The imagery and terminology of war pervade computer security. Intrusions, vulnerabilities, attackers, defenders – they are all militaristic. While such terms may be be useful, that does not mean we should think we are at war on the Internet. I say this for a very simple reason: war is always the exception.
Life as we know it is on pause when we are at war. The rules that govern our productive lives – those that allow us to create, trade, and raise families – are all suspended when we are fighting for those lives. The only good thing about war is its ending. To be at war is to be fighting so we can be at peace.
This is what the computer security community must come to grips with: we are not at war today on the Internet. If we were, then people would not be conducting business, socializing, learning, and falling in love online; instead, we would all be fighting for our (virtual) lives.
Now, it is true that in real war life does go on in some fashion; nevertheless, war is defined by fear, and this fear infuses even the most mundane aspects of life. While people are wary, they are not living in fear on the Internet. We are at peace online. And this is a good thing!
Why this matters in a computer security context is that what is appropriate for war is not appropriate for peacetime. Arming the populace for cyber warfare can help prepare us for war; preparation for war, however, is often the surest way to destroy the peace.
Sacrifices that we willingly make in war are loathsome otherwise. To forget this is to forget the greatest benefit of peace: the relative absence of fear. Our job as computer security researchers and professionals should not be to spread fear, but rather to protect people from fear.
Our job is to keep the peace.