With the world being integrated through access to the web, it’s hardly a shock to hear American officials and politicians voice concerns about the threat posed by “hackers” and “cyberwarfare” to American national security. But as with all warnings regarding the state’s villain du jour, a significant gap exists between the rhetoric and the reality.
To evaluate claims made by “cybersecurity” or “information security” (InfoSec) advocates, either in government or industry (and usually both), one must understand exactly what types of hacking they're claiming poses a threat.
Within cyberwarfare, there are two variants: espionage and sabotage. Cyber espionage refers to the intrusion into computer systems for the purposes of gathering information. This is by far the most common form of hacking that occurs between states. If done to pilfer economic intelligence, it can be damaging to the profits of companies trying to protect trade secrets or intellectual property. If targeting government facilities, it can spill secrets into the hands of geopolitical competitors. And as President Obama has made clear, even concerned citizens who use their access to leak secrets to the American public will be considered spies and "hackers," the definitions of which broaden at executive will.
Judged in terms of potential damage caused, cybersabotage is the real threat — which is why it likely is touted so often. This refers to computer network penetration for the purposes of disrupting a target’s industrial capabilities. In the case of critical infrastructure — such as nuclear plants, water treatment facilities, and communications networks — defense against this sort of intrusion seems reasonable, as the harm caused by the American-Israeli Stuxnet virus should make evident. But the ability to protect such areas of import are well within current means. For example, even the Stuxnet virus had to be introduced by spies within the Iranian nuclear program via USB drives because the computer systems in control of the Siemens industrial machinery were never built to be connected to the internet. Compartmentalization of networks is the easiest way to limit liability from without.
Many of the hypothetical scenarios promoted by cybersecurity sages are easily debunked. Even the White House’s former cybersecurity Czar had to push back against the onslaught of alarmism that conflates cyberespionage, cybersabotage, and their respective dangers.
Furthermore, the solutions proffered to confront the threat of cyberwar go far beyond their stated objectives, raising serious concern over their intent from the beginning. Nowhere was this more visible than in the debate over the now-shelved-but-not-dead Cyber Intelligence Sharing and Prevention Act (CISPA).
The ostensible aim of CISPA — first introduced in 2011 by House Intelligence Committee members Mike Rogers and “Dutch” Ruppersberger, both drowning in defense and intelligence industry cash — was to facilitate information sharing between government and private industry to mitigate the potential for cybersabotage. But the devilish details within told a different story: A definition nearly without limit of what customer information Internet Service Providers (ISPs) could share with the government, and very few restrictions on how Leviathan could then use that information. If passed, the bill would have effectively nullified a number of laws that provide judicial oversight and privacy protections to prevent companies from sharing your details willy-nilly.
To critics, CISPA reeked of a massive power grab by the national security establishment to gather (even more) data on American citizens, while insulating private sector collaborators from any legal reproach. It aimed to be to the ISPs what the 2008 FISA Amendments Act (FAA) was to many of the same companies in their role as telecoms.
So why are government officials and cybersecurity “experts” hyping up and conflating the many forms of hacking into one big, scary, indistinguishable threat? Two (redundant) words: cash money.
By 2015, the U.S. government is expected to spend $10.5 billion per year on cybersecurity, while the worldwide market is estimated to be between $80-140 billion a year. Defense contracting behemoths who live as leeches on the public dime are hip to the scheme, with L-3 Communications, SAIC, and Lockheed Martin all launching cybersecurity branches in recent years. And the same people hawking the threat also happen to sell solutions. Isn't that convenient?
As an outgoing president so astutely pointed out 54 years ago, when an industry is created that exists exclusively on government security contracts, they’re incentivized to make the public feel insecure so they stay fed. The money can then be channeled back into Congressional coffers to ensure future contracts and lax oversight. Et voila, you have the Iron Triangle between business and politics.
As corrosive as that arrangement can be to representative democracy, it can be even more harmful to the truth. As such, don’t expect to hear anything but hype over the threat posed by scary people on the internet — and always check to see who’s paying the bills of the Chicken Littles spouting it.