Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy

There has been no shortage of attention devoted to cybersecurity, with a wide range of experts warning of potential doomsday scenarios should the government not act to better secure the Internet. But this is not the first time we have been warned of impending dangers; indeed, there are many parallels between present portrayals of cyberthreats and the portrayal of Iraq prior to 2003, or the perceived bomber gap in the late 1950s.

This Article asks for a better justification for the increased resources devoted to cyber threats. It examines the claims made by those calling for increased attention to cybersecurity, and notes the interests of a military-industrial complex in playing up fears of a “cyber Katrina.” Cybersecurity is undoubtedly an important policy issue. But with a dearth of information regarding the true nature of the threat, it is quite difficult to determine whether certain government policies are warranted—or if this merely represents the latest iteration of threat inflation benefitting private and parochial political interests.

Introduction

Over the past two years, there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said, “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.

Security risks to private and government networks from criminals and malicious state actors are no doubt real and pressing. However, the rhetoric of “cyber doom” employed by proponents of increased federal intervention in cybersecurity implies an almost existential threat that requires instant and immense action. Yet these proponents lack clear evidence of such doomsday threats that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve not only to supply cybersecurity solutions to the federal government, but to drum up demand for those solutions as well.

Part I of this article draws a parallel between today’s cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for soberly analyzing the cybersecurity threat.

Continue reading the full paper