The Cyberskeptics

This page collects and links writings that challenge the popular notion that cyber-doom is approaching. Concerns about cybercrime, cyberterrorism, and cyberwar have escalated dramatically in the United States. Billions of dollars are being thrown at these problems, and most of the discussion is alarmist in the extreme.

The articles and papers summarized and linked below provide some balance to the discussion. The authors generally support judicious efforts to secure technology and information systems against hacking, theft, and espionage but believe that the threat from cyberattacks has been greatly exaggerated.

Cyberwarfare     Cyberterrorism     Cybercrime     Appendix: A Digital Pearl Harbor



General Cyberwarfare

• Brandon Valeriano and Benjamin Jensen, "The Myth of the Cyber Offense: The Case for Restraint," Cato Institute Policy Analysis No. 862, January 15, 2019.

An empirical analysis of cyber incidents demonstrates that cyber is a relatively restrained domain with few aggressive attacks that seek a dramatic, decisive impact. A more offen-sively-oriented cyber posture, however, risks undermining norms around restraint.

• Joshua Rovner and Tyler Moore, "Does the Internet Need a Hegemon?" Journal of Global Security Studies, Vol. 2, Issue 3, 1 July 2017, Pages 184–203.

The fragility of the internet is relatively resilient and therefore does not require the United States to play the role of cyber hegemon in providing global public goods in cyberspace.

• Erica D. Borghard & Shawn W. Lonergan, "The Logic of Coercion in Cyberspace", Security Studies, Vol.26, No.3 (May 2017), pp. 452-481.

"Cyber power alone has limited effectiveness as a tool of coercion, although it has signifi-cant utility when coupled with other elements of national power."

Joseph S. Nye Jr., "Deterrence and Dissuasion in Cyberspace", International Security, Vol. 41, Issue 3, (Winter 2016/17), pp.44-71

Problems of attribution don’t necessarily undermine deterrence in cyberspace.

• Erik Gartzke & Jon R. Lindsay, "Weaving Tangled Webs: Offense, Defense, and Deception in Cyberspace," Security Studies, Vol.24, No. 2 (June 2015), pp. 316-348

Counter to the claim that cyberspace weakens deterrence and defense, the strategy of de-ception in cyberspace leads covert attackers to exercise restraint, while defenders can em-ploy deceptive concealment to confuse or ensnare aggressors.

• Jon R. Lindsay, "Tipping the Scales: The Attribution Problem and the Feasibility of Deterrence against Cyberattack," Journal of Cybersecurity, Vol. 1, Issue 1 (September 2015), pp. 53–67.

Deterrence in the cyber domain results in many low-value anonymous cyberattacks but few high-value ones. Reliance on deception provides some advantages to the attacker but undermines offensive coercion and creates risks for ambitious intruders.

• Brandon Valeriano and Ryan C. Maness, Cyber War versus Cyber Realities: Cyber Conflict in the International System (Oxford University Press, 2015).

Empirical analysis of cyber incidents demonstrates that the threat of cyberwarfare has been inflated. States tend to use cyberspace in a limited, low-intensity fashion, usually within al-ready-existing regional rivalries, that doesn’t produce long-term effects.

• Jon R. Lindsay, "The Impact of China on Cybersecurity: Fiction and Friction," International Security, Vol. 39, No. 3 (Winter 2014/2015), pp. 7-47.

The U.S.-China cyber relationship is more stable than it appears because for every Chinese advantage, there are also weaknesses to be exploited through the strengths of American ca-pabilities. Each country has incentives to moderate their actions in the cyber domain, which will likely keep the balance of power stable for the foreseeable future.

• Jon R. Lindsay, "Stuxnet and the Limits of Cyber Warfare", Security Studies, Vol.22, No.3 (August 2013) pp.365-404.

An empirical analysis of the Stuxnet attack challenges claims that the internet gives milita-rily weaker actors asymmetric advantages, that offense is becoming easier as defense gets harder, and that deterrence is weak in cyberspace. Also see Jon R. Lindsay, "Stuxnet Debate Continues: How Should Cyberweapons Be Used?" WebProNews, July 12, 2012

• Erik Gartzke, "The Myth of Cyberwar: Bringing War on the Internet Back Down to Earth," International Security, Vol. 38, No. 2 (Fall 2013), pp. 41–73.

Contrary to the argument that cyberwar is a revolution in military affairs with the potential even to overturn the prevailing world order, cyberattacks are more an adjunct to existing forms of political violence than a substitute.

• Ivanka Barzashka, "Are Cyber-Weapons Effective?", The RUSI Journal, Vol.158, No.2, (April 2013) pp. 48-56.

The 2010 Stuxnet attack on Iran’s uranium centrifuges failed to impose lasting damage, much less to sabotage, Iran’s nuclear enrichment program.

• Martin Libicki, "Don't Buy the Cyberhype," Foreign Affairs (online), August 16, 2013).

The United States can limit the risk of cyberattacks by assessing these risks in commercial software, as well as encouraging better IT systems management and the development of tools able to detect potential attacks.

• Mary Ellen O'Connell, "Cyber Security without Cyber War," Journal of Conflict Security Law, Vol. 12, No. 2 (Summer 2012), pp. 187-209.

We should move away from both military analogies and Cold War deterrence theories when we deal with cyber issues. International law governing economic activity and communications is more relevant to monitor activity on the internet.

• Thomas Rid, "Cyber War Will Not Take Place," Journal of Strategic Studies, Vol. 35, No. 1 (February 2012), pp. 5-32.

The term "cyber war" should be rejected. Cyber attacks never fit all three characteristics necessary for an act of war: violence, instrumentality, and a political goal. Cyber war has never happened and is unlikely to occur. See also Thomas Rid, "Think Again: Cyberwar," Foreign Policy, March/April 2012; Thomas Rid Cyber War Will Not Take Place.

• David Betz, "Cyberpower in Strategic Affairs: Neither Unthinkable nor Blessed," Journal of Strategic Studies, Vol. 35, No. 5 (2012), pp. 689-711.

Cyberattacks are can be quite costly, but anonymous attacks have limited effectiveness as a form of coercion. See also David Betz, "Cyber Power in Strategic Affairs: Neither Unthinkable nor Blessed," Geopoliticus (blog), Foreign Policy Research Institute, November 28, 2012. 

• Adam P. Liff, "Cyberwar: A New 'Absolute Weapon'? The Proliferation of Cyberwarfare Capabilities and Interstate War," Journal of Strategic Studies, Vol. 35, No. 3 (May 2012), pp. 401-428.

The untraceability and offensive bias of cyberweapons will notincrease either the frequency of interstate conflicts. Countries may possibly balance each other as well as mitigate potential large-scale confrontation by gaining cyberwarfare advantage.

• Jerry Brito and Tate Watkins, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," Harvard National Security Journal, Vol. 3, No. 1 (April 26, 2011), pp. 39-84.

Increased political attention to cybersecurity, along with the parochial interests of a public-private complex, have contributed to threat inflation. Also see Jerry Brito and Tate Watkins, "The Cybersecurity-Industrial Complex," Reason, August/September 2011; Jerry Brito and Tate Watkins, "Cyberwar Is the New Yellowcake," Wired, February 14, 2012.

• Allan Friedman, "Economic and Policy Frameworks for Cybersecurity Risks," Center for Technology Innovation at Brookings, July 21, 2011.

TThere are differences between various cybersecurity risks and a risk management approach can be applied to these dangers. However, that many security efforts could overwhelm the benefits of information technology.

• Sean Lawson, "Beyond Cyber-Doom: Cyberattack Scenarios and the Evidence of History," Mercatus Center, Vol. 10, No. 77 (January 2011).

Cybersecurity policy should be based on empirical evidence of threats. Modern technolo-gies and decentralized security providers are necessary to prevent cyberattacks.

• Peter Sommer and Ian Brown, "Reducing Systemic Cybersecurity Risk," Organization for Economic Cooperation and Development, January 14, 2011.

Quantitative risk assessment can be used to study the potential effects of various cyber-attacks. Almost all of them are unlikely to have global ramifications.

• Ryan Singel, "Richard Clarke's Cyberwar: File Under Fiction," Wired, April 22, 2010.

Debunks Richard Clarke’s claims about past damages caused by hackers and explains how this sort of alarmism could be a threat to internet openness. See also Ryan Singel, "Is the Hacking Threat to National Security Overblown?" Wired, June 3, 2009; Ryan Singel, "Cyberwar Hype Intended to Destroy the Open Internet," Wired, March 1, 2010.

• Evgeny Morozov, "Cyber-Scare: The Exaggerated Fears over Digital Warfare," Boston Review, July/August 2009.

The legal issues around cyber-attacks, such as liability and Geneva Convention considerations, are murky. The already considerable resilience of internet infrastructure can be improved. See also Evgeny Morozov, "Battling the Cyber Warmongers," The Wall Street Journal, March 8, 2010.


Cyberterrrorsm and Online Terrorism Training

• John Mueller, "The Cybercoaching of Terrorists: Cause for Alarm?," CTC Sentinel, Vol.10, Issue 9, October 2017, pp. 29-35.

The problem of "cybercoaching" potential terrorist recruits is typically a failure for terrorist organizations and much less of a national security threat than many observers claim.

• Kathy Gilsinan, "Is ISIS's Social-Media Power Exaggerated?," The Atlantic, February 23, 2015.

Scrutinizes the ability of groups like ISIS to radicalize young Muslims worldwide through social media, concluding that, while terrorist organizations sometimes use social media to great effect, the groups are mostly engaging with people that are already radicalized.

• Peter W. Singer, "The Cyber Terror Bogeyman," Armed Forces Journal, November 2012.

Fears of a cyber-terror attack are vastly overwrought. Cyberterrorism is a concern, but tar-geted attacks require expertise that terrorists lack.

• Michael Kenney, "Beyond the Internet: Metis, Techne, and the Limitations of Online Artifacts for Islamist Terrorists," Terrorism and Political Violence, Vol. 22, No. 2 (April 2010), pp. 177-197.

• Anne Stenersen, "The Internet: A Virtual Training Camp?" Terrorism and Political Violence, Vol. 20, No. 2 (April 2008), pp. 215-233.

• Mette Eilstrup-Sangiovanni and Calvert Jones, "Assessing the Dangers of Illicit Networks: Why al-Qaida May Be Less Dangerous Than Many Think," International Security, Vol. 33, No. 2 (Fall 2008), pp. 7–44.

The popular notion that terrorism has been greatly aided by the internet is questionable. Although the internet is a great communication tool, online terrorism training is unlikely

• Myriam Dunn Cavelty, "Cyber-Terror — Looming Threat or Phantom Menace? The Framing of the US Cyber-Threat Debate," Journal of Information Technology and Politics, Vol. 1, No. 4 (2007), pp. 19-36.

The fear of cyberterrorism is pervasive despite the fact that there are no confirmed in-stances of its occurrence. Needed is the adoption of a risk frame that focuses attention on probability.


Cybercrime

• Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage, "Measuring the Cost of Cybercrime," Paper presented to the Workshop on the Economics of Information Security, June 2012.

The costs of cyber-crime come largely from the attempts to protect against it, and this suggests that resources now used to protect systems against cyber-criminals might be better spent on finding and arresting them.

• Dinêi Florencio and Cormac Herley, "Sex, Lies and Cyber-crime Surveys," Microsoft Research, June 2011.

The way we measure cyber-crimes is biased and has substantially exaggerated the scope of the problem. See also Dinêi Florencio and Cormac Herley, "The Cybercrime Wave That Wasn't," The New York Times, April 14, 2012.

• Paul Ohm, "The Myth of the Superuser: Fear, Risk, and Harm Online," UC Davis Law Review, Vol. 41, No. 4 (April 2008), pp. 1327-1402.

Debates about cybersecurity often overemphasize the importance of so-called "superusers". These discussions, however, not only leave countries and individuals more vulnerable to these forms of cybercrime, but also induce them to waste important resources to prevent unrealistic threats.


Appendix: A Digital Pearl Harbor

• John Mueller, "Pearl Harbor: Military Inconvenience, Political Disaster," International Security Vol. 16, No. 3 (Winter 1991/92), pp. 172-203.

Militarily, the net damage perpetrated at Pearl Harbor was more nearly an “inconvenience” than a catastrophe. Byanalogy this suggests that a “digital Pearl Harbor” would also merely be an inconvenience, since we have the resources to readily recover from such a setback.