whether we are at Cyber Defcon 1? I would bet at this point he is even more frustrated than I am about ill-defined terms such as cyber war.

I decided to ask around about why it is taking so long and why so little progress is being made in this area. I was not prepared for one of the answers I got. The startling comment was that certain entities in both the military and private sector do not want hard-and-fast definitions for those terms because it would restrict or limit their operational abilities in both offensive and defensive cyber actions and in their cyber intelligence collection activities.

After giving it considerable thought, I believe that comment is right on. Acts of cyber aggression, all the way up to what we are calling acts of cyber war, are so dynamic that it would be nearly impossible to construct hard-and-fast rules to guide our military, intelligence and black-operations groups. What we need is a cyber policy framework to guide decision-making rather than rules.