We Don’t Want the Cybersmoking Cybergun to Be a Cybermushroom Cybercloud

The House Committee on Homeland Security held a hearing today bearing the unsubtle title: “America is Under Cyber Attack: Why Urgent Action is Needed.” With the conclusion fixed in advance of the testimony—which, as promised, uniformly prophesied imminent cybercataclysm—you’d think the real question would be why a hearing was needed. The answer, of course, is to frighten off any second thoughts about cybersecurity legislation due for consideration this Friday, to which opposition has been mounting among some techies and civil libertarians.

Jim Harper has already done plenty of excellent work puncturing the more apocalyptic hype around cybersecurity—a favorite at this hearing was “Cyber Pearl Harbor”—which I need not rehash here. Even bracketing the question of how realistic some of the threat scenarios are, however, what struck me was that “cyber attack” is really something of a category error, at least as used at this hearing, where “attack” carries the grim overtones of a national security threat, and “America” as a whole is the target.  In reality, you have a range of security problems facing a diverse array of public and private entities. Some are analogous to conventional state or terror-group sponsored attacks or espionage.  Most are the digital equivalents of what we’d normally label “crime”: theft, vandalism, corporate espionage, and so on.

At the extreme end, you have largely hypothetical attacks on the SCADA control systems that operate critical infrastructure like power plants or transportation networks. These have the potential to inflict the kind of damage we’d associate with a physical attack, but we’ve only got one known real-world instance of this, and experts agree that it was almost certainly born in the USA. Such attacks are rare because they’re very difficult to carry off, involve identifying and exploiting vulnerabilities in uncommon task-specific software systems, and would most likely require insider complicity—which means they’re probably best conceived as one aspect of the more general problem of hardening critical infrastructure targets. Ditto for attempts to compromise systems with sensitive government data—a hard problem for government IT departments, but not one Congress has an obvious role in beyond appropriating the necessary funds.

Then you have the vast majority of actual successful “cyber attacks,” which target ordinary private systems, and range from sophisticated spear-phishing efforts aimed at exfiltrating valuable corporate commercial data to simple DDOS attacks launched by “script kiddies.” Some of these are serious and costly—but the costs are primarily borne by the targeted entities, which will more likely have the incentive, responsibility, and local knowledge required to respond appropriately.

These aren’t entirely unrelated problems: A malware-infected private computer may be conscripted into a botnet or serve as a staging ground for an attack on a more critical target. But it hardly seems conducive to sober policy making to lump them together under the general heading of “cybersecurity.” First, because resources aren’t going to be prioritized well if officials in the grip of apocalyptic mass-casualty scenarios start throwing money at programs that are primarily about making it harder for Anonymous to crash websites. Second, because the nature and scope of (for instance) the information sharing that might facilitate security improvements, and the privacy interests implicated by such sharing, may be quite different for these different types of cases, and be better dealt with under separate rubrics to the extent government has a role to play at all.