We marched into Baghdad on flimsy evidence and we might be about to make the same mistake in cyberspace.
Over the past few weeks, there has been a steady drumbeat of alarmist rhetoric about potential threats online. At a Senate Armed Services Committee hearing this month, chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.”
The increased consternation began with the suspected Chinese breach of Google’s servers earlier this year. Since then, press accounts, congressional pronouncements, and security industry talk have increasingly sown panic about an amorphous cyberthreat.
According to McConnell, now a vice president at Booz Allen Hamilton, “our power grids, air and ground transportation, telecommunications, and water-filtration systems are in jeopardy.” More recently, Sens. Jay Rockefeller (D) and Olympia Snowe (R) wrote about “sophisticated cyber adversaries” with the potential “to disrupt or disable vital information networks, which could cause catastrophic economic loss and social havoc.”
Yet none of the prognosticators of disaster presents any evidence to sustain their claims. They mention the Google breach, but that was an act of espionage that, while serious, did not lead to catastrophe.
There have been and continue to be many “cyberattacks” on government and private networks, from the Korea attacks to the denial-of-service attacks during the Georgia-Russia war. To be sure, these attacks are a serious concern and we should continue to study them.
But so far, these types of events tend to be more of a nuisance than a catastrophe. The biggest result is that websites are down for a few hours or days.
This shows that security should be a serious concern for any network operator. It does not show, however, that these attacks can lead – much less have ever led – to the types of doomsday scenarios that politicians imagine. There is no evidence that these attacks have ever cost any lives or that any type of critical infrastructure has ever been compromised: No blackouts, no dams bursting, no panic in the streets.
The cyberalarmist rhetoric conflates the various threats we might face into one big ball of fear, uncertainty, and doubt. This week for example, the director of the Central Intelligence Agency announced that a cyberattack could be the next Pearl Harbor.
Cyberwar, cyberespionage, cyberterrorism, cybercrime – these are all disparate threats. Some are more real than others, and they each have different causes, motivations, manifestations, and implications. As a result, there will probably be different appropriate responses for each.
Unfortunately, the popular discussion largely clumps them into the vague and essentially meaningless “cyberthreat” category.
Let’s take a deep breath.
Before we can effectively address any of these amorphous “cyberthreats,” we must first identify what, specifically, these threats are and to what extent the federal government plays a role in defending against them.
The war metaphor may be useful rhetoric, but it is a poor analogy to the dispersed and different threats that both public and private information technology systems face.
The fact is, as long as we have had networks, they have been under attack. But over the past 20 years network operators have developed effective detection, prevention, and mitigation strategies.
This is why we should be wary of calls for more government supervision of the Internet. Last week, as part of its National Broadband Plan, the Federal Communications Commission began an inquiry into whether to establish a “voluntary cybersecurity certification program.” Through the program the FCC would certify communication service providers based on a set of cybersecurity standards developed directly by the FCC, or indirectly through a third party.
More ominously, Senators Rockefeller and Snowe have introduced the Cybersecurity Act of 2010 that aims to change how the Internet works in the name of security. It would also create a national system of licensing for security professionals, and would dole out millions of dollars in cyberpork to “regional cybersecurity centers” and other programs.
At the heart of calls for federal involvement in cybersecurity is the proposition that we reengineer the Internet to facilitate better tracking of users in order to pinpoint the origin of attacks. The Rockefeller-Snowe bill looks to develop such a “secure domain name addressing system.”
That’s a slippery slope.
And there’s the fact that we have seen a wasteful military-industrial complex develop before, and in this rush to “protect” we might be seeing a new one blossoming now. The greater the threat is perceived to be – and the less clearly it is defined – the better it is for defense contractors like Booz Allen Hamilton, which last week landed $34 million in Defense Department cybersecurity contracts.
That money could certainly be put to better use right now.
Anyone concerned about net neutrality or civil liberties – in particular online privacy and anonymity – should take notice. Before the country is swept by fear and we react too quickly to the “gathering threat” of cyberattacks, we should pause to calmly consider the risks involved and the alternatives available to us.
Rather than pass a sweeping “cyberdefense” bill right away, Congress should take the time to untangle the different threats that confront us and make sure they are addressing each appropriately. If not, we will be saddled with an overreaching one-size-fits-all result.
Giving the military and federal agencies the tools to protect their online assets might be an appropriate first response. But reengineering the Internet and imposing standards and licensing on the most innovative sector of our economy should give us pause. There is no reason to rush to action.