John Mueller and Benjamin Friedman, The Cyberskeptics

July 7, 2014

This website collects and links writing challenging the popular notion that cyberdoom is approaching. In the last few years, concerns about cybercrime, cyberterrorism, and cyberwar have escalated dramatically in the United States. Billions of dollars are being thrown at these problems, and most of the discussion is alarmist in the extreme.

A major example is the best-selling 2010 book by Richard Clarke and Robert K. Knacke, Cyberwar: The Next Threat to National Security and What to Do About It. By 2011, Mike Mullen, then Chair of the Joint Chiefs of Staff declaimed: "The biggest existential threat out there [as opposed to small existential threats, presumably] is cyber," and in 2012, his successor told a Harvard audience that "A cyber attack could stop our society in its tracks." Late in the year, Defense Secretary Leon Panetta sternly warned of an impending "digital Pearl Harbor."

The articles and papers summarized and linked below provide some balance to the discussion. The authors generally support judicious efforts to secure technology and information systems against hacking, theft, and espionage but believe that the national security threat from cyberattacks has been greatly exaggerated. The articles are categorized by subject, though most of them touch on several of the topics...

General Cyberalarm

  • Jerry Brito and Tate Watkins question the factual claims generally offered to support the conclusion that cyberattacks are a massive new security danger and highlights parallels between prior episodes of threat inflation by media, industry and government — the missile and bomber gaps in the Cold War and the run-up to the Iraq War — and what is currently occurring in cyber-security. They suggest that cybersecurity policy should be based on better evidence and on cost-benefit analysis.

    Jerry Brito and Tate Watkins, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," Harvard National Security Journal, Vol. 3, No. 1 (April 26, 2011), pp. 39-84.

    Also see:
    Jerry Brito and Tate Watkins, "The Cybersecurity-Industrial Complex," Reason, August/September 2011.

    Jerry Brito and Tate Watkins, "Cyberwar Is the New Yellowcake," Wired, February 14, 2012.
  • Allan Friedman sets out differences between various cybersecurity risks, differentiating especially national security concerns from those involving cybercrime. He advocates a risk management approach to these dangers, warning that many security efforts go too far and can overwhelm the benefits of information technology.

    Allan Friedman, "Economic and Policy Frameworks for Cybersecurity Risks," Center for Technology Innovation at Brookings, July 21, 2011.
  • Jim Harper's Congressional testimony urges a sober response to cyber threats and discusses problems, especially concerning civil liberties, related to the sorts of internet regulation proposed by cyber-alarmists. He discusses market or liability based alternatives to proposed regulations.

    Jim Harper, "Assessing Cybersecurity Activities at NIST and DHS," Testimony before the Subcommittee on Technology & Innovation, Committee on Science and Technology, United States House of Representatives, June 25, 2009.
  • Sean Lawson examines hypothetical scenarios often said to result from cyberattacks, and finds that such scenarios are unrealistic. Lawson argues that cybersecurity policy should be based not on worst-case scenarios but rather on empirical evidence of threats, and it should allow decentralized responses by various security providers.

    Sean Lawson, "Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History," Mercatus Center, Vol. 10, No. 77 (January 2011).

    Also see:
    Sean Lawson, "Cyberwar Hype Comes Under Increasing Scrutiny," Forbes, April 28, 2011.
  • Evgeny Morozov argues that most cybersecurity threats are either inherently minor or vastly overblown. He also discusses the murky legal issues around cyber attacks, such as liability and Geneva Convention considerations, and suggests that we should slow the offensive measures being researched in the United States and work instead to improve on the already considerable resilience of internet infrastructure.

    Evgeny Morozov, "Cyber-Scare: The Exaggerated Fears over Digital  Warfare," Boston Review, July/August 2009.

    Also see:
    Evgeny Morozov, "Battling the Cyber Warmongers," The Wall Street Journal, March 8, 2010.
  • Bruce Schneier argues that a political struggle for control of cybersecurity is generating alarming stories about the cyber dangers. The military, by framing online acts that are actually hacking, espionage, theft, or political activism as war, is coming out on top of that struggle. The security of its online information is certainly a valid military function, but by surrendering to the notion that we are now fighting a cyberwar, we needlessly sacrifice power over networks to the government and foster a sense of helplessness.

    Bruce Schneier, "Threat of 'Cyberwar' Has Been Hugely Hyped," CNN, July 8, 2010.

    Also see:
    Bruce Schneier, "So-called Cyberattack Was Overblown," Schneier on Security, July 13, 2009.

    Bruce Schneier, "Chinese Cyberattacks: Myth or Menace?" Schneier on Security, July 2008.
  • Ryan Singel's review debunks Richard Clarke's claims about the past damage that hackers caused, especially about major power outages, and Clarke's lurid predictions about future cyberattacks. He argues that while some of Clarke's regulatory suggestions are sensible, this sort of alarmism encourages overreactions that threaten to the openness of the internet.

    Ryan Singel, "Richard Clarke's Cyberwar: File Under Fiction," Wired, April 22, 2010.

    Also see:
    Ryan Singel, "Is the Hacking Threat to National Security Overblown?" Wired, June 3, 2009.

    Ryan Singel, "Cyberwar Hype Intended to Destroy the Open Internet," Wired, March 1, 2010.
  • Peter Sommer's and Ian Brown's OECD monograph uses quantitative risk assessment to study the likely effects of various types of cyber-attacks and concludes that almost all are unlikely to have global ramifications. They identify areas that could use incremental improvements to prevent losses from cybersecurity failures.

    Peter Sommer and Ian Brown, "Reducing Systemic Cybersecurity Risk," Organization for Economic Cooperation and Development, January 14, 2011.

Cyberwar

  • David Betz criticizes the claims that cyberattacks are typically cheap to mount and anonymous. Sophisticated cyberattacks are often quite costly, requiring state funding, high levels of technical know-how and deep intelligence on the target of the attack. Similarly, the problem of anonymity is more complex then popularly assumed because anonymous attacks have limited effectiveness as a form of coercion. If a state doesn't know where the attack is coming from, it cannot respond to the demands of the attacker. Betz argues that cyberattacks by non-state actors might be more dangerous but notes that violent terrorist organizations have barely attempted such attacks. When network technology has been adopted by such organizations it has been used for non-violent purposes.

    David Betz, "Cyberpower in Strategic Affairs: Neither Unthinkable nor Blessed," Journal of Strategic Studies, Vol. 35, No. 5 (2012), pp. 689-711.

    Also see:
    David Betz, "Cyber Power in Strategic Affairs: Neither Unthinkable nor Blessed," Geopoliticus (blog), Foreign Policy Research Institute, November 28, 2012.
  • Erik Gartzke notes that cyberwar has been described as a revolution in military affairs with the potential even to overturn the prevailing world order. To supplant existing modes of conflict, however, cyberwar must be capable of realizing the political objectives to which force or threats of force are commonly applied, and it largely fails to do so. Cyberattacks are more an adjunct to existing forms of political violence than a substitute. Rather than helping to supplant existing powers, these capabilities will likely protect them by augmenting their military advantages.

    Erik Gartzke, "The Myth of Cyberwar: Bringing War on the Internet Back Down to Earth," International Security, Vol. 38, No. 2 (Fall 2013), pp. 41–73.
  • Martin Libicki argues that cyber attacks are not the great threat that they are often said to be, and that their main danger to U.S. national security comes from overwrought U.S. responses. He contends that a making war in response to a cyber attack would be foolish, and that a prudent counter-cyber strategy avoids unnecessary red lines. The United States, he argues, can limit the risk of cyberattacks by identifying risks in commercial software and encouraging better IT systems management and the development of tools to quickly detect and thwart attacks.

    Martin Libicki, "Don't Buy the Cyberhype," Foreign Affairs (online, August 16, 2013).
  • Adam P. Liff argues against those claiming that the untraceability and offensive bias of cyberweapons will increase the frequency of war and interstate conflict. Drawing on insights from theories of nuclear weapons usage and deterrence, Liff sees the possibility for cyberwarfare capabilities to balance each other and mitigate large scale confrontations. Still, there may be a related increase in small scale nuisance attacks, and large states may be increasingly likely to use computer network attacks as a brute force weapon when there is little opportunity for retaliation.

    Adam P. Liff, "Cyberwar: A New 'Absolute Weapon'? The Proliferation of Cyberwarfare Capabilities and Interstate War," Journal of Strategic Studies, Vol. 35, No. 3 (May 2012), pp. 401-428.

    Also See:
    Adam P. Liff, "The Proliferation of Cyberwarfare Capabilities and Interstate War: Redux: Liff Responds to Junio," Journal of Strategic Studies, Vol. 36, No. 1 (February 2013), pp. 134-138.
  • Jon R. Lindsay argues that the case of the Stuxnet attack against Iran weakens three major assumptions about cyberwarfare: that cyberwarfare grants asymmetric advantages to weaker opponents, favors offensive over defensive action, and is difficult to deter. Stuxnet, a computer worm likely created by U.S. and Israeli state agencies, only managed to damage marginal amounts of centrifuges in Iran. The Iranians quickly discovered the intrusion, and the effects were minor and temporary. Iran's fear of escalation likely deterred any cyber or military response. Stuxnet therefore suggests that cyber attacks will be a tool of rich countries not weak or non-state actors, are of limited value, and can be deterred.

    Jon R. Lindsay, "Stuxnet and the Limits of Cyber Warfare," Security Studies, Vol. 22, No. 3 (August, 2013), pp. 365-404.

    Also See:
    Jon R. Lindsay, "Stuxnet Debate Continues: How Should Cyberweapons Be Used?" WebProNews, July 12, 2012
    Jon R. Lindsay, "International Cyberwar Treaty Would Quickly Be Hacked to Bits," US News and World Report, June 8, 2012
  • Mary Ellen O'Connell argues that we should move away from a military analogy in general and from Cold War deterrence in particular in dealing with cyber issues. International law governing economic activity and communications is more relevant for activity on the internet.

    Mary Ellen O'Connell, "Cyber Security without Cyber War," Journal of Conflict Security Law, Vol. 12, No. 2 (Summer 2012), pp. 187-209.
  • Thomas Rid rejects the term "cyber war," noting that cyber attacks never fit all three characteristics necessary for an act of war: violence, instrumentality, and a political goal. Cyber attacks have always been espionage, sabotage, or subterfuge, falling into a gray area between war and criminality. He argues that cyber-war has never happened and is unlikely to occur.

    Thomas Rid, "Cyber War Will Not Take Place," Journal of Strategic Studies, Vol. 35, No. 1 (February 2012), pp. 5-32.

    Also see:
    Peter McBurney and Thomas Rid, "Cyber-Weapons," RUSI Journal, Vol. 157, No. 1 (February 29, 2012), pp. 6-13.

    Thomas Rid, "Think Again: Cyberwar," Foreign Policy, March/April 2012.

    Thomas Rid, Cyber War Will Not Take Place (London: Hurst, 2013).
  • Brandon Valeriano and Ryan Maness study government-to-government cyber conflict between 2001 and 2011. They find that cyber disputes are rare and have a minimal impact on their targets. They argue that the ease of attacks actually inducing mutual restraint, and that the exaggerated threat of cyber warfare does not require a reorientation of security strategies.

    Brandon G. Valeriano and Ryan Maness, "The Dynamics of Cyber Conflict between Rival Antagonists, 2001-2011" (Working Paper).

    Also see:
    Brandon Valeriano and Ryan Maness, "The Fog of Cyberwar: Why the Threat Doesn't Live Up to the Hype," Foreign Affairs (Online), November 21, 2012.

Cybercrime

  • Ross Anderson and his co-authors give a systematic accounting of the costs of cybercrime. They argue that its costs come largely from the attempts to protect against it, suggesting that resources now used to protect the web against cyber-criminals might be better spent on finding and arresting them.

    Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, "Measuring the Cost of Cybercrime," Paper presented to the Workshop on the Economics of Information Security, June 2012.
  • Dinêi Florencio and Cormac Herley conduct statistical analyses of the measurements often used concerning cybercrime. They argue that the measures are biased and have substantially exaggerated the scope of the problem.

    Dinêi Florencio and Cormac Herley, "Sex, Lies and Cyber-crime Surveys," Microsoft Research, June 2011.

    Also see:
    Dinêi Florencio and Cormac Herley, "The Cybercrime Wave That Wasn't," The New York Times, April 14, 2012.
  • Paul Ohm argues that debates about cybersecurity often overemphasize the importance of so-called "superusers:" technological geniuses who can single handedly perpetrate devastating cyberattacks. Ohm notes that rather then being the work of exceptional individuals, most cybercrime is the work of sophisticated organizations, or low-level hackers with limited capabilities. An emphasis on "superusers" not only leaves countries and individuals more open to these common forms of cybercrime, but runs the risk of wasteful spending on capabilities to prevent a threat that doesn't exist.

    Paul Ohm, "The Myth of the Superuser: Fear, Risk, and Harm Online," UC Davis Law Review, Vol. 41, No. 4 (April 2008), pp. 1327-1402

Cyberterrrorsm and online terrorism training

  • Myriam Dunn Cavelty discusses why fear of cyberterrorism is so pervasive despite no confirmed instances of its occurrence. Cavelty sees this threat perception as a result of efforts to "securitize" information technology. She argues the specific fear of cyberterrorism, as a unique subset of cyber threats, grows out of deeper fears of random violence and confusion about computer technology. In thinking about cybersecurity, Cavelty advocates the adoption of a risk frame that focuses attention on probability. She also considers the benefits of devolving responsibility for cybersecurity from the government to the private sector.

    Myriam Dunn Cavelty, "Cyber-Terror—Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate," Journal of Information Technology and Politics, Vol. 1, No. 4 (2007), pp. 19-36.
  • Mette Eilstup-Sangiovanni, Calvert Jones, Michael Kenney and Anne Stenersen all question the popular notion that terrorism has been greatly aided by the internet. They show that while the internet does serve terrorists as a communication tool, terrorists must take great risks of capture or disruption by organizing plots online, misinformation is rife online, and virtual terrorism training is far inferior to traditional sort.

    Mette Eilstrup-Sangiovanni and Calvert Jones, "Assessing the Dangers of Illicit Networks: Why al-Qaida May Be Less Dangerous Than Many Think," International Security, Vol. 33, No. 2 (Fall 2008), pp. 7–44.

    Michael Kenney, "Beyond the Internet: Metis, Techne, and the Limitations of Online Artifacts for Islamist Terrorists," Terrorism and Political Violence, Vol. 22, No. 2 (April 2010), pp. 177-197.

    Anne Stenersen, "The Internet: A Virtual Training Camp?" Terrorism and Political Violence, Vol. 20, No. 2 (April 2008), pp. 215-233.
  • Peter W. Singer argues that fears of a cyberterror attack are vastly overwrought. Cyberterrorsm has never killed anyone and has done little material damage. While cyber terrorism is worth some concern, sophisticated Stuxnet-like attacks require expertise that terrorists lack. Terrorists tend to use the interest like other groups do, for communications, networking, and marketing. That makes them vulnerable to government tracking and disruption.

    Peter W. Singer, "The Cyber Terror Bogeyman," Armed Forces Journal, November 2012.

Appendix: The Non-Digital Pearl Harbor

  • The cyber-alarmist literature constantly refers to the dangers of "a digital Pearl Harbor." John Mueller examines the damage perpetrated at the actual Pearl Harbor. Although very commonly described as a "disaster" and "catastrophe," the 1941 attacks actually did very little lasting physical damage (beyond the lives lost). There was a dead loss of only two very old battleships, and almost all other damage was quickly repaired. American industry soon supplied new ships and planes in enormous numbers, and the ability of the United States to enter the Pacific War was scarcely delayed. From a military perspective, the attack was essentially an inconvenience. As many of the articles above suggest, that would be the likely consequence of a digital attack.

    John Mueller, "Pearl Harbor: Military Inconvenience, Political Disaster," International Security Vol. 16, No. 3 (Winter 1991/92), pp. 172-203.

To inquire about this subject or suggest additional articles contact John Mueller or Benjamin Friedman.

John Mueller
Senior Research Scientist
Mershon Center
Ohio State University
1501 Neil Avenue
Columbus, Ohio 43201 USA
Senior Fellow
Cato Institute
1000 Massachusetts Avenue, NW
Washington, DC 20001 USA
bbbb@osu.edu

Benjamin Friedman
Research Fellow in Defense and Homeland Security Studies
Cato Institute
1000 Massachusetts Avenue, NW
Washington, DC 20001 USA
BFriedman@cato.org