On October 11, Secretary of Defense Leon Panetta gave a speech on â€œDefending the Nation from Cyber Attackâ€ to the Business Executives for National Security in New York City. On the whole, the speech was unremarkable. It repeated what have become the standard, policy-maker talking points about cyber threats. Recently, these have come to include the admonition that we should not fail to â€œconnect the dotsâ€ in regard to potential cyber threats the way we failed to prevent the terrorist attacks of September 11, 2001. What the Secretary of Defense and others fail to realize is that focus on hypothetical, worst-case scenarios and exotic means of achieving them can distract us from actual dangers. Ironically, cyber-doom scenarios like the ones deployed by Secretary Panetta in his speech were just such a distraction in the months leading up to 9/11.
Secretary Panettaâ€™s Speech
Secretary Panetta began his speech by noting that when most people think of cyber security, they think of theft of personal identity information, intellectual property, or government secrets. â€œThose threats,â€ he said, â€œare real and exist todayâ€ (p. 1).
But the majority of the Secretaryâ€™s speech was not focused on the threats that are â€œreal and exist today.â€ Instead, he called for immediate precautionary measures to prevent the realization of a number of hypothetical, cyber-doom scenarios.
The scenarios he outlined are not new, but have been used since the 1990s to raise fear of prospective cyber threats and, as a result, motivate a response. These scenarios include cyber attacks that derail trains, contaminate the water supply, shut down the power grid, or disrupt military communications systems. These types of scenarios, he said, â€œcould be as destructive as the terrorist attack of 9/11â€ and warned twice about the â€œparalysisâ€ and â€œshockâ€ that such attacks could cause to the nation (p. 2).
In addition to speaking about the steps that the Department of Defense is taking in the area of cyber security, he ended his speech with a call for Congress to pass comprehensive cyber security legislation. In the meantime, however, he noted that the Administration is considering issuing an executive order. â€œWe have no choice,â€ he said, â€œbecause the threat we face is already hereâ€ (p. 5). This is despite the fact that he had already distinguished between the â€œalready hereâ€ threats and the hypothetical scenarios that served as his call to action. It is also despite evidence that the cyber attack-induced, nation-spanning â€œshockâ€ and â€œparalysisâ€ of which he warns are unlikely.
Connecting the Cyber Dots
Secretary Panettaâ€™s final call to action was not a hypothetical future scenario, but rather, an analogy to the terrorist attacks of 9/11. He said,
Before September 11, 2001 the warning signs were there. We werenâ€™t organized. We werenâ€™t ready. And we suffered terribly for that.We cannot let that happen again. This is a preâ€“9/11 moment. The attackers are plotting.Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them. We need Congress, and we need all of you, to help in that effort (p. 6).
One might explain this invocation of 9/11 by pointing to the setting of the Secretaryâ€™s speech: the U.S.S. Intrepid in New York City. But this is not the first time that a U.S. policy maker has used the failure to â€œconnect the dotsâ€ prior to 9/11 as an analogy to our current state of preparedness to face cyber threats. In fact, this has become a staple analogy for those advocating for passage of the Cybersecurity Act of 2012. In his statement to a Senate Homeland Security and Governmental Affairs Committee hearing about cyber security in February 2012, Senator Jay Rockefeller said,
I think back to 2000 and 2001, when we saw signs of people moving in and out of our country, we saw dots appear to connect, and we knew something new and different and dangerous might be upon us. Our intelligence and national security leadership took these matters seriously – but not seriously enough.
Then it was too late. 9/11 happened.
Today, with a new set of warnings flashing before us, and a wide range of new challenges to our security and our safety, we again face a choice. Act now, and put in place safeguards to protect this country and our people. Or act later, when it is too late. I urge the Senate to act now.
Similarly, in his floor statement introducting the Cybersecurity Act of 2012, Senator Joseph Lieberman warned,
The fact is our cyber defenses are not what they should be, but such as they are they are blinking red. Yet, again, I fear we will not be able to connect the dots to prevent a 9/11-type cyber attack on America before it happens. The aim of this bill is to make sure we donâ€™t scramble here in Congress after such an attack to do what we can and should do today.
Cyber-doom Prior to 9/11
In the decade between the first Gulf War and the terrorist attacks of 9/11, the U.S. defense community was gripped with what one scholar has called a â€œVUCA worldview,â€ that is, a belief that the world was newly volatile, uncertain, complex, and ambiguous, and therefore dangerous.
This sentiment was expressed just months before the 9/11 attacks by then-Secretary of Defense Donald Rumsfeld. The Secretary told a group of military professionals attending Armed Forces Day at Andrews Air Force Base in May 2001 that â€œthe challenges to freedom are unendingâ€ and that their â€œtask is to defend your nation against the unknown, the uncertain, the unseen and the unexpected.â€ In addition to terrorism and proliferation of WMD and missiles, his list of potential threats included cyber-attacks.
Secretary Rumsfeld was not alone in identifying cyber threats as one of the most dangerous potential threats to emerge from the fog of a VUCA world. In March 2001, National Security Advisor Condoleezza Rice had also raised the alarm about potential cyber threats. Even President George W. Bush, in a June 2001 speech, identified â€œbiological and informational warfareâ€ as â€œthe true threats of the 21st century.â€
Rice and Rumsfeld cannot be entirely faulted for worrying about prospective cyber attacks. After all, cyber-doom scenarios had become quite popular in the 1990s. For example, in 1994, futurist and bestselling author, Alvin Toffler, told a reporter that
They [terrorists or rogue states] wonâ€™t need to blow up the World Trade Center. Instead, theyâ€™ll feed signals into computers from Libya or Tehran or Pyongyang and shut down the whole banking system if they want to. We know a former senior intelligence official who says, â€˜Give me $1 million and 20 people and I will shut down America. I could close down all the automated teller machines, the Federal Reserve, Wall Street, and most hospital and business computer systemsâ€™.
Similarly, members of Congress worried openly about the potential threat of cyber attack. In 1999, Rep. Curt Weldon asserted that cyber attacks could pose a greater threat than WMD. Some members of Congress were keen to make sure that the Bush Administration kept its eye on the ball with respect to cyber threats. Former Senator Bob Bennett said in April 2001,
One of the first things that happened after the Bush administration took office, is that Pat Roberts and Iâ€“Pat Roberts, senator from Kansas, whoâ€™s on the Armed Services Committee and has the responsibility for that committee. He and I contacted Condoleezza Rice and asked her to come to the Hill to talk to us, we thought, to let us alert her and kind of indoctrinate her in the size of the threat and the problem.
We now know that while policy-makers worried publicly about the threat of cyber attacks, indications of a physical attack by al-Qaâ€™ida were being missed. In retrospect, Marcus Sachs, a staff member of the Presidentâ€™s Critical Infrastructure Protection Board during the Bush administration, said,
â€˜Based on what we knew at the time, the most likely scenario was an attack from cyberspace, not airliners slamming into buildingsâ€™ [â€¦] Sachs acknowledges that, in hindsight, the effort was misdirected. â€˜We had spent a lot of time preparing for a cyber attack, not a physical attackâ€™, says Sachs. â€˜Our priorities had to change a little bitâ€™.
Cyber doom scenarios were, of course, not the only distraction prior to 9/11. But if we ask ourselves what policy makers were doing when they werenâ€™t â€œconnecting the dotsâ€ prior to 9/11, worrying about cyber doom is certainly among the answers. More importantly, cyber-doom scenarios were and are symptomatic of a tendency towards precautionary thinking that focuses on the possible (or merely imaginable) at the expense of the probable or already occurring.
If the distraction that such thinking caused prior to 9/11 was not enough of a warning about the inherent dangers of this mindset, then the invasion of Iraq should also serve that purpose. Much of the rhetoric from Bush Administration officials in the lead-up to the invasion was reflective of the idea that the world is full of threats that are unseen and unknown, perhaps even unknowable. In 2002, after his now infamous statement about â€œunknown unknowns,â€ when pressed to provide evidence that Iraq was in fact supplying WMD to terrorists, Secretary Rumsfeld answered simply by saying, â€œthe absence of evidence is not evidence of absence.â€ When the reporter pressed, saying, â€œBut we just want to know, are you aware of any evidence? Because that would increase our level of belief from faith to something that would be based on evidence,â€ Rumsfeld glibly responded, â€œI am aware of a lot of evidence involving Iraq on a lot of subjects.â€ He then called an end to the press conference.
What we learned from the Iraq case is that the fear of the unknown and unseen, which manifests itself in visions of impending doom, can come to drive policy, even in the absence of evidence of these visionsâ€™ possibility or probability. This kind of thinking can even result in a lack of evidence being held up as evidence. Any demand for more evidence comes to be seen as dangerous, a waste of time while the clock counts down to possible doom. As President Bush warned in October 2002, â€œwe cannot wait for the final proof, the smoking gun could come in the form of a mushroom cloud.â€ Preventive action based in ignorance, therefore, becomes the preferred approach to policy.
The second Iraq war is but the most recent example of the dangers of letting a fear-based precautionary logic drive policy. Cyber security may just be the next example. James Lewis, writing in Foreign Policy, says that Secretary Panettaâ€™s speech indicates that the Department of Defense is effectively taking over U.S. cyber security, a development that can only make sense if we have been focused on fantastical visions of cyber doom rather than the threats that are â€œreal and exist today.â€ The only other possibility is that, as a nation, we really do want the military in charge of protecting our personal identities and guarding against illegal downloading of music and movies.
- TESTIMONY-BY: JOHN D. ROCKEFELLER IV, SENATOR, COMMITTEE: SENATE HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS, CQ Congressional Testimony, 16 February 2012. Â â†©
- CONGRESSIONAL RECORD, SENATE, Vol. 158, No. 24, 14 February 2012. Â â†©
- Judith Stiehm (2002) The U.S. Army War College: Military Education in a Democracy (Philadelphia: Temple University Press). Â â†©
- Thomas Elias, â€˜Toffler: Computer Attacks Wave of Futureâ€™, South Bend Tribune (Indiana) (2 January 1994). Â â†©