FGIT: What is the Cyber Conflict Studies Association?

Gourley: It was formed in 2003. We've been focused on academia, working with the colleges, and therefore not been seeking a lot of publicity. Our whole purpose of being is to advance the field of knowledge around cyber conflict, and that meant working with institutions like MIT or the Kennedy School of Government or Georgetown or University of Maryland, those kinds of places.

FGIT: What kinds of advances in thinking has CCSA contributed to?

Gourley: This is not just a computer security challenge. This is something that other part of the community needs to study, not just the computer security guys. We need policy makers to be thinking through cyber conflict, and that has possibly been our greatest contribution--getting the policy makers and those who study peace and war engaged in the study of cyber conflict.

FGIT: There's been recent discussion about how the United States doesn't know what a cyber war is.

Gourley: That gets into our early discussions about our own organization. We could have named ourselves the cyber war studies association--but we might never be in a cyber war. We might be in a continual state of cyber conflict, which is a broader, more encompassing term. Conflict also means you study a boarder amount of things, like espionage or even lower level threats that might related to conflict.

FGIT: What's the difference between cyber conflict and cyber war?

Gourley: The United States has been in one declared war in the last 65 year, and that was World War II. Distinguishing between conflict and war is distinguishing between things on a spectrum. What we're seeing on the nets right now I would not describe as a war. I would describe it as a conflict.

FGIT: How would we recognize a cyber war?

Gourley: It's a matter of would you be able to recognize it in time, what's our warning mechanism, what are the indications that you would be able to recognize in order to stop it in time.

One of the first indications that you're in a war is that you've had a massive power outage for two days. Well, that's too late.

FGIT: Would the events leading up to that outage be distinguishable from espionage?

Gourley: We at the CCSA call for that to be studied by academia. And the kind of ideas we get back is we need to establish a cyber DEW [distant early warning] line. In a Cold War analogy, the DEW line was a long series of radar and observation posts that were meant to detect incoming flights of Soviet bomber and incoming Soviet missiles. The DEW line is still operational and a very important part of our defense. What do we have in the cyber world that would give us warning of a cyber attack? That's an open question.

FGIT: What other topics is CCSA looking into now?

Gourley: How do you articulate a deterrence policy for cyberspace that is not escalatory itself. It's easy to say that we have a deterrence policy, but it's actually very hard to think through one that's not destabilizing.

For example, do we declare that any attack on U.S. infrastructure would be met on an attack on an adversaries' infrastructure? That's incredibly easy to say, but how would you know who's attacking? It's hard to know with any precision--it might be a group of hackers located in your own country, pretending to be in another country.

It's not a credible statement to say that you're going to respond to any attack when you don't know who's attacking you. And if you are going to respond, are you going to attack a nuclear power with cyber weapons? We think these are issues that policymakers need to openly debate.

FGIT: There's a lot of secrecy around all things cyber.

Gourley: Not enough is openly discussed, and that is another key tenet of the CCSA.

An analogy we make is back to the early days of nuclear strategy, when at first it was all secret. Later, professors--some of the best had names like Herman Kahn and Bernard Brodie--began to examine nuclear war and came up with strategies that now everyone believes were much less escalatory and helped keep the peace for years, because of that open study.

Fast forward into the cyber age--we believe more academics need to get involved in discussion cyber war.

Bob Gourley is founder and chief technology officer of Crucial Point LLC, a technology research and advisory firm, and former J2 at the DoD's JTF-CND. He blogs at CTOvision.com.

Related Articles:
Attribution subject of House cybersecurity hearing
Lewis: Cold War lessons of limited value for cyber attack deterrence
Ross: Defense only goes so far, real cybersecurity is agile
Is the threat of cyber war exaggerated?
Lewis: U.S. not in a cyber war