Washington is in the midst of debating something called “cybersecurity.” But that term actually includes several very separate and distinct problems that call for very different solutions. Not only does conflating them confuse the issue — it also has very distinct political consequences. So let’s unpack the separate meanings of the term.
1. Criminal and malicious online behavior
As every computer owner knows, internet security is a very real problem for individual households and businesses. The open architecture of computers and the internet has led to an explosion of innovation, collaboration, and creativity — but the very openness that has fuelled so much innovation has also made us vulnerable to viruses, spyware, and other forms of malware. These problems are endemic among home computers and among a surprising number of professionally managed institutional machines as well. Much of this is due to the failure to perform basic computer security.
2. Espionage
Foreign governments have always tried to steal U.S. secrets — just as we have tried to steal theirs in the endless game of spy vs. spy. And of course if they can use the internet to do so, they will. Corporate espionage, meanwhile, may also be a problem, though that too is something that has always taken place, and always will, as competitors try to erase their rivals’ advantages in the marketplace.
3. Potential attacks on critical infrastructure (“cyberterrorism” or “cyberwar”)
Entirely separate from the day-to-day malware attacks and our intelligence agencies’ efforts to keep information out of public hands is the frightening image of terrorists using computer keyboards around the world to spill blood in the streets of America. Some of the more alarmist commentators have painted pictures of nuclear meltdowns, dams sweeping away towns, or chemical clouds billowing over cities. Others have warned about the danger of cyberattacks taking down the U.S. communications or financial systems. Such an attack has never taken place, and the truth is that no one knows how real this risk is. There has been much hype and exaggeration surrounding these scenarios. That certainly does not mean the possibility should be ignored — to the contrary, sensible policies should be enacted to prevent it, such as making sure dams and nuclear power plants are not connected to the internet. But there is simply no basis for declaring that such possibilities are an “existential threat” to the nation, as a top FBI agent has asserted.
Closely intertwined with the discussion of cyberterrorism is talk of the (also hypothetical) scenario of “cyber warfare.” Cyberwar is a poorly defined concept, many aspects of which are still being debated, including the circumstances under which an attack on our critical infrastructure might be considered an act of war. But insofar as the concept involves defending against critical infrastructure attacks using the public internet, the issues raised are not significantly different from those involved with “cyberterrorism.”
The political effects of conflating separate threats
I am far from the first person to point out the entirely different meanings that make up the term cybersecurity (see here for example). But it’s important to recognize the political consequences of conflating these separate problems. By doing so, the security establishment and cybersecurity industry are able to cast cybersecurity as a problem that is both very real and extremely dangerous. But problems that are real — criminal and malicious online behavior — are not a threat to the nation, and problems that are a threat to the nation — “cyberterrorism” or “cyber warfare” attacks that do significant physical damage — remain hypothetical:
| | Fact? | Terrifying? |
|---|---|---|
| Everyday criminal malware | Yes | No |
| Cyber-terrorism or cyberwar | No | Yes |
| Blended “cybersecurity” | = Yes | = Yes |
Distributed denial-of-service (DDoS) attacks, for example, are a genuine problem. At the same time, temporarily flooding the Treasury Department’s web site with traffic hardly amounts to a critical threat to national security. Yet DDoS attacks, basic and unsophisticated as they may be, are frequently discussed in the grandest geopolitical national security terms, such as the alleged North Korean 2009 “cyber blitz” against the United States (which researchers later said actually appeared to have originated in Great Britain, or possibly Florida), or the over-hyped 2007 “cyber war” against the nation of Estonia.
We can’t have a rational debate or strike an appropriate balance of interests when everyday cybersecurity issues are blurred together with national security matters in this way, leading to hype and exaggeration and investing the issue with more weight and grandeur than it seems to merit.
We’ll be posting about cybersecurity all week.