How scared should we be?
Find someone who works on security, find an alarmist.
Whether it's the IT guys where you work pestering you to change your password every couple of weeks, to a general briefing from Congress on "emerging" threats (that will require big new spending to counter, of course), people who are paid to worry about danger always overestimate on the downside.
And fair enough. When the worst happens, the outraged cry goes up: "Why didn't you see this coming and prevent it?!" (frequently from the same people who were cutting budgets on security, e.g. Benghazi). It's generally a good idea to have your security people losing sleep at night over insecurity.
But the discussion in the US of the security of government computers can be exasperating in its hyperbole, even when it's dealing with real threats. Consider Defense Secretary Leon Panetta last month. In an Oct. 11 speech on "cybersecurity" (the charmingly archaic "cyber" seems to live on only in government discourse about modern information technology), he seemed to suggest that a computer virus or infiltration of government computers by a hostile foreign power could kill thousands of Americans.
"Before Sept. 11, 2001, the warning signs were there. We weren't organized. We weren't ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment," Panetta said. "The greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyber attack perpetrated by nation states (or) violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation."
The Sept. 11, 2001 attacks on New York and Washington claimed nearly 3,000 lives. That led the US into two wars that claimed thousands more American lives and those of tens of thousands of Afghans and Iraqis. As far as I'm aware, the current cumulative death toll from "cyberattacks" globally is zero.
This isn't to downplay the real Internet security arms race. Do the Chinese, or the Russians, want to use computer viruses and other forms of electronic snooping to steal US secrets? Obviously. Can computer viruses be used as weapons, to perhaps infiltrate the control systems of missiles or electric grids? You only have to look at the Stuxnet virus that successfully targeted Iran's nuclear enrichment program to see the reality of that.
Clearly a lot of brain power is going in to malicious software, from governments to gangsters. And of course, there's lots of gray area, with all of the data-mining programs that now run in the background of our Internet use, compiling databases of personal information to better target everything from pitches to buy new cars to campaigns for politicians. Or efforts to game online advertising (this story today claims that automated Internet use – bots – jumped to 36 percent of all Internet traffic from 6 percent last year, mostly due to scams to victimize online advertisers).
Another story that caught my eye today on this comes from Bloomberg, which got a peek of a draft of an annual Internet security report for Congress.
"China is 'the most threatening actor in cyberspace' as its intelligence agencies and hackers use increasingly sophisticated techniques to gain access to U.S. military computers and defense contractors," Bloomberg summarizes.
One statistic in that story is highly suggestive of Chinese interest in exploiting the Internet, though I'd bet a lot of the activity is commercial fraud mixed in among Peoples Liberation Army efforts. Apparently, statistics from the company Cloudfire show that on an average day, 15 percent of Internet activity is malicious – viruses, attempted hacks, malware, and so on. Yet on a major Chinese holiday last year malicious traffic plummeted to 6.5 percent of the total.
Suggestive, to be sure.
But so far, computer code doesn't kill. Certainly not directly. On my personal fear scale, I rate "cyberterrorism" a "meh."