John Mueller and Benjamin Friedman, The Cyberskeptics
January 3, 2012
This website collects and links writing challenging the popular notion that cyberdoom is approaching. In the last few years, concerns about cybercrime, cyberterrorism, and cyberwar have escalated dramatically in the United States. Billions of dollars are being thrown at these problems, and most of the discussion is alarmist in the extreme.
A major example is the 2010 book by Richard Clarke and Robert K. Knake, Cyberwar: The Next Threat to National Security and What to Do About It, which became a best seller. By 2011, Mike Mullen, then Chair of the Joint Chiefs of Staff, declaimed: "The biggest existential threat out there [as opposed to small existential threats, presumably] is cyber," and in 2012, his successor told a rapt audience at Harvard that "A cyber attack could stop our society in its tracks." Late in the year, Defense Secretary Leon Panetta sternly warned of an impending "digital Pearl Harbor."
The articles and papers summarized and linked below provide some balance to the discussion. The authors generally consider judicious efforts to secure technology and information systems against hacking and other malicious intrusions to be justified, but all believe that the threat has been greatly exaggerated, particularly as it pertains to national security. This website is intended to be a resource for those researching the topic and to demonstrate the flaws in the conventional story.
Below we give a brief biography for each author, a general summary of their writing on the issue, and links to those pieces.
1. Jerry Brito is a senior research fellow at the Mercatus Center, director of its Technology Policy Program, and adjunct professor of law at George Mason University.
Tate Watkins is a free-lance journalist.
Brito and Watkins question the factual claims generally offered to support the conclusion that cyberattacks are a massive new security danger, and highlight parallels between prior episodes of threat inflation by media, industry and government (the missile and bomber gaps in the Cold War and the run-up to the Iraq War) and what is currently occurring in cyber-security. They suggest that cybersecurity policy should be based on better evidence and on cost-benefit analysis.
Jerry Brito and Tate Watkins, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," Harvard National Security Journal, Vol. 3, No. 1 (April 26, 2011), pp. 39-84.
Jerry Brito and Tate Watkins, "The Cybersecurity-Industrial Complex," Reason, August/September 2011.
Jerry Brito and Tate Watkins, "Cyberwar Is the New Yellowcake," Wired, February 14, 2012.
2. Thomas Rid is Reader in War Studies at King's College London and a non-resident fellow at the Center for Transatlantic Relations in the School for Advanced International Studies at Johns Hopkins.
Rid rejects the term "cyber war," noting that cyber attacks have never fit all three characteristics necessary for an act of war: violence, instrumentality, and a political goal. Cyber attacks have always been espionage, sabotage, or subterfuge, falling into a gray area between war and criminality. He argues that cyber-war has never happened in the past or present and is unlikely to occur in the future.
Thomas Rid, "Cyber War Will Not Take Place," Journal of Strategic Studies, Vol. 35, No. 1 (February 2012), pp. 5-32.
Peter McBurney and Thomas Rid, "Cyber-Weapons," RUSI Journal, Vol. 157, No. 1 (February 29, 2012), pp. 6-13.
Thomas Rid, "Think Again: Cyberwar," Foreign Policy, March/April 2012.
Thomas Rid, Cyber War Will Not Take Place, book to be published by Hurst (London) in April 2013.
3. Mary Ellen O'Connell is Robert and Marion Short Professor of Law and Research Professor of International Dispute Resolution at the Notre Dame Law School.
O'Connell argues that we should move away from a military analogy in general and from Cold War deterrence in particular in dealing with cyber issues. International law rules governing economic activity and communications are the relevant ones for activity on the Internet. Applying them will result in the identification and application of rules with a far better chance of keeping the Internet open and safer for all.
Mary Ellen O'Connell, "Cyber Security without Cyber War," Journal of Conflict Security Law, Vol. 12, No. 2 (Summer 2012), pp. 187-209.
4. Bruce Schneier is a top security analyst and writes a blog with a readership in the hundreds of thousands.
Schneier argues that although cybersecurity is a national security issue, politically motivated cyber attacks are not a new phenomenon. He notes that, contrary to much reporting, Chinese hackers are almost exclusively unaffiliated with the Chinese government or military. He points out that most cyber attacks are easily prevented and that cyberterrorism is a media invention, not a present reality.
Bruce Schneier, "Threat of 'cyberwar' has been hugely hyped," CNN, July 8, 2010.
Bruce Schneier, "So-called cyberattack was overblown," Schneier on Security, July 13, 2009.
Bruce Schneier, "Chinese Cyberattacks: Myth or Menace?" Schneier on Security, July 2008.
5. Erik Gartzke is a political scientist at the University of California at San Diego.
Gartzke notes that cyberwar has been described as a revolution in military affairs, a transformation of technology and doctrine with the potential even to overturn the prevailing world order. However, to supplant existing modes of conflict, cyberwar must be capable of realizing the political objectives to which force or threats of force are commonly applied, and in important respects it fails to do so. In fact, it is much more likely to serve as an adjunct to, rather than a substitute for, existing forms of political violence. Moreover, far from a threat to existing hierarchies, it appears much more likely to augment the military advantages of status quo powers.
Erik Gartzke, "The Myth of Cyberwar: Bringing War on the Internet Back Down to Earth," Working paper.
6. Allan Friedman is research director of the Center for Technology Innovation at the Brookings Institution in Washington, DC.
Friedman sets out differences between various cybersecurity risks, differentiating especially national security concerns from those involving cybercrime. He advocates a risk management approach to these dangers, warning that many security efforts go too far and can overwhelm the benefits of information technology.
Allan Friedman, "Economic and Policy Frameworks for Cybersecurity Risks," Center for Technology Innovation at Brookings, July 21, 2011.
7. Ross Anderson is Professor of Security Engineering at the Computer Laboratory at the University of Cambridge in Britain.
In a conference paper, Anderson and his seven co-authors give a systematic accounting of the costs of cybercrime. They argue that its costs come largely from the attempts to protect against it, suggesting that resources now used to protect the web against cyber-criminals might be better spent on finding and arresting them.
Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, "Measuring the Cost of Cybercrime," Paper presented to the Workshop on the Economics of Information Security, June 2012.
Florencio and Herley have done careful statistical analyses of the measurements often used concerning cybercrime. They argue that the measures are severely biased and have substantially exaggerated the scope of the problem.
Dinêi Florencio and Cormac Herley, "The Cybercrime Wave That Wasn't," The New York Times, April 14, 2012.
Dinêi Florencio and Cormac Herley, "Sex, Lies and Cyber-crime Surveys," Microsoft Research, June 2011.
9. Sean Lawson is Associate Professor in the Department of Communication at the University of Utah.
Lawson has extensively assessed cyber-doom scenarios. His work empirically debunks the assumptions underlying overblown "cyber-doom" scenarios, particularly those about the damage from potential attacks and those about any resulting societal chaos.
Sean Lawson, "Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History," Mercatus Center, Vol. 10, No. 77 (January 2011).
Sean Lawson, "Cyberwar Hype Comes Under Increasing Scrutiny," Forbes, April 28, 2011.
10. Peter Sommer is Visiting Professor at De Montfort University and Visiting Reader in the Faculty of Mathematics, Computing and Technology, Open University.
Ian Brown is Senior Research Fellow at the Oxford Internet Institute and Associate Director, Cyber Security Centre, at the University of Oxford.
Their OECD monograph uses quantitative risk assessment to study the likely effects of various types of cyber-attacks and concludes that almost all cyber scenarios are unlikely to have global ramifications. They also identify areas that could use further incremental improvement to better prevent losses from cyber-security failures.
Peter Sommer and Ian Brown, "Reducing Systemic Cybersecurity Risk," Organization for Economic Cooperation and Development, January 14, 2011.
11. Jim Harper is an analyst at the Cato Institute in Washington, DC.
Harper's Congressional testimony urges a sober response to cyber threats and discusses problems, especially ones concerning civil liberties, related to regulation of the Internet as ardently proposed by cyber-alarmists. He focuses particularly on current cybersecurity legislation and possible market- or liability-based alternatives.
Jim Harper, "Assessing Cybersecurity Activities at NIST and DHS," The Cato Institute: Testimony, June 25, 2009.
12. Evgeny Morozov is currently at Stanford and at the New America Foundation in Washington.
Morozov argues that many cyber-security threats are either inherently minor or vastly overblown. He also discusses the murky legal issues around cyber attacks, such as liability and Geneva Convention considerations, and suggests that we should slow the offensive measures being researched in the United States and work instead to improve on the already considerable resilience of our internet infrastructure.
Evgeny Morozov, "Cyber-Scare: The exaggerated fears over digital warfare," Boston Review, July/August 2009.
Evgeny Morozov, "Battling the Cyber Warmongers," The Wall Street Journal, March 8, 2010.
13. Ryan Singel is a prominent columnist at Wired.
Ryan Singel debunks Clarke's claims about damage from hackers. He argues that none of the cyberattacks the United States has seen can qualify as cyberwar. He discusses the danger of fear-mongering by government officials promoting cybersecurity programs. He also points out the way alarmist rhetoric has encouraged legislation heightening surveillance of internet activity.
Ryan Singel, "Richard Clarke's Cyberwar: File Under Fiction," Wired, April 22, 2010.
Ryan Singel, "Is the Hacking Threat to National Security Overblown?" Wired, June 3, 2009.
Ryan Singel, "Cyberwar Hype Intended to Destroy the Open Internet," Wired, March 1, 2010.
14. Anne Stenersen is a think tank researcher in Norway.
15. Michael Kenney is a political scientist at the University of Pittsburgh.
16. Mette Eilstrup-Sangiovanni is a lecturer in the Department of Politics and International Studies and a Fellow in International Relations at Sidney Sussex College.
17. Calvert Jones is a PhD candidate at Yale University.
These authors all question the popular notion that terrorism has been greatly aided by the internet. They show that the internet does serve terrorists, like anyone, as a communication tool. However, terrorists take great risks of capture or disruption by organizing plots there, misinformation is rife online, and virtual terrorism training is far inferior to the traditional sort.
Anne Stenersen, "The Internet: A Virtual Training Camp?" Terrorism and Political Violence, Vol. 20, No. 2 (April 2008), pp. 215-233.
Michael Kenney, "Beyond the Internet: Metis, Techne, and the Limitations of Online Artifacts for Islamist Terrorists," Terrorism and Political Violence, Vol. 22, No. 2 (April 2010), pp. 177-197.
Mette Eilstrup-Sangiovanni and Calvert Jones, "Assessing the Dangers of Illicit Networks: Why al-Qaida May Be Less Dangerous Than Many Think," International Security, Vol. 33, No. 2 (Fall 2008), pp. 7–44.
Appendix: The Non-Digital Pearl Harbor
John Mueller is a political scientist at Ohio State University and a Senior Fellow at the Cato Institute in Washington, DC.
The cyber-alarmist literature constantly refers to the dangers of "a digital Pearl Harbor." In an article in International Security, Mueller examines the damage perpetrated at the actual Pearl Harbor. Although very commonly described as a "disaster" and "catastrophe," the 1941 attacks actually did very little lasting physical damage (beyond the lives lost). There was a dead loss of only two very old battleships, and almost all other damage was repaired in quite short order. Moreover, American industry soon supplied new ships and planes in enormous numbers, and the ability of the United States to enter the Pacific War was scarcely delayed. From a military perspective, the attack was essentially only an inconvenience. As many of the articles suggest, that would be the likely consequence of a digital attack.
John Mueller, "Pearl Harbor: Military Inconvenience, Political Disaster," International Security, Vol. 16, No. 3 (Winter 1991/92), pp. 172-203.
Ohio State University
1501 Neil Avenue
Columbus, Ohio 43201 USA
1000 Massachusetts Avenue, NW
Washington, DC 20001 USA
Research Fellow in Defense and Homeland Security Studies
1000 Massachusetts Avenue, NW
Washington, DC 20001 USA