[Infowarrior] - Is the cyber threat overblown?

Richard Forno rforno at infowarrior.org
Sat Apr 3 12:29:54 UTC 2010


Is the cyber threat overblown?
Posted By Stephen M. Walt  Tuesday, March 30, 2010 - 4:14 PM

http://walt.foreignpolicy.com/posts/2010/03/30/is_the_cyber_threat_overblown

Am I the only person -- well, besides Glenn Greenwald and Kevin  
Poulsen -- who thinks the "cyber-warfare" business may be overblown?  
It’s clear the U.S. national security establishment is paying a lot  
more attention to the issue, and colleagues of mine -- including some  
pretty serious and level-headed people -- are increasingly worried by  
the danger of some sort of "cyber-Katrina." I don't dismiss it  
entirely, but this sure looks to me like a classic opportunity for  
threat-inflation.

Mind you, I'm not saying that there aren't a lot of shenanigans going  
on in cyber-space, or that various forms of cyber-warfare don't have  
military potential. So I'm not arguing for complete head-in-the-sand  
complacency. But here’s what makes me worry that the threat is being  
overstated.

First, the whole issue is highly esoteric -- you really need to know a  
great deal about computer networks, software, encryption, etc., to  
know how serious the danger might be.  Unfortunately, details about a  
number of the alleged incidents that are being invoked to demonstrate  
the risk of a "cyber-Katrina," or a cyber-9/11, remain classified,  
which makes it hard for us lay-persons to gauge just how serious the  
problem really was or is. Moreover, even when we hear about computers  
being penetrated by hackers, or parts of the internet crashing, etc.,  
it’s hard to know how much valuable information was stolen or how much  
actual damage was done. And as with other specialized areas of  
technology and/or military affairs, a lot of the experts have a clear  
vested interest in hyping the threat, so as to create greater demand  
for their services. Plus, we already seem to have politicians leaping  
on the issue as a way to grab some pork for their states.

Second, there are lots of different problems being lumped under a  
single banner, whether the label is "cyber-terror" or "cyber-war." One  
issue is the use of various computer tools to degrade an enemy’s  
military capabilities (e.g., by disrupting communications nets,  
spoofing sensors, etc.). A second issue is the alleged threat that bad  
guys would penetrate computer networks and shut down power grids, air  
traffic control, traffic lights, and other important elements of  
infrastructure, the way that internet terrorists (led by a disgruntled  
computer expert) did in the movie Live Free and Die Hard. A third  
problem is web-based criminal activity, including identity theft or  
simple fraud (e.g., those emails we all get from someone in Nigeria  
announcing that they have millions to give us once we send them some  
account information). A fourth potential threat is “cyber-espionage”;  
i.e., clever foreign hackers penetrate Pentagon or defense  
contractors’ computers and download valuable classified information.  
And then there are annoying activities like viruses, denial-of-service  
attacks, and other things that affect the stability of web-based  
activities and disrupt commerce (and my ability to send posts into FP).

This sounds like a rich menu of potential trouble, and putting the  
phrase "cyber" in front of almost any noun makes it sound trendy and a  
bit more frightening. But notice too that these are all somewhat  
different problems of quite different importance, and the appropriate  
response to each is likely to be different too. Some issues -- such as  
the danger of cyber-espionage -- may not require elaborate technical  
fixes but simply more rigorous security procedures to isolate  
classified material from the web. Other problems may not require big  
federal programs to address, in part because both individuals and the  
private sector have incentives to protect themselves (e.g., via  
firewalls or by backing up critical data). And as Greenwald warns,  
there may be real costs to civil liberties if concerns about vague  
cyber dangers lead us to grant the NSA or some other government agency  
greater control over the Internet.

Third, this is another issue that cries out for some comparative  
cost-benefit analysis. Is the danger that some malign hacker crashes a  
power grid greater than the likelihood that a blizzard would do the  
same thing? Is the risk of cyber-espionage greater than the potential  
danger from more traditional forms of spying? Without a comparative  
assessment of different risks and the costs of mitigating each one, we  
will allocate resources on the basis of hype rather than analysis. In  
short, my fear is not that we won't take reasonable precautions  
against a potential set of dangers; my concern is that we will spend  
tens of billions of dollars protecting ourselves against a set of  
threats that are not as dangerous as we are currently being told they  
are.

I hasten to add that this isn't my area of expertise and I may be  
completely wrong about it. What I would really like, therefore, is for  
an objective, blue-ribbon commission to look carefully at this  
question. Here's a possible example of what I have in mind, but I  
can't tell how reliable its conclusions are likely to be. Why? Because  
I can't tell how many of its members are people with a stake in the  
outcome. Makes me wish somebody like Richard Feynman was still around  
to chair it. 
   

