Is the cyber threat overblown?

Am I the only person — well, besides Glenn Greenwald and Kevin Poulson — who thinks the "cyber-warfare" business may be overblown? It’s clear the U.S. national security establishment is paying a lot more attention to the issue, and colleagues of mine — including some pretty serious and level-headed people — are increasingly worried by the danger of some sort of "cyber-Katrina." I don’t dismiss it entirely, but this sure looks to me like a classic opportunity for threat-inflation.

Mind you, I’m not saying that there aren’t a lot of shenanigans going on in cyber-space, or that various forms of cyber-warfare don’t have military potential. So I’m not arguing for complete head-in-the-sand complacency. But here’s what makes me worry that the threat is being overstated.

First, the whole issue is highly esoteric — you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be.  Unfortunately, details about a number of the alleged incidents that are being invoked to demonstrate the risk of a "cyber-Katrina," or a cyber-9/11, remain classified, which makes it hard for us lay-persons to gauge just how serious the problem really was or is. Moreover, even when we hear about computers being penetrated by hackers, or parts of the internet crashing, etc., it’s hard to know how much valuable information was stolen or how much actual damage was done. And as with other specialized areas of technology and/or military affairs, a lot of the experts have a clear vested interest in hyping the threat, so as to create greater demand for their services. Plus, we already seem to have politicians leaping on the issue as a way to grab some pork for their states.

Second, there are lots of different problems being lumped under a single banner, whether the label is "cyber-terror" or "cyber-war." One issue is the use of various computer tools to degrade an enemy’s military capabilities (e.g., by disrupting communications nets, spoofing sensors, etc.). A second issue is the alleged threat that bad guys would penetrate computer networks and shut down power grids, air traffic control, traffic lights, and other important elements of infrastructure, the way that internet terrorists (led by a disgruntled computer expert) did in the movie Live Free and Die Hard. A third problem is web-based criminal activity, including identity theft or simple fraud (e.g., those emails we all get from someone in Nigeria announcing that they have millions to give us once we send them some account information). A fourth potential threat is “cyber-espionage”; i.e., clever foreign hackers penetrate Pentagon or defense contractors’ computers and download valuable classified information. And then there are annoying activities like viruses, denial-of-service attacks, and other things that affect the stability of web-based activities and disrupt commerce (and my ability to send posts into FP).

This sounds like a rich menu of potential trouble, and putting the phrase "cyber" in front of almost any noun makes it sound trendy and a bit more frightening. But notice too that these are all somewhat different problems of quite different importance, and the appropriate response to each is likely to be different too. Some issues — such as the danger of cyber-espionage — may not require elaborate technical fixes but simply more rigorous security procedures to isolate classified material from the web. Other problems may not require big federal programs to address, in part because both individuals and the private sector have incentives to protect themselves (e.g., via firewalls or by backing up critical data). And as Greenwald warns, there may be real costs to civil liberties if concerns about vague cyber dangers lead us to grant the NSA or some other government agency greater control over the Internet.  

Third, this is another issue that cries out for some comparative cost-benefit analysis. Is the danger that some malign hacker crashes a power grid greater than the likelihood that a blizzard would do the same thing? Is the risk of cyber-espionage greater than the potential danger from more traditional forms of spying? Without a comparative assessment of different risks and the costs of mitigating each one, we will allocate resources on the basis of hype rather than analysis. In short, my fear is not that we won’t take reasonable precautions against a potential set of dangers; my concern is that we will spend tens of billions of dollars protecting ourselves against a set of threats that are not as dangerous as we are currently being told they are.

I hasten to add that this isn’t my area of expertise and I may be completely wrong about it. What I would really like, therefore, is for an objective, blue-ribbon commission to look carefully at this question. Here’s a possible example of what I have in mind, but I can’t tell how reliable its conclusions are likely to be. Why? Because I can’t tell how many of its members are people with a stake in the outcome. Makes me wish somebody like Richard Feynman was still around to chair it.