Is the cyber threat overblown?

Am I the only person -- well, besides Glenn Greenwald and Kevin Poulson -- who thinks the "cyber-warfare" business may be overblown? It’s clear the U.S. national security establishment is paying a lot more attention to the issue, and colleagues of mine -- including some pretty serious and level-headed people -- are increasingly worried by the danger of some sort of "cyber-Katrina." I don't dismiss it entirely, but this sure looks to me like a classic opportunity for threat-inflation.

Mind you, I'm not saying that there aren't a lot of shenanigans going on in cyber-space, or that various forms of cyber-warfare don't have military potential. So I'm not arguing for complete head-in-the-sand complacency. But here’s what makes me worry that the threat is being overstated.

First, the whole issue is highly esoteric -- you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be.  Unfortunately, details about a number of the alleged incidents that are being invoked to demonstrate the risk of a "cyber-Katrina," or a cyber-9/11, remain classified, which makes it hard for us lay-persons to gauge just how serious the problem really was or is. Moreover, even when we hear about computers being penetrated by hackers, or parts of the internet crashing, etc., it’s hard to know how much valuable information was stolen or how much actual damage was done. And as with other specialized areas of technology and/or military affairs, a lot of the experts have a clear vested interest in hyping the threat, so as to create greater demand for their services. Plus, we already seem to have politicians leaping on the issue as a way to grab some pork for their states.

Second, there are lots of different problems being lumped under a single banner, whether the label is "cyber-terror" or "cyber-war." One issue is the use of various computer tools to degrade an enemy’s military capabilities (e.g., by disrupting communications nets, spoofing sensors, etc.). A second issue is the alleged threat that bad guys would penetrate computer networks and shut down power grids, air traffic control, traffic lights, and other important elements of infrastructure, the way that internet terrorists (led by a disgruntled computer expert) did in the movie Live Free and Die Hard. A third problem is web-based criminal activity, including identity theft or simple fraud (e.g., those emails we all get from someone in Nigeria announcing that they have millions to give us once we send them some account information). A fourth potential threat is “cyber-espionage”; i.e., clever foreign hackers penetrate Pentagon or defense contractors’ computers and download valuable classified information. And then there are annoying activities like viruses, denial-of-service attacks, and other things that affect the stability of web-based activities and disrupt commerce (and my ability to send posts into FP).

This sounds like a rich menu of potential trouble, and putting the phrase "cyber" in front of almost any noun makes it sound trendy and a bit more frightening. But notice too that these are all somewhat different problems of quite different importance, and the appropriate response to each is likely to be different too. Some issues -- such as the danger of cyber-espionage -- may not require elaborate technical fixes but simply more rigorous security procedures to isolate classified material from the web. Other problems may not require big federal programs to address, in part because both individuals and the private sector have incentives to protect themselves (e.g., via firewalls or by backing up critical data). And as Greenwald warns, there may be real costs to civil liberties if concerns about vague cyber dangers lead us to grant the NSA or some other government agency greater control over the Internet.  

Third, this is another issue that cries out for some comparative cost-benefit analysis. Is the danger that some malign hacker crashes a power grid greater than the likelihood that a blizzard would do the same thing? Is the risk of cyber-espionage greater than the potential danger from more traditional forms of spying? Without a comparative assessment of different risks and the costs of mitigating each one, we will allocate resources on the basis of hype rather than analysis. In short, my fear is not that we won't take reasonable precautions against a potential set of dangers; my concern is that we will spend tens of billions of dollars protecting ourselves against a set of threats that are not as dangerous as we are currently being told they are.

I hasten to add that this isn't my area of expertise and I may be completely wrong about it. What I would really like, therefore, is for an objective, blue-ribbon commission to look carefully at this question. Here's a possible example of what I have in mind, but I can't tell how reliable its conclusions are likely to be. Why? Because I can't tell how many of its members are people with a stake in the outcome. Makes me wish somebody like Richard Feynman was still around to chair it. 

Alex Wong/Getty Images

Stephen M. Walt

Obama's Afghan drop-in

I don't watch much televised news -- there's just not a lot of content per unit of time and I get bored too quickly -- but I did happen to catch a report on President Obama's whirlwind trip to Afghanistan yesterday. (As a sign of my indifference to the major networks, I couldn't even tell you which channel I was watching). But I did see a film clip of the president giving a speech to the troops at Bagram air base, where he thanked them for their efforts, said the country was grateful, and told the troops "the American armed services does not quit, we keep at it, we persevere, and together with our partners we will prevail."

As always, Obama looked comfortable and sounded good. And it's possible that he meant every word of his pep talk. But I kept wondering what he meant by "prevail?" What is his definition of victory? Is it the surrender and capture of Mullah Omar and the Quetta Shura, or the military defeat of the Taliban itself? Is victory defined as the establishment of a unified Afghan central government (something that hasn't existed for decades) in command of native security forces that can take over the battle themselves, with little or no foreign support? If special representative Richard Holbrooke thinks we'll "know success when we see it," what exactly are we looking for?" 

Here's how Obama defined the strategy in his remarks:

Our broad mission is clear: We are going to disrupt and dismantle, defeat and destroy al Qaeda and its extremist allies. That is our mission. And to accomplish that goal, our objectives here in Afghanistan are also clear: We're going to deny al Qaeda safe haven. We're going to reverse the Taliban's momentum. We're going to strengthen the capacity of Afghan security forces and the Afghan government so that they can begin taking responsibility and gain confidence of the Afghan people.

And our strategy includes a military effort that takes the fight to the Taliban while creating the conditions for greater security and a transition to the Afghans; but also a civilian effort that improves the daily lives of the Afghan people, and combats corruption; and a partnership with Pakistan and its people, because we can't uproot extremists and advance security and opportunity unless we succeed on both sides of the border. Most of you understand that."

If that's what the President really thinks, we are going to be there for a long, long time.  So I found myself hoping (perhaps naively) that this was all a bit of blue-smoke-and-mirrors, and that he's actually planning to follow the same script in Afghanistan that Bush followed in Iraq.  It won't be identical in every detail, but the basic logic would be similar.  Here's how it goes:

First, announce an escalation of the U.S. effort (aka a "surge"), but set a rough deadline for it and quietly put new emphasis on "political reconciliation." (Done).  Next, bombard the media with lots of evidence of progress, such as Taliban "strongholds" seized, al Qaeda leaders killed or captured, Taliban leaders arrested in Pakistan, etc., so that people think the surge is working.  (Now underway). Third, arrange a diplomatic settlement that requires the phased withdrawal of U.S./ISAF troops, even if their departure is on a rather lengthy timetable. The Iraqi equivalent was the Status of Forces agreement negotiated by the Bush administration in the fall of 2008; in Afghanistan, it would probably entail some sort of negotiation between the Karzai government, the Taliban, and various other warlords (whether by a loya jirga) or some other device (Maybe underway too?). Finally, start removing the "surged" forces more-or-less on schedule-and ahead of the 2012 election cycle-so that you can claim to have avoided the quagmire that critics warned about back in 2009 (Remains to be seen).

I have no idea if this is what Obama or his team are actually planning -- or maybe just hoping for -- but at this stage it is offers the best chance of avoiding an open-ended commitment there.  Part of the trick is to keep sounding resolute and determined even while you're (quietly) looking for an exit, and as someone who remains unconvinced that the Afghan campaign is worth the costs, I'll continue to hope that this is what is really going on.