Cybersecurity: Researchers say alarmist rhetoric of cyber doom unrealistic and unhelpful

Published 2 May 2011

Researchers are warning that the government’s increasingly “alarmist rhetoric” regarding “catastrophic cyber threats” is not based on credible evidence and is proving to be problematic; the two say that over the past several years politicians have increasingly discussed cyber threats in hyperbolic language that has no basis in reality; they warn that the inflation of this threat can be used to justify increasing government regulation of the internet as well as unwarranted government expenditures on cyber security programs.

Researchers are warning that lawmakers’ increasingly “alarmist rhetoric” regarding “catastrophic cyber threats” is not based on credible evidence and is proving to be problematic.

In “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cyber security Policy,” Jerry Brito and Tate Watkins, two researchers from the Mercatus Center at George Mason University, argue that the United States could be “witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War.”

The two say that over the past several years politicians have increasingly discussed cyber threats in hyperbolic language that has no basis in reality.

For instance, Senator Carl Levin (D-Michigan), the chairman of the Senate Armed Services Committee, has likened cyber attacks to weapons of mass destruction. Last year during a committee hearing Senator Levin said, “cyber weapons and cyber attacks potentially can be devastating, approaching weapons of mass destruction in their effects.”

But Brito and Watkins say, “The rhetoric of ‘cyber doom’ employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public.”

Drawing a comparison to the run-up to the Iraq War, the researchers say that while Iraq had previously backed terrorists and possessed chemical and biological weapons, there was never any verifiable evidence to support the claim that Saddam Hussein was on the verge of acquiring weapons of mass destruction.

With regard to cyber security, the two say that while there is a clear indication that cyber crime and cyber attacks are on the rise, there is no verifiable proof to support claims that there will be an imminent catastrophic cyber attack against the United States.

They conclude, “There is very little verifiable evidence to substantiate the threats claimed, and the most vocal proponents of a threat engage in rhetoric that can only be characterized as alarmist.”

They warn that the inflation of this threat can be used to justify increasing government regulation of the internet as well as unwarranted government expenditures on cyber security programs.

Last Monday, DHS Secretary Janet Napolitano delivered a speech at the University of California, Berkeley, urging greater private-sector cooperation with the government on cyber security. To justify her argument, Napolitano linked terrorism to cyber attacks, but Brito said, “There’s zero evidence that cyber is really a tool for terrorist attack.”

“That’s the sort of rhetoric that I’d like to see people be more careful about,” he added.

Brito is careful to note that he is not against government efforts to defend cyberspace and is not saying that cyber threats are not real. Instead, he wants to start a candid dialogue about the real cyber threats that the country is facing and what the proper way to address them is.

“I’m not suggesting the government should have no role in cyber security infrastructure, but we have to ask ourselves, when should the government have a role, and what should that role be?” he said.

Currently the government is seeking to lead nationwide efforts to secure sensitive data networks, especially with regard to critical infrastructure like electricity grids, dams, and the financial market.

But Brito says that the government has not adequately laid out its justification for seeking to step in and help secure critical infrastructure.

“We haven’t heard that argument. What we’ve heard is, ‘We’re the government, we have to secure the critical infrastructure,’” he said. “Wait, stop, we haven’t had the analysis yet—point me to the critical infrastructure you want to regulate, and tell me why they don’t have the incentive to provide security themselves.”

He also questions whether the government is better equipped to handle cyber security than the private sector.

“How is government going to do any better?” he asked.

“It’s just assumed that government is going to come in, and it will all be secure. And I’m not sure why we think that DHS will do better.”

Brito and Watkins also believe that this problem is exacerbated by “a cyber-industrial complex… [that] may serve to not only supply cyber security solutions to the federal government, but to drum up demand for them as well.”

They say that the leading advocates for increased cyber security expenditures are often those who stand to gain the most from it.

The loudest voices for impending cyber war often own consulting firms that receive lucrative cyber security contracts or receive campaign contributions from companies with a large stake in government cyber security spending.

The two also say that there is little third-party evidence to substantiate cyber threats as the producers of cyber security solutions are also the main source of data for cyber security problems.

Jerry Brito is a senior research fellow at the Mercatus Center as well as the director of the Technology Policy Program.

Tate Watkins is a research associate for the Technology Policy Program.