John Mueller and Benjamin Friedman, The Cyberskeptics
September 2, 2013
This website collects and links writing challenging the popular notion that cyberdoom is approaching. In the last few years, concerns about cybercrime, cyberterrorism, and cyberwar have escalated dramatically in the United States. Billions of dollars are being thrown at these problems, and most of the discussion is alarmist in the extreme.
A major example is the best-selling 2010 book by Richard Clarke and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It. By 2011, Mike Mullen, then Chair of the Joint Chiefs of Staff, declaimed: "The biggest existential threat out there [as opposed to small existential threats, presumably] is cyber," and in 2012, his successor told a Harvard audience that "A cyber attack could stop our society in its tracks." Late in the year, Defense Secretary Leon Panetta sternly warned of an impending "digital Pearl Harbor."
The articles and papers summarized and linked below provide some balance to the discussion. The authors generally support judicious efforts to secure technology and information systems against hacking, theft, and espionage but believe that the national security threat from cyberattacks has been greatly exaggerated. The articles are categorized by subject, though most of them touch on several of the topics...
- Jerry Brito and Tate Watkins question the factual claims generally offered to support the conclusion that cyberattacks are a massive new security danger and highlight parallels between prior episodes of threat inflation by media, industry and government — the missile and bomber gaps in the Cold War and the run-up to the Iraq War — and what is currently occurring in cyber-security. They suggest that cybersecurity policy should be based on better evidence and on cost-benefit analysis.
Jerry Brito and Tate Watkins, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," Harvard National Security Journal, Vol. 3, No. 1 (April 26, 2011), pp. 39-84.
Jerry Brito and Tate Watkins, "The Cybersecurity-Industrial Complex," Reason, August/September 2011.
Jerry Brito and Tate Watkins, "Cyberwar Is the New Yellowcake," Wired, February 14, 2012.
- Allan Friedman sets out differences between various cybersecurity risks, differentiating especially national security concerns from those involving cybercrime. He advocates a risk management approach to these dangers, warning that many security efforts go too far and can overwhelm the benefits of information technology.
Allan Friedman, "Economic and Policy Frameworks for Cybersecurity Risks," Center for Technology Innovation at Brookings, July 21, 2011.
- Jim Harper's Congressional testimony urges a sober response to cyber threats and discusses problems, especially concerning civil liberties, related to the sorts of internet regulation proposed by cyber-alarmists. He discusses market- or liability-based alternatives to proposed regulations.
Jim Harper, "Assessing Cybersecurity Activities at NIST and DHS," Testimony before the Subcommittee on Technology & Innovation, Committee on Science and Technology, United States House of Representatives, June 25, 2009.
- Sean Lawson examines hypothetical scenarios often said to result from cyberattacks, and finds that such scenarios are unrealistic. Lawson argues that cybersecurity policy should be based not on worst-case scenarios but rather on empirical evidence of threats, and it should allow decentralized responses by various security providers.
Sean Lawson, "Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History," Mercatus Center, Vol. 10, No. 77 (January 2011).
Sean Lawson, "Cyberwar Hype Comes Under Increasing Scrutiny," Forbes, April 28, 2011.
- Evgeny Morozov argues that most cybersecurity threats are either inherently minor or vastly overblown. He also discusses the murky legal issues around cyber attacks, such as liability and Geneva Convention considerations, and suggests that we should slow the offensive measures being researched in the United States and work instead to improve on the already considerable resilience of internet infrastructure.
Evgeny Morozov, "Cyber-Scare: The Exaggerated Fears over Digital Warfare," Boston Review, July/August 2009.
Evgeny Morozov, "Battling the Cyber Warmongers," The Wall Street Journal, March 8, 2010.
- Bruce Schneier argues that a political struggle for control of cybersecurity is generating alarming stories about the cyber dangers. The military, by framing online acts that are actually hacking, espionage, theft, or political activism as war, is coming out on top of that struggle. The security of its online information is certainly a valid military function, but by surrendering to the notion that we are now fighting a cyberwar, we needlessly sacrifice power over networks to the government and foster a sense of helplessness.
Bruce Schneier, "Threat of 'Cyberwar' Has Been Hugely Hyped," CNN, July 8, 2010.
Bruce Schneier, "So-called Cyberattack Was Overblown," Schneier on Security, July 13, 2009.
Bruce Schneier, "Chinese Cyberattacks: Myth or Menace?" Schneier on Security, July 2008.
- Ryan Singel's review debunks Richard Clarke's claims about the past damage that hackers caused, especially about major power outages, and Clarke's lurid predictions about future cyberattacks. He argues that while some of Clarke's regulatory suggestions are sensible, this sort of alarmism encourages overreactions that threaten the openness of the internet.
Ryan Singel, "Richard Clarke's Cyberwar: File Under Fiction," Wired, April 22, 2010.
Ryan Singel, "Is the Hacking Threat to National Security Overblown?" Wired, June 3, 2009.
Ryan Singel, "Cyberwar Hype Intended to Destroy the Open Internet," Wired, March 1, 2010.
- Peter Sommer's and Ian Brown's OECD monograph uses quantitative risk assessment to study the likely effects of various types of cyber-attacks and concludes that almost all are unlikely to have global ramifications. They identify areas that could use incremental improvements to prevent losses from cybersecurity failures.
Peter Sommer and Ian Brown, "Reducing Systemic Cybersecurity Risk," Organization for Economic Cooperation and Development, January 14, 2011.
- Erik Gartzke notes that cyberwar has been described as a revolution in military affairs with the potential even to overturn the prevailing world order. To supplant existing modes of conflict, however, cyberwar must be capable of realizing the political objectives to which force or threats of force are commonly applied, and it largely fails to do so. Cyberattacks are more an adjunct to existing forms of political violence than a substitute. Rather than helping to supplant existing powers, these capabilities will likely protect them by augmenting their military advantages.
Erik Gartzke, "The Myth of Cyberwar: Bringing War on the Internet Back Down to Earth," a version of this paper will soon be published in International Security.
- Martin Libicki argues that cyber attacks are not the great threat that they are often said to be, and that their main danger to U.S. national security comes from overwrought U.S. responses. He contends that making war in response to a cyber attack would be foolish, and that a prudent counter-cyber strategy avoids unnecessary red lines. The United States, he argues, can limit the risk of cyberattacks by identifying risks in commercial software and encouraging better IT systems management and the development of tools to quickly detect and thwart attacks.
Martin Libicki, "Don't Buy the Cyberhype," Foreign Affairs (Online), August 16, 2013.
- Mary Ellen O'Connell argues that we should move away from a military analogy in general and from Cold War deterrence in particular in dealing with cyber issues. International law governing economic activity and communications is more relevant for activity on the internet.
Mary Ellen O'Connell, "Cyber Security without Cyber War," Journal of Conflict Security Law, Vol. 12, No. 2 (Summer 2012), pp. 187-209.
- Thomas Rid rejects the term "cyber war," noting that cyber attacks never fit all three characteristics necessary for an act of war: violence, instrumentality, and a political goal. Cyber attacks have always been espionage, sabotage, or subterfuge, falling into a gray area between war and criminality. He argues that cyber-war has never happened and is unlikely to occur.
Thomas Rid, "Cyber War Will Not Take Place," Journal of Strategic Studies, Vol. 35, No. 1 (February 2012), pp. 5-32.
Peter McBurney and Thomas Rid, "Cyber-Weapons," RUSI Journal, Vol. 157, No. 1 (February 29, 2012), pp. 6-13.
Thomas Rid, "Think Again: Cyberwar," Foreign Policy, March/April 2012.
Thomas Rid, Cyber War Will Not Take Place (London: Hurst, 2013).
- Brandon Valeriano and Ryan Maness study government-to-government cyber conflict between 2001 and 2011. They find that cyber disputes are rare and have a minimal impact on their targets. They argue that the ease of attacks actually induces mutual restraint, and that the exaggerated threat of cyber warfare does not require a reorientation of security strategies.
Brandon G. Valeriano and Ryan Maness, "The Dynamics of Cyber Conflict between Rival Antagonists, 2001-2011" (Working Paper).
Brandon Valeriano and Ryan Maness, "The Fog of Cyberwar: Why the Threat Doesn't Live Up to the Hype," Foreign Affairs (Online), November 21, 2012.
- Ross Anderson and his co-authors give a systematic accounting of the costs of cybercrime. They argue that its costs come largely from the attempts to protect against it, suggesting that resources now used to protect the web against cyber-criminals might be better spent on finding and arresting them.
Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, "Measuring the Cost of Cybercrime," Paper presented to the Workshop on the Economics of Information Security, June 2012.
- Dinêi Florencio and Cormac Herley conduct statistical analyses of the measurements often used concerning cybercrime. They argue that the measures are biased and have substantially exaggerated the scope of the problem.
Dinêi Florencio and Cormac Herley, "Sex, Lies and Cyber-crime Surveys," Microsoft Research, June 2011.
Dinêi Florencio and Cormac Herley, "The Cybercrime Wave That Wasn't," The New York Times, April 14, 2012.
Cyberterrorism and online terrorism training
- Peter W. Singer argues that fears of a cyberterror attack are vastly overwrought. Cyberterrorism has never killed anyone and has done little material damage. While cyber terrorism is worth some concern, sophisticated Stuxnet-like attacks require expertise that terrorists lack. Terrorists tend to use the internet as other groups do, for communications, networking, and marketing. That makes them vulnerable to government tracking and disruption.
Peter W. Singer, "The Cyber Terror Bogeyman," Armed Forces Journal, November 2012.
- Mette Eilstrup-Sangiovanni, Calvert Jones, Michael Kenney and Anne Stenersen all question the popular notion that terrorism has been greatly aided by the internet. They show that while the internet does serve terrorists as a communication tool, terrorists must take great risks of capture or disruption by organizing plots online, misinformation is rife online, and virtual terrorism training is far inferior to the traditional sort.
Mette Eilstrup-Sangiovanni and Calvert Jones, "Assessing the Dangers of Illicit Networks: Why al-Qaida May Be Less Dangerous Than Many Think," International Security, Vol. 33, No. 2 (Fall 2008), pp. 7–44.
Michael Kenney, "Beyond the Internet: Metis, Techne, and the Limitations of Online Artifacts for Islamist Terrorists," Terrorism and Political Violence, Vol. 22, No. 2 (April 2010), pp. 177-197.
Anne Stenersen, "The Internet: A Virtual Training Camp?" Terrorism and Political Violence, Vol. 20, No. 2 (April 2008), pp. 215-233.
Appendix: The Non-Digital Pearl Harbor
- The cyber-alarmist literature constantly refers to the dangers of "a digital Pearl Harbor." John Mueller examines the damage perpetrated at the actual Pearl Harbor. Although very commonly described as a "disaster" and "catastrophe," the 1941 attacks actually did very little lasting physical damage (beyond the lives lost). There was a dead loss of only two very old battleships, and almost all other damage was quickly repaired. American industry soon supplied new ships and planes in enormous numbers, and the ability of the United States to enter the Pacific War was scarcely delayed. From a military perspective, the attack was essentially an inconvenience. As many of the articles above suggest, that would be the likely consequence of a digital attack.
John Mueller, "Pearl Harbor: Military Inconvenience, Political Disaster," International Security Vol. 16, No. 3 (Winter 1991/92), pp. 172-203.
Senior Research Scientist
Ohio State University
1501 Neil Avenue
Columbus, Ohio 43201 USA
1000 Massachusetts Avenue, NW
Washington, DC 20001 USA
Research Fellow in Defense and Homeland Security Studies
1000 Massachusetts Avenue, NW
Washington, DC 20001 USA