When the First Sentence is Wrong, Why Read On?

September 9, 2010 · 11 comments

Individuals, shadowy criminal organizations, and nation states all now have the capacity to devastate modern societies through computer attacks.

It’s simply not true.

The author must not know the meaning of “devastate,” which is, according to the handiest Web dictionary, “to lay waste; render desolate.”

There is no such capacity—anywhere—to do such damage through computer attacks, and the capacity of some actors to produce some inconvenience, to cause some economic harm, and perhaps to cause physical damage or injury—none of that justifies such a stupidly phrased sentence.

It’s the first line of the abstract to “An e-SOS for Cyberspace” by Temple University law professor Duncan Hollis. Almost certainly, given the overblown premise, it calls for overblown reactions.

This concludes my review of the first sentence of another fear-mongering cybersecurity paper.

  • Duncan Hollis

    As the author, I get the argument that I'm a Cassandra on cyberthreats. But let me respond by arguing that I DO think that high level attackers (see, e.g., US Cybercom, Chinese cyberforces, etc.) have developed capacities to devastate through attacks on SCADA systems and DDoS attacks that disable emergency phone services; and malware did apparently lead to SpanAir 5022's crash and perhaps AirFrance Flight 447 as well, so I'm not sure we haven't already seen some limited death and destruction from cyberthreats, and I'm hard pressed to believe the future will bring less of it.

  • http://ubiwar.com Tim Stevens

    You're missing the point of Jim's post, though. Your thesis as expressed in your comment still doesn't require the language you use to introduce your paper. In fact, it mitigates against it: disabling an emergency phone service does not devastate a modern society; that malware 'apparently' and 'perhaps' led to air crashes is not evidence of evil intent; limited death and destruction? You're not sure. You may even be right about the future but 'individuals, shadowy criminal organisations [always shadowy], and nation states' have no proven 'capacity to devastate' in the way you suggest.

    In fact, many cybersecurity writers would strengthen their arguments considerably if they toned down the alarmist rhetoric…

  • Duncan Hollis

    But the first sentence isn't my thesis; it simply tries to describe what I see as an increasingly hostile environment in cyberspace. My thesis is that existing rules regulating so-called cybercrime and cyberwar don't work because of the attribution problem. I also argue that getting rid of this attribution problem is not an option any more than the Russian idea to ban cyberweapons or proposals to adopt gov't monitoring or minimum security requirements that so infuriate the U.S. privacy lobby and civil libertarians. Instead, I argue that states should deal with cyberthreats by focusing on helping victims avoid or mitigate the harms that come from cyberthreats. I propose states think about adopting a duty to assist in cases of the most severe cyberthreats as a way to regulate and deter them. I use the SOS at sea as an example of a duty to assist that may map well onto the Internet.

    My point was simply to ask that a paper not be judged based on the merits of the first verb used in an abstract; a verb by the way that does not have to mean “to lay waste” or “to destroy” but which the handiest web dictionary also defines as “to overwhelm” or “to confound.” And I do think cyberthreats are pretty confounding to modern societies right now whether or not you agree with me that they can do more in terms of losses of life or real property damage. But thanks for at least engaging with me on the point.

  • http://ubiwar.com Tim Stevens

    OK, that's a fair point regarding the thesis of your piece. However, I was referring to your comment. I'd read your abstract before Jim wrote his post and had very similar thoughts, to be honest. If the abstract is meant to capture the flavour and argument of a paper then perhaps there's a divergence on this occasion. Given that almost all readers are liable to associate 'devastate' with the rather more dramatic images normally conjured up by the word, I think its alternative meanings are largely invisible, and that explanation is, forgive me, slightly disingenuous.

    Neither Jim nor I is deaf to the issues of cybersecurity yet I reiterate my point: by not frontloading respectable articles with language that in common usage does, like it or not, suggest scenarios of doom and destruction, writers on the topic could do themselves a favour and get a proper hearing on the meat of their theses, rather than on the trimmings.

  • Jim Harper

    Sorry for the delay in responding here. Busy day yesterday. Thanks both for your comments.

    I agree that the first sentence isn't your thesis, but a premise. It's so wildly overblown that it disqualified your paper from my reading list. There is no shortage of cybersecurity writing or fear-mongering boilerplate.

    Try diagramming that sentence: The object of the verb “to devastate” is “modern societies.” In your first comment here, you dropped that object because it's so obviously not true. Yes, computer attacks might “devastate” their direct victims, but those are only tiny parts of the society. (I searched for more definitions of “devastate” and it only got worse for you: “to reduce to chaos, disorder, or helplessness.” Again “societies” was the object of that verb.)

    Had you written, “Some individuals, shadowy criminal organizations, and nation states now have the capacity to harm modern societies through computer attacks,” that's obviously true. This reader might have read on, discovered your thesis, and considered its merits.

    Now you're the unfortunate stand-in for many in the “cybersecurity lobby” (tit for tat) who roll out false or exaggerated threat claims before making their policy arguments. But step one in risk management is risk characterization. If you're not characterizing risk well, why would anyone believe that the rest of your thinking, including your policy conclusions, are going to be any better?

  • Duncan Hollis

    So, the paper gets read if I replace “devastate” with “harm” in the abstract? Done. After all, that's why I posted it in draft form (although the change will take a few days to show up on SSRN).

    I get the sense Jim from your original post and the follow-on comments that we may be operating under slightly different social norms when it comes to scholarship. As you may know, for legal scholarship–which this is–authors often post a paper in draft form for feedback and critiques before finalizing it. Although I still don't think “devastate” has as narrow a meaning as you ascribe to it, I DO think my duty to assist idea is a novel and potentially important solution to severe cyberthreats. And I'm not about to let it die on the vine because of a debate about my choice of verbs in the first sentence of an abstract targeted primarily at the editors of the various student-edited law reviews that are considering this piece for publication.

    I also resist the idea that I am in any way affiliated with a cybersecurity lobby or am in the business of risk characterization. Rather, I'm an international lawyer critiquing existing international legal responses to cyberthreats as inadequate and suggesting a new form of legal response (a new form I'd add that avoids many of the privacy and libertarian objections that I understand you and others to have made). Your decision to make my paper a stalking horse in some tit-for-tat exchange with cybersecurity experts is thus off the mark. Whatever scholarship cybersecurity experts may have authored has little to say about my piece–a work of legal scholarship. And, if you check, you'll find that within legal scholarship there actually IS a shortage of work on severe cyberthreats (topics like cyberprivacy, IP, and cybercrime, are different matters). Thus, I'd encourage you and others to actually READ my paper. I'm not fear-mongering, but sincerely interested in trying to figure out a way for law to do a better job of avoiding and deterring the most severe harms that cyberthreats may cause. Now maybe you are already too invested in your initial reaction to my abstract, but I'll hold out some hope that once you actually read my paper you'll see my idea is more nuanced and important than your first reaction allowed.

  • Jim Harper

    Glad to hear that you'll change the language. Sorry that you had to be made an example of. (“Fear the blog post,” I'm often fond of joking.)

    We are acting under different social norms. I work in the policy arena, where proposals like yours are turned into law and regulation. In the political arena, where election is the goal, and in writing for law reviews, where acceptance for publication is the goal, speakers/authors have strong incentives to inflate the problems they're addressing, be they cybersecurity, online child predation, terrorism, environmental concerns etc. etc.

    As ideas produced by politicians and law professors make their way into policy, I have to fight back against threat exaggeration in order to promote balanced policies. Otherwise, people take as givens the exaggerated problem statements they used to get elected/published, and they produce policies that are excessive responses to the real problem, more costly than they should be in a number of ways—dollars, privacy, civil liberties, for example. The country is worse off, not better off, when threat exaggeration produces over-response.

    As to the question of who's part of a “lobby,” you referred to a “privacy lobby,” a phrase that implies there's some organized, self-interested, perhaps moneyed group that is pursuing goals from crass motivations rather than the best interests of the country. My tit-for-tat was to make you part of the “cybersecurity lobby.” There's no “lobby” for either interest, of course, just a lot of people pursuing their interests and what they believe to be the best interests of the country (typically in that order).

    But I disagree with your desire to separate yourself from the obligation to think in terms of risk management, or to claim that you're only doing legal scholarship. Public policy is something you can deny participation in, but you can't actually not participate. If you promote exaggerated threats in a publicly posted paper, you're part of the public policy conversation, and I'll use you as an example to discourage threat exaggeration.

  • Duncan Hollis

    Jim — thanks for your response. I look forward to any comments you may have on my actual paper and the e-SOS idea I advocate. Of course, I recognize that I'm participating in a public policy exchange. My point about risk management was simply that I'm taking the risks others have identified, and the legal responses thereto, and assessing them. I don't pretend to have the technical or empirical skills to calculate those risks myself. Maybe you do. Instead, I start with a general premise — cyberthreats are a problem. If you read the actual paper–instead of the abstract that's been the focus of our discussions–you'll also see that I try to give a balanced account of how others have assessed cyberthreats, and the disagreements that exist in how large a threat they pose. From there, I'm looking at the legal solutions that currently address this problem (and others that have been proposed), and suggesting they are inadequate and require new thinking. My paper is a take at such new thinking.

    That said, I don't want to clog up your comments section any more than I already have, so I'm happy to discuss these ideas further off-line if you're interested.

  • Pingback: Post-Event Cyber Deterrence By Denial? « ubiwar :: conflict in n dimensions

  • Purpleslog

    Ummm… “I get the argument that I'm a Cassandra on cyberthreats” … I didn't get that from any commentator here. Cassandra was correct, just misunderstood. The commentators here are suggesting you are wrong and dislike your use of FUD-ish language.

  • Pingback: If the Premises are Wrong, Why Read On?
