From The Hill this weekend:
But James Lewis, the director of the Technology and Public Policy Program at the Center for Strategic and International Studies, said “no serious analyst doubts the risk anymore” of a cyber attack.
"There are people who are naturally skeptical about anything the government says and there are the ones who are paid to be skeptical," Lewis said, but he claimed almost everyone else has accepted the seriousness of the situation.
Since I’m the only other person quoted in the story—making the case that the threat of a catastrophic cyberattack has been exaggerated—that statement can be read as applying to me. I’m certainly naturally skeptical of government (for good reason, I think), and to the extent my organization is also generally skeptical of government, I guess I am paid to be skeptical of government. But the implication that I wouldn’t advocate skepticism of government but for payment is insulting. And it also has nothing to do with whether the cyber threat has been blown out of proportion and whether we should be skeptical of such threat inflation.
On that front, I’d like to quote at length from a fantastic 2006 San Francisco Chronicle piece entitled, “The War on Hype,” that might as well have been written by me. It is by a certain James A. Lewis:
Or cyber terror. In 1995, the first in a long series of warnings of an “electronic Pearl Harbor” was made. Although terrorists have launched many attacks since 1995, none has involved cyber terror.
The closest thing to a cyber attack occurred in Australia, when a disgruntled employee who had designed the computer system for a sewage treatment plant was able to penetrate the network after 49 consecutive attempts that went unnoticed and release raw sewage. The government report on the incident says this produced an unbearable smell for several days. Residents were unhappy, but able to control their terror.
Cyber terror was at first suspected in the 2003 Northeast blackout. The cause turned out to be incompetence and falling trees. The widespread blackout did not degrade U.S. military capabilities, did not damage the economy, and caused neither casualties nor terror.
One lesson to draw from this is that large, modern economies are hard to defeat. Their vulnerability — to cyber attack or dirty bombs or the other exotic weapons — is routinely exaggerated.
Yes, computer networks are vulnerable to attack, but nations are not equally vulnerable. Countries like the United States, with its abundance of services and equipment and the ability and experience in restoring critical functions, are well equipped to overcome an attack.
Yes, that’s the very point I was making in the Hill article, and which I’ve been making in my writing the last couple of years. But wait, there’s more.
What explains this discrepancy between risk and perception?
During the cold war, analysts became accustomed to thinking about horrible things that never happened — from nuclear winter to atomic war. This willingness to suspend disbelief has carried over to the war on terrorism.
When the cold war ended, the United States reassessed what kinds of threats it would face in the future. A series of influential commissions concluded that new kinds of opponents would use asymmetric attacks and unconventional weapons against the American homeland. They would attack vulnerable civilian targets, as no one could challenge the U.S. military and win.
This assessment proved, unfortunately, to be correct, but its corollary — that the new opponents would use unconventional weapons like cyber or bio — missed the mark.
There are important differences between experts and terrorists. Experts imagine exotic attack scenarios. Terrorists are conservative. They prefer guns and bombs.
There’s even a hint of how threat inflation can hurt policymaking:
The media, particularly television, prefers to translate complex risks into simple and dramatic tales. Eighty-three people dying in six years is tragic, but not news. Deadly chickens sweeping out of China to infect millions appeals to alarmism and anxiety and attracts audiences and talking heads.
A changing American political culture makes our leaders more anxious. Since the 1960s, the U.S. government has become progressively more cautious and risk-averse. …
Exaggerated concerns shape our spending and strategies for counterterrorism and public health (even if our implementation of these strategies is at times so lax as to appear to welcome risk with open arms).
It’s good to know that a serious analyst can doubt the risks associated with cyberattack. If Dr. Lewis has changed his views on the threat posed by cyber, I’m sure it’s the result of extensive investigation and careful reflection, and not for any other reason. More to the point, it doesn’t matter. Bringing up motives is what you do when you can’t counter an argument.