A recent piece in Fortune exhorts us to act now to improve cybersecurity because cyber doom is coming if we don’t. “Cyber” could be as bad or worse than 9/11, Pearl Harbor, or even nukes!
With senior defense officials raising alarms about the potential for a “Cyber 9/11†or a “Cyber Pearl Harbor,†however, there is an opportunity to take decisive action now on the issue that is among the most critical to America’s physical and economic security.
Step one, we’re told, is to truly understand the risks we face:
When most people think about cyber security right now, what comes to mind is the theft of personal data through hacking e-mails or stealing passwords. For the average American, the risk feels more like a nuisance than a threat to our existence.
They think that because that’s the vast majority of what is really happening in cybersecurity now. And it has been for the 25 years that “senior defense officials” have been warning of imminent cyber Pearl Harbors.
Respected military officials, however, have asserted that cyber potentially poses a more immediate threat to our collective security than even nuclear weapons.
Doom Scenarios are Not the Immediate Cybersecurity Threat
No “respected military officials” are named in the Fortune piece. I can think of a couple who have said the opposite, however. General Michael Hayden has said:
Leon Panetta spent a lot of time in his last year or two in government talking about cyber Pearl Harbor, digital 9/11, catastrophic attack. I don’t think that’s what we have to worry about.
Similarly, Director of National Intelligence, General James Clapper, has said:
Rather than a “Cyber Armageddon†scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security. (PDF)
Obsession with Cyber Doom is Part of the Problem
What’s more, this obsession with hypothetical cyber doom scenarios is partly to blame for U.S. flat-footedness in the face of Russian information operations during the election. The Wall Street Journal and James Lewis of CSIS put it well, when they said,
For years, U.S. government officials have warned of a “cyber 9/11,†a catastrophic hacking attack that would bring down the electrical grid or cause death and physical destruction. Apparent Russian attempts to sow discord in the U.S. election highlight both the risks of more mundane attacks and a new weapon in information wars: the disclosure of hacked information to influence policy or public perception.
“We tend to over-militarize everything and spend our time looking for a cyber 9/11, and Russia completely went around us on it,†said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “Our doctrine is very much about protecting critical infrastructure, and their doctrine is about information warfare.
Join the Cyber Reality Based Community
The proper response, then, to the recent uptick in public and policymaker attention to cybersecurity matters is not to focus once again on the same, tired cyber doom scenarios we’ve focused on for 25 years. Instead, it’s time to join the reality-based community and work to address the cyber threats we actually face, even if those are not as sexy as hypothetical cyber doom.
