For years, I have been a critic of cyber security advocates’ use of doom rhetoric to call attention and motivate a response to cyber threats. Perhaps the chief example of such rhetoric is the cyber Pearl Harbor analogy, which as been used regularly in the U.S. cyber security debate since 1991.

One criticism that I and others have made of this analogy is that focussing attention on a hypothetical, catastrophic threat distracts from the more mundane, but much more common, threats we face each day. These are the myriad data breaches and acts of cyber crime, espionage, and propaganda that regularly grace the headlines of newspapers worldwide. As Jason Healey argued at the 2016 NATO CyCon, the fact that cyber Pearl Harbor has not occurred after 25 years of warnings is a good indicator that we are focused on the wrong threat.

But in a recent interview with Nextgov, the DoD cyber policy chief gave a different explanation. Nextgov reports that the reason a catastrophic cyber Pearl Harbor

hasn’t happened is because the massive power and stated policy of the U.S. military—cyber and otherwise—have deterred any would-be attacker, says Aaron Hughes, the Defense Department’s top cyber policy official.

It’s proven more difficult, however, to deter nondestructive breaches such as the Russian government-backed leaks from Democratic political organizations that wreaked havoc on the 2016 presidential campaign, the deputy assistant secretary of defense for cyber policy said.

In short, critics say that cyber Pearl Harbor hasn’t happened because it is not the real threat. The DOD cyber policy chief says that cyber Pearl Harbor hasn’t happened because DOD has effectively deterred it.

This is an interesting rhetorical move, but one that I find unconvincing. It reminds me of a joke one of my professors used to tell when I was an undergraduate. He would wave a chalkboard eraser around and ask unsuspecting students if they knew what it was. Of course, they would say it is an eraser. But, he would tell them, it wasn’t just any eraser. It is a magic eraser that wards off lions! To the students’ incredulous looks, he would reply, “Well, you don’t see any lions around, do you?”

You don’t see any cyber Pearl Harbors, do you? Then the DOD’s magic cyber deterrence must be working!

Advertisements