The Wall Street Journal reports that the Pentagon will soon release a policy document explaining what cyberattacks it will consider acts of war meriting military response. Christopher Preble and I warn against this policy in an op-ed up at Reuters.com:
The policy threatens to repeat the overreaction and needless conflict that plagued American foreign policy in the past decade. It builds on national hysteria about threats to cybersecurity, the latest bogeyman to justify our bloated national security state. A wiser approach would put the threat in context to calm public fears and avoid threats that diminish future flexibility.
Reuters headlined our piece: “A military response to cyberattacks is preposterous.” Actually, our claim is not that we should never use military means to respond to cyberattacks. Our point instead is that the vast majority of events given that name have nothing to do with national security. Most “cyberattackers” are criminals: thieves looking to steal credit card numbers or corporate data, extortionists threatening denial of service attacks, or vandals altering websites to grind personal or political axes. These acts require police, not aircraft carriers.
Even the cyberattacks that have affected our national security do not justify war, we argue. There is little evidence that online spying has ever done grievous harm to national security, thinly sourced reports to the contrary notwithstanding. In any case, we do not threaten war in response to traditional espionage and should not do so merely because it occurs online.
Moreover, despite panicked reports claiming that hackers are poised to sabotage our “critical infrastructure” — downing planes, flooding dams, crippling Wall Street — hackers have accomplished nothing of the sort. We prevent these nightmares by decoupling the infrastructure management system from the public internet. But even these higher-end cyberattacks are only likely to damage commerce, not kill, so threatening to bomb in response to them seems belligerent.
The Stuxnet worm shows that cyberattacks may indeed do considerable harm, perhaps someday killing on a scale akin to small arms. Attacks like that might indeed merit military response. But they remain hypothetical here.
Vague terms like “cyberattack” and the alarmist rhetoric that surrounds them confuse common nuisance attacks with theoretical tragic ones. The danger is militarized responses to criminal acts, foolish regulation, wasteful spending, or even needless war.
To learn about the exaggeration of cyberthreats, read these two articles from the Mercatus Center. For a good discussion of the policy options for dealing with the various cyberharms, see this 2009 congressional testimony from Jim Harper.