Top men tell us that dark forces -- China, Russia, criminal elements, spies, terrorists, and hackers -- are burrowing deep into America's digital infrastructure, looking to exploit weaknesses, wreck security and cause mayhem. Last month, CIA Director Leon Panetta testified to Congress that "the potential for the next Pearl Harbor could very well be a cyber-attack," adding to a list of terrifying analogies used to describe the cyber peril, "Cyber 9/11" and "Cyber Armageddon" among them. And the future looks bleak. As former Director of National Intelligence (DNI) Michael McConnell wrote a year ago, "The United States is fighting a cyber-war today, and we are losing. It's that simple."
These are smart individuals with weighty responsibilities, but with respect to the threat from cyberspace, they are also crummy rhetoricians. Comparisons to traumatic national events by identified enemies focus on the binary of us-vs-them, distorting the way to tackle this complex problem. As Stuxnet, WikiLeaks, and subsequent hacker initiatives indicate, the fight is indeed on for control of the global cybercommons. However, as top DHS officers recently noted, cyberspace is "not a war zone." Scripting a cinematic showdown, where a digital Wyatt Earp loads his pistol with ones and zeroes and blows away the bad guys at the Cyber OK Corral, is terribly misleading.
Abusing analogies in the service of advocacy understates the impact of real life-or-death situations. During the 9/11 and Pearl Harbor attacks, thousands of Americans were killed, millions of dollars of property was damaged, and the national pride was hurt. In response to both situations, the US significantly reorganized its defenses and lashed out violently against its enemies. In contrast, the April 2010 rerouting of US government and business computer IP addresses to China for several minutes made few headlines. Few if any Americans have perished as a direct result of a cyberattack and the US government has yet to reorient itself to address these challenges in a systematic, comprehensive manner.
Why will it only take a mass-casualty event within the US to create this complete change in attitude? In recent Congressional testimony, current DNI General James Clapper provided one answer, if indirectly: cyberthreats do not yet compromise core national security interests. He assessed that the threats from cyberspace fell into three major subjects: Criminal Acts; Infrastructure Vulnerabilities; and Foreign Espionage. Let's quickly examine each issue:
Criminal Acts: General Clapper noted that the use of malicious software ('malware') is rapidly rising, costing global businesses almost $1 trillion in 2008. These numbers are terrifying, but they include ill-defined international intellectual property theft violations and data loss. That number rises through some measure of industry sleight-of-hand, where buying a pirated $1 CD in Bangkok is deemed equivalent to stealing $15 from a US-based record company. As Harvard Business School professor Fritz Foley told the US International Trade Commission in July 2010, "Be careful about using information the multinational [companies] provide you. I would imagine they have an incentive to make the losses seem very, very large."
"Half of all US computers" are compromised with malware, perhaps including the one you are currently using to read this article. The question here is, again, a question of intent and scale. Digital thieves and misanthropes are more akin to muggers and corporate saboteurs than the hundreds of fighters, bombers, and torpedo planes in the service of the circa 1941 Imperial Japanese Navy. There is certainly a threat here, but the complexities of life in the digital age do not boil down to a simple metaphor.
Infrastructure Vulnerabilities: General Clapper said the US relies on cyberspace for basic infrastructure-related tasks including "power, energy distribution, transportation, [and] manufacturing." He additionally noted that Americans are moving their personal and professional worlds online.
The difficulty with General Clapper's assertion isn't that he is incorrect; rather, the issue is that the US needs to upgrade its basic infrastructure regardless of cyber threats. As the American Society of Civil Engineers noted in 2009, US physical infrastructure is already in overall "poor" condition, and requires over $2 trillion over the next half-decade to raise everything -- from dams to roads to the electrical grid -- to a "good" condition. What metaphor would fix those?
In a time when many political leaders have called for drastic cuts in nondiscretionary spending, reinvesting in complex, unsexy infrastructure systems and their slightly sexier digital cousins will likely fall by the budgetary wayside. House Majority Leader Eric Cantor stated in January, "We've got to learn how to prioritize and do more with less in all areas of government." If physical infrastructure serves as a precedent, even terrible low-casualty accidents like 2007's lethal collapse of the I-35 bridge in Minneapolis do not spur national action.
Foreign Espionage: Clapper said, "The cyber environment provides unprecedented opportunities for adversaries to target the US due to our reliance on information systems." They have been compromised in the past, such as when the Pentagon's unclassified computer system was breached in 2008. According to the ODNI's counterintelligence outfit, the National Counterintelligence Executive (NCIX), the main threat to US systems, however, remains the "insider threat" -- traitors within the system -- and not far-removed cyberspies.
In any case, the US government retains powerful (if untested and classified) weapons that are meant to deter foreign governments from launching a new digital Pearl Harbor. An attack from another nation-state that leads to significant death and destruction will unleash the full fearsome power of the Pentagon, as well as the offensive capabilities of America's various intelligence agencies. This, however, would be an actual war with actual dead Americans.
Finally, in their Congressional testimony, neither Clapper nor National Counterterrorism Center Director Michael Leiter could muster a single incident where terrorists had used the Internet to carry out attacks -- the so-called 'cyberterrorism' threat. While terrorists indeed use websites and email to disseminate propaganda and recruit followers, countering them all is like fighting a mosquito with a sledgehammer. Furthermore, successful execution of these efforts requires considerable coordination across multiple agencies. Otherwise the US can end up fighting itself -- as it did in 2008 when the military forcibly shuttered a jihadist website that was allegedly a joint CIA-Saudi effort to lure extremists in order to gather intelligence, thwart terror plots and make arrests.
Instead of relying upon faulty, alarmist comparisons, policymakers should discard metaphors completely and focus upon seeing cyberspace for what it is -- a complicated, interconnected decentralized network of networks over which the US government only has some degree of control. Deploying frequent incendiary analogies about war and death is counterproductive to producing long-term public-private results that will keep America and Americans safer -- perhaps not completely safe, but safer out there in the digital badlands.