On October 11, Secretary of Defense Leon Panetta gave a speech on “Defending the Nation from Cyber Attack” to the Business Executives for National Security in New York City. On the whole, the speech was unremarkable. It repeated what have become the standard, policy-maker talking points about cyber threats. Recently, these have come to include the admonition that we should not fail to “connect the dots” in regard to potential cyber threats the way we failed to prevent the terrorist attacks of September 11, 2001. What the Secretary of Defense and others fail to realize is that focus on hypothetical, worst-case scenarios and exotic means of achieving them can distract us from actual dangers. Ironically, cyber-doom scenarios like the ones deployed by Secretary Panetta in his speech were just such a distraction in the months leading up to 9/11.
Secretary Panetta’s Speech
Secretary Panetta began his speech by noting that when most people think of cyber security, they think of theft of personal identity information, intellectual property, or government secrets. “Those threats,” he said, “are real and exist today” (p. 1).
But the majority of the Secretary’s speech was not focused on the threats that are “real and exist today.” Instead, he called for immediate precautionary measures to prevent the realization of a number of hypothetical, cyber-doom scenarios.
The scenarios he outlined are not new, but have been used since the 1990s to raise fear of prospective cyber threats and, as a result, motivate a response. These scenarios include cyber attacks that derail trains, contaminate the water supply, shut down the power grid, or disrupt military communications systems. These types of scenarios, he said, “could be as destructive as the terrorist attack of 9/11” and warned twice about the “paralysis” and “shock” that such attacks could cause to the nation (p. 2).
In addition to speaking about the steps that the Department of Defense is taking in the area of cyber security, he ended his speech with a call for Congress to pass comprehensive cyber security legislation. In the meantime, however, he noted that the Administration is considering issuing an executive order. “We have no choice,” he said, “because the threat we face is already here” (p. 5). This is despite the fact that he had already distinguished between the “already here” threats and the hypothetical scenarios that served as his call to action. It is also despite evidence that the cyber attack-induced, nation-spanning “shock” and “paralysis” of which he warns are unlikely.
Connecting the Cyber Dots
Secretary Panetta’s final call to action was not a hypothetical future scenario, but rather, an analogy to the terrorist attacks of 9/11. He said,
Before September 11, 2001 the warning signs were there. We weren’t organized. We weren’t ready. And we suffered terribly for that.We cannot let that happen again. This is a pre–9/11 moment. The attackers are plotting.Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them. We need Congress, and we need all of you, to help in that effort (p. 6).
One might explain this invocation of 9/11 by pointing to the setting of the Secretary’s speech: the U.S.S. Intrepid in New York City. But this is not the first time that a U.S. policy maker has used the failure to “connect the dots” prior to 9/11 as an analogy to our current state of preparedness to face cyber threats. In fact, this has become a staple analogy for those advocating for passage of the Cybersecurity Act of 2012. In his statement to a Senate Homeland Security and Governmental Affairs Committee hearing about cyber security in February 2012, Senator Jay Rockefeller said,
I think back to 2000 and 2001, when we saw signs of people moving in and out of our country, we saw dots appear to connect, and we knew something new and different and dangerous might be upon us. Our intelligence and national security leadership took these matters seriously – but not seriously enough.
Then it was too late. 9/11 happened.
Today, with a new set of warnings flashing before us, and a wide range of new challenges to our security and our safety, we again face a choice. Act now, and put in place safeguards to protect this country and our people. Or act later, when it is too late. I urge the Senate to act now.
Similarly, in his floor statement introducting the Cybersecurity Act of 2012, Senator Joseph Lieberman warned,
The fact is our cyber defenses are not what they should be, but such as they are they are blinking red. Yet, again, I fear we will not be able to connect the dots to prevent a 9/11-type cyber attack on America before it happens. The aim of this bill is to make sure we don’t scramble here in Congress after such an attack to do what we can and should do today.
Cyber-doom Prior to 9/11
In the decade between the first Gulf War and the terrorist attacks of 9/11, the U.S. defense community was gripped with what one scholar has called a “VUCA worldview,” that is, a belief that the world was newly volatile, uncertain, complex, and ambiguous, and therefore dangerous.
This sentiment was expressed just months before the 9/11 attacks by then-Secretary of Defense Donald Rumsfeld. The Secretary told a group of military professionals attending Armed Forces Day at Andrews Air Force Base in May 2001 that “the challenges to freedom are unending” and that their “task is to defend your nation against the unknown, the uncertain, the unseen and the unexpected.” In addition to terrorism and proliferation of WMD and missiles, his list of potential threats included cyber-attacks.
Secretary Rumsfeld was not alone in identifying cyber threats as one of the most dangerous potential threats to emerge from the fog of a VUCA world. In March 2001, National Security Advisor Condoleezza Rice had also raised the alarm about potential cyber threats. Even President George W. Bush, in a June 2001 speech, identified “biological and informational warfare” as “the true threats of the 21st century.”
Rice and Rumsfeld cannot be entirely faulted for worrying about prospective cyber attacks. After all, cyber-doom scenarios had become quite popular in the 1990s. For example, in 1994, futurist and bestselling author, Alvin Toffler, told a reporter that
They [terrorists or rogue states] won’t need to blow up the World Trade Center. Instead, they’ll feed signals into computers from Libya or Tehran or Pyongyang and shut down the whole banking system if they want to. We know a former senior intelligence official who says, ‘Give me $1 million and 20 people and I will shut down America. I could close down all the automated teller machines, the Federal Reserve, Wall Street, and most hospital and business computer systems’.
Similarly, members of Congress worried openly about the potential threat of cyber attack. In 1999, Rep. Curt Weldon asserted that cyber attacks could pose a greater threat than WMD. Some members of Congress were keen to make sure that the Bush Administration kept its eye on the ball with respect to cyber threats. Former Senator Bob Bennett said in April 2001,
One of the first things that happened after the Bush administration took office, is that Pat Roberts and I–Pat Roberts, senator from Kansas, who’s on the Armed Services Committee and has the responsibility for that committee. He and I contacted Condoleezza Rice and asked her to come to the Hill to talk to us, we thought, to let us alert her and kind of indoctrinate her in the size of the threat and the problem.
We now know that while policy-makers worried publicly about the threat of cyber attacks, indications of a physical attack by al-Qa’ida were being missed. In retrospect, Marcus Sachs, a staff member of the President’s Critical Infrastructure Protection Board during the Bush administration, said,
‘Based on what we knew at the time, the most likely scenario was an attack from cyberspace, not airliners slamming into buildings’ […] Sachs acknowledges that, in hindsight, the effort was misdirected. ‘We had spent a lot of time preparing for a cyber attack, not a physical attack’, says Sachs. ‘Our priorities had to change a little bit’.
Cyber doom scenarios were, of course, not the only distraction prior to 9/11. But if we ask ourselves what policy makers were doing when they weren’t “connecting the dots” prior to 9/11, worrying about cyber doom is certainly among the answers. More importantly, cyber-doom scenarios were and are symptomatic of a tendency towards precautionary thinking that focuses on the possible (or merely imaginable) at the expense of the probable or already occurring.
If the distraction that such thinking caused prior to 9/11 was not enough of a warning about the inherent dangers of this mindset, then the invasion of Iraq should also serve that purpose. Much of the rhetoric from Bush Administration officials in the lead-up to the invasion was reflective of the idea that the world is full of threats that are unseen and unknown, perhaps even unknowable. In 2002, after his now infamous statement about “unknown unknowns,” when pressed to provide evidence that Iraq was in fact supplying WMD to terrorists, Secretary Rumsfeld answered simply by saying, “the absence of evidence is not evidence of absence.” When the reporter pressed, saying, “But we just want to know, are you aware of any evidence? Because that would increase our level of belief from faith to something that would be based on evidence,” Rumsfeld glibly responded, “I am aware of a lot of evidence involving Iraq on a lot of subjects.” He then called an end to the press conference.
What we learned from the Iraq case is that the fear of the unknown and unseen, which manifests itself in visions of impending doom, can come to drive policy, even in the absence of evidence of these visions’ possibility or probability. This kind of thinking can even result in a lack of evidence being held up as evidence. Any demand for more evidence comes to be seen as dangerous, a waste of time while the clock counts down to possible doom. As President Bush warned in October 2002, “we cannot wait for the final proof, the smoking gun could come in the form of a mushroom cloud.” Preventive action based in ignorance, therefore, becomes the preferred approach to policy.
The second Iraq war is but the most recent example of the dangers of letting a fear-based precautionary logic drive policy. Cyber security may just be the next example. James Lewis, writing in Foreign Policy, says that Secretary Panetta’s speech indicates that the Department of Defense is effectively taking over U.S. cyber security, a development that can only make sense if we have been focused on fantastical visions of cyber doom rather than the threats that are “real and exist today.” The only other possibility is that, as a nation, we really do want the military in charge of protecting our personal identities and guarding against illegal downloading of music and movies.
- TESTIMONY-BY: JOHN D. ROCKEFELLER IV, SENATOR, COMMITTEE: SENATE HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS, CQ Congressional Testimony, 16 February 2012. ↩
- CONGRESSIONAL RECORD, SENATE, Vol. 158, No. 24, 14 February 2012. ↩
- Judith Stiehm (2002) The U.S. Army War College: Military Education in a Democracy (Philadelphia: Temple University Press). ↩
- Thomas Elias, ‘Toffler: Computer Attacks Wave of Future’, South Bend Tribune (Indiana) (2 January 1994). ↩