On Feb. 14th, 2012, Jerry Brito and Tate Watkins wrote a provocative article for Wired. The authors expressed skepticism for the national response to cyber-threats and drew parallels between reports of possible cyberattacks and the "threat inflation we saw in the run-up to the Iraq War." Specifically, the authors argued that supporters of cybersecurity regulations are conflating cyber threats by talking up the possibility of critical infrastructure failure and cyber-catastrophes. In fact, the authors argue that the debate over cybersecurity legislation has lead the US into a "cyber-industrial complex."
To support their argument, the authors pointed to the lack of verifiable evidence of cyber-catastrophe. Essentially, we often hear about the possibility of hackers attacking critical infrastructure and causing mass mayhem. However, is there any evidence that such mass mayhem has a strong possibility of occurring? The authors don't believe so. In fact, they dismissed a number of reports of possible cyber-attacks on electric grids (including many mentioned by Richard Clarke in his book Cyber War). Moreover, the authors questioned the veracity of the WSJ report of logic bombs within the US electric grid because the article's only source "were anonymous U.S. intelligence officials."
In the end, the authors truly believe that there is little verifiable evidence that the US is at risk of a catastrophic cyberattack. Yes, there is a risk of catastrophic cyber-attack, and yes, that attack would cause serious damage, but it has a low probability of occurrence. Notably, the authors didn't equate cyber-espionage (which there is overwhelming evidence of) with a national catastrophe.
Without verifiable evidence of a risk of catastrophic cyber-attack, the authors believe that maybe we're being lead on. Again drawing parallels to the run up of the 2003 Iraq War, the threat conflation around cybersecurity resembles the Bush administration's pursuit of the Iraqi nuclear program and yellowcake uranium. Why are we being led on? "Washington teems with people who have a vested interest in conflating and inflating threats to our digital security."
The authors recommended that policy makers "clear the air" on cybersecurity by dropping the "apocalyptic rhetoric", declassifying evidence, and making a clear divide between cybersecurity, cyber-espionage, and cybercrime.
The article concluded with that ubiquitous reference to Eisenhower's speech warning against the military-industrial complex. Too avoid the cybersecurity-industrial complex, the authors believe that we must "trust but verify."
You can find the Wired source article here.
Leave a Reply