
The White House likes a bit of threat. In his State of the Union address, Barack Obama wanted to nudge Congress yet again into passing meaningful legislation. The president emphasized that America's enemies are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many participants in the cybersecurity debate reckon that puffery pays off.
The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same."
A reminder is in order: The world has yet to witness a single casualty, let alone a fatality, as a result of a computer attack. Such statements are a plain insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all, a bit of fear helps to claim -- or keep -- scarce resources when austerity and budget cuts seem out of control. The report recommended allocating the stout sum of $2.5 billion for its top two priorities alone: protecting nuclear weapons against cyberattacks and determining the mix of weapons necessary to punish all-out cyber-aggressors.
Then there are private computer security companies. Such firms, naturally, are keen to pocket some of the government's money earmarked for cybersecurity. And hype is the means to that end. Mandiant's much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But instead of using cocky and over-confident language, Mandiant's analysts should have used Words of Estimative Probability, as professional intelligence analysts would have done.
An example is the report's conclusion, which describes APT1's work: "Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai -- two of which are allocated directly to the Pudong New Area," the report found. Unit 61398 of the People's Liberation Army is also in Pudong. Therefore, Mandiant's computer security specialists concluded, the two were identical: "Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that Pudong is not a small neighborhood ("right outside of Unit 61398's gates") but in fact a vast city landscape twice the size of Chicago. Shared geography between attacking networks and a military unit is circumstantial evidence, not proof of identity. Mandiant's report was useful, and many attacks indeed originate in China. But the company should have been more careful in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm made it too easy for Beijing to dismiss the report. My class in cybersecurity at King's College London started poking holes in the report after 15 minutes of red-teaming it -- the New York Times didn't.
Which leads to the next point: The media want to sell copy through threat inflation. "In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually published two supportive articles on it and pointed out that a major offensive cyber capability now seemed essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style cyberattack that has actually created physical damage -- Stuxnet -- was actually executed by the United States government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report; instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation's fiercest watchdogs too often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security establishment.