Geoff Harris is the President of the UK Chapter of the Information Systems Security Association (ISSA) a not-for-profit, international organization of information security professionals and practitioners. In this interview he discusses cyber warfare.

In your opinion, how far are we from a international consensus as to what constitutes an act of cyber warfare and what issues do you predict will be the major stumbling blocks on the road to such an agreement?

There have been various incidents that could be described as acts of cyber warfare.

The Cyber-attacks against Estonian systems in starting in April 2006 with data-flooding attacks on key government websites, culminating on a coordinated Distributed Denial of Service (DDoS) attacks on key government, financial and media sites in May 2006 certainly would fall under this category.


In terms of what constitutes an act of cyber warfare, I would have to refer this to international lawyers and powers such the United Nations. There has been enough debate around what constitutes an act of war in convention terms e.g. Iraq Like the definition of "war" itself, the term "cyber war" is complex. The most basic definition is that cyber war simply entails waging war through digital, technological means. According to the Institute for Advanced Study of Information Warfare (ASIW), they have defined cyber as "the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, and adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own.

A country will have to be extremely careful when it comes to attributing attacks to a source, because the cyber world is eminently suitable for misdirection and subterfuge, and traces left by attackers are not obvious to the greater public. Do you think there will be a need for some kind of international court or body that will have final ruling on who's to blame for attacks and breaches that cross the line between cyberterrorism and cyber espionage and cyber warfare?

In the example above, the Estonian defence authorities traced the sources of the attacks to Russian IP addresses. However the Russian authorities were unable provide details on the individuals owning these IP addresses stating that they had no legal powers to do so, apparently stating that these acts were not illegal in Russia at that time.