peacefare.net

How serious is the cyber threat?

By now, Americans should be thoroughly acclimated to exaggerations of threat:  the Soviet threat was inflated, the Iraq weapons of mass destruction threat was inflated, and the global terrorism threat has been inflated.  Now we’ve got the Defense Science Board (DSB) and the Director of National Intelligence warning about cyber threats and the National Security Advisor fingering China.  So how serious is the situation, and how far should we go in responding to it?

Like all the threats that came before it, cyber sounds serious enough:  foreign powers could not only steal your emails and block your internet access but also disrupt power and water supplies, purloin valuable commercial secrets and render US military operations unusable, including our nuclear forces.  If you believe the newspapers, we know the Chinese are already grabbing emails from organizations they are interested in as well as intercepting commercially important plans and data.  We also know from the press that Israel and the US have used cyber attacks to slow the Iranian nuclear enrichment program, which suggests a capability to disrupt vital infrastructure.  Iranians are smart–if we’ve done something to them, you can be pretty sure they are trying to figure out how to do it to us.  The Chinese won’t be sitting on their laurels either.

The DSB gives this graphic description of the consequences of a full-spectrum cyber attack on US forces:

…attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.

But that is only the military piece.  A full-spectrum cyber attack would also target civilian systems:

The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio, or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. If the attack’s effects were reversible, damage could be limited to an impact equivalent to a power outage lasting a few days. If an attack’s effects cause physical damage to control systems, pumps, engines, generators, controllers, etc., the unavailability of parts and manufacturing capacity could mean months to years are required to rebuild and reestablish basic infrastructure operation.

While warning about the societal threats, the DSB focuses its recommendations on the Department of Defense.  Most of what they say seems reasonable to me, though I confess I find it difficult to imagine–as the DSB does–the use of nuclear weapons to deter an “existential” cyber attack.  We are going to threaten to nuke the nerds?  We are not even likely to know which country they’ve launched their attack from.

The DSB proposes a three-tiered response to cyberthreats:  defense, consequence management and deterrence.  Here is where things get hard.  Exaggeration of a threat is not in and of itself necessarily harmful, except insofar as it diverts resources from higher priorities.  But it is arguable that we’ve done more damage to ourselves responding to threats than the threats themselves were likely to do.  There aren’t too many people who think the Iraq war was worth it, since Saddam Hussein did not have nuclear weapons and we’ll be paying the trillion-dollar bill for decades.  The Soviet space threat got us excited enough to go to the moon, but how much good has that done for people in Peoria?

It would be easy to do serious damage to the openness of the internet and the social media it has spawned by too much concern about cybersecurity.  Lots of us are already struggling to remember all our damn passwords and usernames.  Adding levels of unnecessary security will make our entire economy less efficient and the benefits of openness more difficult to obtain.  I’m really not all that concerned with the Chinese reading my emails.  In fact, it might make them a bit less competitive than they would otherwise be.

I don’t mean to pooh-pooh the threat.  I only mean to urge us not to overreact.  Wisdom, not panic, should be the mood.  What really needs to be done to reduce the vulnerability of our vital infrastructure?  What are the cheapest and best means?  The DSB takes a “systems” approach.  That seems to me right:  rather than clamping down on everything, which is the natural bureaucratic reaction, lets look at what is most serious and deal with that first.  If our nuclear deterrent has to be protected from cyberattack, I’m all for it.  But let’s not treat my emails the same way.