Mark Thompson has a new essay up over at Time on “Cyber War Worrywarts” in which he argues that in debates about cybersecurity, “the ratio of scaremongers to calm logic [is] currently about a 2-to-1 edge in favor of the Jules Verne crowd.” He’s right. In fact, I used my latest Forbes essay to document some of the panicky rhetoric and examples of “threat inflation” we currently see at work in debates over cybersecurity policy. “Threat inflation” refers to the artificial escalation of dangers or harms to society or the economy and doom-and-gloom rhetoric is certainly on the rise in this arena.
I begin my essay by noting how “It has become virtually impossible to read an article about cybersecurity policy, or sit through any congressional hearing on the issue, without hearing prophecies of doom about an impending “Digital Pearl Harbor,” a “cyber Katrina,” or even a “cyber 9/11.”” Meanwhile, Gen. Michael Hayden, who led the National Security Administration and Central Intelligence Agency under president George W. Bush, recently argued that a “digital Blackwater” may be needed to combat the threat of cyberterrorism.
These rhetorical claims are troubling to me for several reasons. I build on the concerns raised originally in an important Mercatus Center paper by my colleagues Jerry Brito and Tate Watkins, which warns of the dangers of threat inflation in policy debates and the corresponding rise of the “cybersecurity industrial complex.” In my Forbes essay, I note that:
Panics and threat inflation can create distrust in many institutions, especially the press, and result in a “boy who cried wolf” problem. When panic becomes the norm, it becomes more difficult for the public to take seriously those who propagate such tall tales. “When a threat is inflated,” argue Brito and Watkins, “the marketplace of ideas on which a democracy relies to make sound judgments—in particular, the media and popular debate—can become overwhelmed by fallacious information.”
Apocalyptic rhetoric and prophecies of doom are also inappropriate—even offensive—when comparisons are made to horrific events that are not analogous to cybersecurity attacks. Thousands lost their lives or were injured in the attacks on Pearl Harbor in 1941 and the World Trade Center during 9/11, and Hurricane Katrina also resulted in thousands of deaths and injuries in 2005. To compare cybersecurity attacks to those incidents is to insult the memories of those who lost their lives.
Finally, the technopanic mentality is also troubling because it can lead to calls for comprehensive regulation of the Internet or forms of information control. We are starting to hear calls by a variety of policymakers and cyberwar pundits for more “oversight” and “control.” In a National Journal essay last month, Michael Hirsh noted that “the cyberwar threat is being hyped because of a fear of unknown dangers [but] the biggest threat of all may come from our own overreaction.” Hirsh documents how “a new multibillion-dollar military-industrial complex is emerging,” and billions are already being spent. In my Forbes piece, I note how in his recent book, Cyber War: The Next Threat to National Security and What to Do About It, cyberwar prophet of doom Richard A. Clarke, a former cybersecurity advisor in the Clinton and Bush Administrations, calls for government to impose a fairly sweeping set of new rules on Internet Service Providers to better secure their networks against potential attacks. Clarke wants ISPs to engage in a great deal more network monitoring for digital dangers (using deep-packet inspection techniques) under threat of legal sanction if things go wrong. He admits there are corresponding costs and privacy concerns, but largely dismisses them in the name of a safer and more secure cyberspace. [See my review of his book here.]
My primary fear is that this panic is all prelude to a big push for a “precautionary principle” approach for cybersecurity. That is, progress in the digital technology arena will increasingly be subjected to preemptive prohibitions and ongoing “oversight” out of fear of any and all “worst case” risk scenarios that policymakers and cyberwar pundits can conjure up.
As I note in concluding my essay, the better approach to cybersecurity going forward is education and resiliency:
People and institutions can prepare for potential security problems in a rational fashion if given more information and tools to better secure their digital systems and understand how to cope when problems arise. Panic, by contrast, is never the right answer.
Yet, fear remains a remarkably powerful force in public policy debate and I am willing to bet that these threat inflation tactics will only increase in coming months and years. As I’ve noted here many times before, fear sells.
Related TLF Reading (all from Jerry Brito)
- Langevin: Panetta is cyberdoom certified
- Can cyber-kamikazes cyberbombard our cyberdefenses?
- Overclassification stifles the cybersecurity conversation