Over the past few years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cybersecurity threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.
The rhetoric of “cyber doom” employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation.
Threat inflation, according to Thrall and Cramer, is a concept in political science that refers to “the attempt by elites to create concern for a threat that goes beyond the scope and urgency that a disinterested analysis would justify.” Different actors—including members of Congress, defense contractors, journalists, policy experts, academics, and civilian, military, and intelligence officials—will each have their own motives for contributing to threat inflation. When a threat is inflated, the marketplace of ideas on which a democracy relies to make sound judgments—in particular, the media and popular debate—can become overwhelmed by fallacious information. The result can be unwarranted public support for misguided policies.
The run-up to the Iraq War illustrates the dynamic of threat inflation. After 9/11, the Bush Administration decided to invade Iraq to oust Saddam Hussein. Lacking any clear casus belli, the administration sought popular and congressional support for war by promoting several rationales that ultimately proved baseless.
Over the past two years, there has been a drive for increased federal involvement in cybersecurity. This drive is evidenced by the introduction of several comprehensive cybersecurity bills in Congress, the initiation of several regulatory proceedings related to cybersecurity by the Federal Communications Commission and Commerce Department, and increased coverage of the issue in the media. The official consensus seems to be that the United States is facing a grave and immediate threat that only quick federal intervention can address. This narrative has gone largely unchallenged by members of Congress or the press, and it has inflated the threat.
There is very little verifiable evidence to substantiate the threats claimed, and the most vocal proponents of a threat engage in rhetoric that can only be characterized as alarmist. Cyber threat inflation parallels what we saw in the run-up to the Iraq War.
Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well.
In our new working paper, Tate Watkins and I draw a parallel between today’s cybersecurity debate and the run-up to the Iraq War and look at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. We also draw a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and look at how unwarranted external influence can lead to unnecessary federal spending. Finally, we survey several federal cybersecurity proposals and present a framework for policy makers to analyze the cybersecurity threat.
Over the next few days I’ll be excerpting the paper here and would love your thoughts and reactions.