Electronic Pearl Harbor? More Hype Than Threat

Some day soon, society as we know it is going to collapse, or so we are told. Why? Our computer networks will be attacked by hostile states or terrorist groups, and the nation’s critical infrastructure will crash. At least that is the conventional wisdom. Preparing for an eventual cyber attack has been a growing industry for years now. Think tanks have been cranking out tomes, and the defense industry has been holding conferences to solemnly announce the emergence of the latest threat.

There is just one thing wrong: “There is no there, there,” to quote Gertrude Stein’s famous reference to Oakland. Mark Twain once said, “The rumors of my death have been greatly exaggerated.” The same could be said of the imminence of information-warfare.

This hype is nothing short of amazing when you consider that there still is no single definition of “information warfare” that is accepted government wide. Yet we are spending billions of dollars a year on various operations to prevent cyber attacks at the Pentagon.

That is not to say, of course, that fears of information warfare are totally off base. Certainly, over the years, we have seen many deliberate disruptions of Web sites and e-mail servers, and we have been victimized by various viruses. But most of those incidents have been merely garden-variety nuisances — not the work of a rogue state or a hostile terrorist group.

The problem is that we have been inundated by inaccurate and misleading reporting about the information warfare — which is usually encapsulated by the phrase “Electronic Pearl Harbor.” This, we take as a given that which has yet to be shown as a true threat. In fact, the reporting is so exaggerated that now there are Web sites devoted to debunking the myths around threats posed by computer viruses. Of course, those Web sites are in the minority. The vast majority of the sites — as well as media at large — exaggerate the threat.

Ironically, we may do more injury to ourselves simply by overreacting than any enemy has done or is likely to do. In July 1999, civil libertarians vehemently protested a draft proposal by the Clinton administration’s Office of Transnational Threats. The plan called for the creation of a new program called the Federal Intrusion Detection Network (FIDNET). If ever implemented, FIDNET could allow authorities — including the FBI — access to nonmilitary networks and eventually to some private computer networks. The FBI could then scout for serious penetrations by cyber-savvy criminals, terrorists or foreign governments, all of whom hope to steal information or cause damage to the nation’s critical infrastructure. FIDNET would result in a huge invasion of privacy — the need for which is questionable, given the paucity of major cyber incidents.

Many of the press stories about such incidents are recycled versions of stories that were misreported in the first place. For example, a Network World article on September 13, 1999 noted that the U.S. government is increasingly worried that foreign infiltrators, with the help of foreign-born programmers, are building secret “trap doors” into government and corporate networks. Anonymous CIA analysts were quoted as being worried about the threat. The only problem, according to George Smith, editor of the Crypt Newsletter, is that a similar erroneous story was first circulated back in the late 1980s and has been periodically recycled since.

Another classic myth — that keeps resurrecting itself and has assumed the status of grand proportion — is the Gulf War Virus hoax. For example, in November 1998, the Center for Strategic and International Studies released a report on the dangers of “hackers” and nebulous terror emanating from the Internet. Titled “Cybercrime, Cyberterrorism, Cyberwarfare: Averting an Electronic Waterloo,” the CSIS study reported very little that was new. It did, however, pass on a number of myths. For example, the authors — William Webster, former head of the CIA, and Arnaud de Borchgrave, chief of United Press International — got hooked on the now infamous Gulf War Virus hoax. The two CSIS authors wrote in the foreward: “The United States has readied a powerful arsenal of cyberwaepons… . planting logic bombs in foreign computer networks to paralyze a would-be opponent’s air defense system.”

Interesting reading, yes. Accurate, no. The origin of the hoax: an April Fool’s story claiming that the National Security Agency had developed a computer virus to attack Iraq’s air-defense computers during the Persian Gulf War. The way in which the CSIS report presents this hoax indicates the information was taken from either of two books known to be contaminated by that hoax: James Adams’s The Next World War or Triumph without Victory published by U.S. News & World Report.

Does that mean that there is no threat to U.S. computer networks? No. But, to paraphrase the immortal words of Pogo, it means that we have met the enemy, and he is us — that is, our own lackadaisical computing habits, misleading press reporting and government overreaction. Those problems may be worse than the threat itself.

David Isenberg is an adjunct scholar at the Cato Institute.