The New York Times dutifully reports that the Director of National Intelligence says it is. But it’s hard to know what that means. The word “cyberattack” has no usefully fixed definition.
And the important questions—plural—include: 1) whether cyberattacks—plural—are growing in number and sophistication more quickly than the capability of infrastructure owners to fend them off and recover from them; 2) which, if any, owners lack incentives to secure their infrastructure and what security externalities they might create; and 3) what levers—such as contract liability, tort liability, or regulation—might correct any such market failures.
Some lines in Director Blair’s statement are quite telling. Compare this:
Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens.
The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders.
Now, which class of actors are you going to worry about—the ones that dream of doing something bad? Or the ones that have the sophistication to do something bad? Probably the latter.
While calling for a federal intelligence-community role in “cybersecurity,” Blair confesses that this is more of a crime problem that the business sector needs to handle than a true national security issue in which the leading role would be played by government.
The good news is that crime syndicates don’t prosper by killing their hosts. Don’t look for catastrophic failure of our technical infrastructures arising from this most serious of “cyber” threats.
There’s no question that cybersecurity is important. But it’s also manageable. I shared my thoughts on “cybersecurity” last year with the House Science Committee.