A new report suggests that lawmakers, policy wonks and
corporations are sensationalizing the risk of cyber attacks far beyond the
actual threat. The inflation of cyber security threat, like the inflation of the threat of Communism during the Cold War, or terrorist acts in the wake of the 9/11 attacks, could lead to laws
that curtail individual freedoms and regulate the Internet in
unnecessary ways, the report concludes.
The paper by Jerry Brito and Tate Watkins at the Mercatus Center at George Mason University is “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy”
(PDF). It appears in an environment of heightened debate about the
breadth and consequences of U.S. government investments in cyber
security. Incidents like the breach at security firm HB Gary have raised the specter of sophisticated cyberwarfare tools and tactics being used for civilian or commercial ends. At the same time, independent
research has thrown a shadow of doubt over official and industry
proclamations about the comparative strength of nations like China or its ability to triumph should a cyber war actually happen.
Warnings about a pending “digital Pearl Harbor” have been floating
around for much of the last decade, but have often had difficulty
catching the notice of lawmakers who were more focused on dirty bombs
than ddos attacks. Today, after high profile cyber attacks the U.S. and
other governments and western technology and defense firms have made
headlines, politicians and policy makers have suddenly “discovered” the
cyber threat. But now the pendulum may be swinging too far in the other direction.
Brito and Watson compare the current panic about cyber
security among the Washington D.C. political and policy elite with the
Bush Administration’s now notorious run up to Operation Iraqi Freedom,
the 2003 invasion of Iraq that toppled Saddam Hussein.
As with the
alleged ties between Saddam Hussein and Al Queda, and the rumored
weapons of mass destruction (WMD) hidden in Iraq, warnings about the
looming threat of cyber war are hard to justify based on facts, the
researchers suggest. Seminal reports like the Center for Strategic and
International Studies’ Commission on Cyberssecurity for the 44th
Presidency and the 2010 book Cyber War by former presidential
cybersecurity advisor Richard Clarke and Council on Foreign Relations
fellow Richard Knake rely more on innuendo than fact – portraying the U.S. as defenseless,
painting worst case scenarios about the real world fallout of a
successful cyber attack and insinuating about shadowy “planned attacks”
on U.S. infrastructure and ongoing actions
to create the impression of a pressing crisis. The prescription, in
both cases, is more regulation of the Internet” – a step the reports
authors say is hardly justified by the evidence.
The report is no
kinder to the media, which it accuses of accepting the dark picture
painted by Clarke, the CSIS at face value. Indeed, leading outlets like
The New York Times and Wall Street Journal have trumpeted defense
industry and Beltway claims of dire breaches without requiring named
sources for any of the information. The authors take particular umbrage
with the Wall Street Journal, where reporter Siobhan Gorman rang up a
series of cybersecurity scoops about breaches of classified netowrks,
all sourced to unnamed “current and former government officials.”
While
subsequent reporting contradicted some of the claims of the Journal
reports, “without any official statement on the matter, the result of
these reports can well be to raise public alarm without offering a clear
sense of the scope or magnitude of the threat,” the report concludes.
Finally,
the authors warn of the emergence of a “cyber industrial complex,” akin
to the military industrial complex that grew up in response to the
demands of the Cold War. Firms like McAfee, Symantec, Checkpoint and
traditional defense contractors are now positioning themselves to take
advantage of increased spending oncybersecurity, in an environment of
overall cuts to defense spending – competing against the likes of
Lockheed Martin, Boeing, SAIC and Northrop Grumman, the authors said.
The
proposals to secure cyberspace: recommendations for closer monitoring
of Internet traffic by telecommunications and the government, changes to
core Internet protocols that would make it easier to identify the
source of attacks and those behind them. The premise of these programs:
that there is a “market failure,” and that private sector remedies are
inadequate to the cyber threat are only tenuously supported by tangible
evidence – if at all, they say.
Before creating new policies in
response to poorly scoped cyber threats, the authors recommend that
policy makers in the U.S. abandon the heated cyberwar rehtoric and
declassify information related to cyber threats so that the public can
properly sort out the true nature of the threat and the ways in which
new policies, laws and expenditures of tax dollars might best address
them.
