Come On, People—Hacking a High-Tech Toilet Is Not Cyberwar

Air Force Lt. Col. Dan Ward says it’s time we reconsider our definitions of computer attacks

Come On, People—Hacking a High-Tech Toilet Is Not Cyberwar Come On, People—Hacking a High-Tech Toilet Is Not Cyberwar

Uncategorized August 10, 2013 0

It’s a cat in a toilet. Get over it. Wikimedia Commons photo Come On, People—Hacking a High-Tech Toilet Is Not Cyberwar Air Force Lt.... Come On, People—Hacking a High-Tech Toilet Is Not Cyberwar
It’s a cat in a toilet. Get over it. Wikimedia Commons photo

Come On, People—Hacking a High-Tech Toilet Is Not Cyberwar

Air Force Lt. Col. Dan Ward says it’s time we reconsider our definitions of computer attacks

There sure do seem to be a lot of cyber-attacks lately. But that’s mostly because the term is used so broadly. Lately it’s been applied to events ranging from a hacked Twitter account to remotely flushing a high-tech commode.

That’s right: a toilet got hacked. And to some, that counts as an electronic assault.

Look, the term “cyber-attack” loses its meaning when we apply it to everything from stealing credit card numbers to distributing false stock market information to launching a virus that shuts down a uranium processing facility. The fact that computers are involved in those cases makes them “cyber,” but it I’m not sure they all count as “attacks.”

Let’s be clear: an attack is an aggressive or violent act. Spying, on the other hand, involves covertly collecting information without authorization. Of course, stealing means the unapproved removal or use of something that does not belong to you. As for remotely flushing someone’s toilet without their permission, well, I’m not sure what to call that one, but I certainly wouldn’t call it cyberwar.

I think we all agree there is a big difference between secretly watching someone through binoculars, punching someone in the nose and taking someone’s lunch money. None are particularly polite and all can cause harm, but only one is an attack.

Of course, as any mugging victim can tell you, theft is sometimes accompanied by violence. And if the mugging was premeditated, the culprit probably did a little spying. But it is important to realize the stealing, spying and attacking are entirely distinct offenses, even when they occur as part of the same event.

Nobody would say, “A burglar attacked some jewelry from my bedroom while I was out of town,” or, “I didn’t notice when a pickpocket attacked my wallet,” much less, “The paparazzi attacked me with a telephoto lens from half a mile away.”

Such descriptions not only sound absurd, they misrepresent the nature of the events in question. Unfortunately, that’s exactly how most people talk about cyberspace, essentially crying cyberwolf over activities that are not actually attacks.

Bear in mind, cyber-attacks are real. They happen. But when thieves hack into a database and steal a million credit card numbers, they have committed a very specific offense: theft. Similarly, when spies from one country use their computers to find military secrets on the computers from some other country, the activity they are engaged in already has a name: espionage. Calling these events cyber-attacks is inaccurate, distracting and a bit silly.

This matters because distinct challenges require distinct responses. Calling everything an attack puts us into a particular mode of response which may not be the most appropriate for the situation. From a legal, political and military perspective, we would do well to distinguish between crime and conflict, between theft and assault.

As in the real-world, a true cyber-attack aims to create an effect that denies, disrupts, damages or destroys. So if someone takes down a server farm, knocks out a power grid or prevents the enrichment of uranium, we should feel free to call it an attack.

But if a hacker steals the plans for the Joint Strike Fighter or posts an embarrassing Facebook comment in your name, let’s call it something different. And if you do own a $4,000 cyberpotty, be sure to reset the Bluetooth PIN so hackers don’t attack it — I mean, flush it — without your permission.

Originally published by the Air Force General Counsel. Dan’s views are his alone and do not represent the official position of the Air Force or the U.S. government.