Cybersecurity is a hot policy / legal topic at the moment: the SEC recently issued guidance on cybersecurity reporting, defense contractors suffered a spear-phishing attack, the Office of the National Counterintelligence Executive issued a report on cyber-espionage, and Brazilian ISPs fell victim to DNS poisoning. (The last highlights a problem with E-PARASITE and PROTECT IP: if they inadvertently encourage Americans to use foreign DNS providers, they may worsen cybersecurity problems.) Cybersecurity is a moniker that covers a host of problems, from identity theft to denial of service attacks to theft of trade secrets. The challenges are real, and there are many of them.
That’s why it is disheartening to see otherwise knowledgeable experts focusing on chimerical targets. For example, Eugene Kaspersky stated at the London Cyber Conference that “we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then…oh, God.” FBI executive assistant director Shawn Henry said that attacks could “paralyze cities” and that “ultimately, people could die.”
Do these claims hold up? What, exactly, is it that cyber-terrorists are going to do? Engage in identity theft? Steal U.S. intellectual property? Those are somewhat worrisome, but where is the “terror” part? Terrorists support malevolent activities with all sorts of crimes. But that’s “support,” not “terror.” Hysterics like Richard Clarke spout nonsense about shutting down air traffic control systems or blowing up power plants, but there is precisely zero evidence that even nation-states can do this sort of thing, let alone small, non-state actors. The “oh, God” part of Kaspersky’s comment is a standard rhetorical trope in the apocalyptic discussions of cybersecurity. (I knock these down in Conundrum, coming out shortly in Minnesota Law Review.) And paralyzing a city isn’t too hard: snowstorms do it routinely. The question is how likely such threats are to materialize, and whether the proposed answers (Henry thinks we should build a new, more secure Internet) make any sense.
There are at least two plausible reasons why otherwise rational people spout lurid doomsday scenarios instead of focusing on the mundane, technical, and challenging problems of networked information stores. First, and most cynically, they can make money from doing so. Kaspersky runs an Internet security company; Clarke is a cybersecurity consultant; former NSA director Mike McConnell works for a law firm that sells cybersecurity services to the government. I think there’s something to this, but I’m not ready to accuse these people of being venal. I think a more likely explanation flows from Paul Ohm’s Myth of the Superuser: many of these experts have seen what truly talented hackers can do, given sufficient time, resources, and information. They then extrapolate to a world where such skills are commonplace, and unrestrained by ethics, social pressures, or sheer rational actor deterrence. Combine that with the chance to peddle one’s own wares, or books, to address the problems, and you get the sum of all fears. Cognitive bias matters.
The sky, though, is not falling. Melodrama won’t help – in fact, it distracts us from the things we need to do: to create redundancy, to test recovery scenarios, to deploy more secure software, and to encourage a culture of testing (the classic “hacking”). We are not going to deploy a new Internet. We are not going to force everyone to get an Internet driver’s license. Most cybersecurity improvements are going to be gradual and unremarkable, rather than involving Bruce Willis and an F-35. Or, to quote Frank Drebin, “Nothing to see here, please disperse!”
Cross-posted at Prawfsblawg.