Spying or Cyber War? How to Tell the Difference
The idea of a hostile country hijacking computers deep inside the United States sounds frightening. But is it really so different from what countries—including the U.S.—have always done in the name of espionage?
That was a question posed to Gen. Keith Alexander, a former director of the NSA, at Fortune’s Brainstorm Tech conference on Tuesday in Aspen, Colo.
Alexander responded by saying there’s a clear distinction between countries using computers to spy and to attack.
“It’s intent. Cyber war is to inflict damage while spying is to learn secrets,” he said, adding that every nation engages in cyber-spying.
As a examples of computer activity that rises to the level of cyber war, Alexander pointed to the alleged attack on Sony by North Korea, and to attacks in Ukraine aimed at the company’s economy and infrastructure.
Get Data Sheet, Fortune’s technology newsletter.
The distinction between spying and cyber war is important since the latter has the potential to trigger military retaliation, or invoke responses under treaties like NATO, while espionage is considered less serious.
“Nations are going to test us in cyber space,” said Alexander without elaborating as to whether recent hacking activities directed at the U.S. approach the level of war.
Alexander and others on the panel also discussed what the United States should do to protect itself against cyber attacks. According to Oren Falkowitz, the CEO of an anti-phishing service called Area 1 security, a lot of this responsibility should fall to the private sector.
“It’s just not the role of the government to protect everyone in this country,” he said, explaining that businesses should be responsible for securing their own networks unless critical infrastructure is involved.
Falkowitz also downplayed the cyber threat posed by new technologies like artificial intelligence, stating that 95% of all hacks begin with phishing, so there is no reason for hackers to pursue more exotic AI-based tactics.
Gen. Alexander, who now heads a company called IronNet Cybersecurity, was less sanguine about the AI threat.
“As countries look to cyber as an element of national power, they’ll turn to AI and other new tech,” he warned.
Meanwhile, another U.S. company is having considerable success in using an unorthodox technique—paying hackers—to protect companies from cyber attacks. The company, HackerOne, runs programs called “bug bounties” that involve inviting a large network of friendly hackers to attempt to break into a company’s network, and then rewarding them if they are successful.
The bug bounty programs have proved so successful that even the U.S. military is using them. Last year, the military paid HackerOne to run a program called “Hack the Pentagon” that flushed out numerous computer vulnerabilities.