Beyond Cyber Doom

Cyber Attack Scenarios and the Evidence of History

The constant drumbeat of cyber-doom scenarios encourages the adoption of counter-productive policies.

Recently, news media and policymakers in the United States have turned their attention to prospective threats to and through “cyberspace.” “Cybersecurity” threats include attacks on critical infrastructures like power, water, transportation, and communication systems launched via cyberspace, but also terrorist use of the Internet, mobile phones, and other information and communication technologies for fundraising, recruiting, organizing, and carrying out attacks. 

Frustration over a perceived lack of public and policymaker attention to these threats, combined with a belief that “exaggeration” and “appeals to emotions like fear can be more compelling than a rational discussion of strategy," a number of alarmists have deployed what one scholar has called “cyber-doom scenarios.” These involve hypothetical tales of cyberattacks resulting in the mass collapse of critical infrastructures, which in turn leads to serious economic losses, or even total economic, social, or civilizational collapse. These tactics seem to have paid off in recent years, with cybersecurity finding its way onto the agendas of top civilian and military policymakers alike. The results have included the creation of a White House “cybersecurity czar,” the creation of the military’s U.S. Cyber Command, the drafting of a plan for Trusted Identities in Cyberspace, and the consideration of several cybersecurity-related pieces of legislation by the U.S. Congress.

Cyber-doom scenarios are more a reflection of long-held, but ultimately incorrect, assumptions and fears about the fragility of modern societies and infrastructure systems than they are a realistic portrayal of what is possible as a result of a cyberattack. Research by historians of technology, military historians, and disaster sociologists has shown consistently that modern technological and social systems are more resilient than military and disaster planners often assume. What’s more, they have shown that fears and assumptions to the contrary often lead to a centralized, militarized quest for top-down control that is ultimately counter-productive to achieving stated policy objectives. 

Influenced by cyber-doom scenarios, current U.S. cybersecurity policy, with its creation of a military Cyber Command and suggestions for an “Internet kill switch,” is tending towards the centralized, militarized, control-oriented, fortress mentality that research suggests is neither prudent nor effective. Instead, research suggests that effective prevention of, defense against, and mitigation in response to cyber attacks require the promotion of resilience by way of repair, maintenance, and modernization of our technological systems and decentralization, self-organization, economic strength, and good governance in our social systems.

Sean Lawson is an assistant professor in the Department of Communication at the University of Utah. His research focuses on the relationships among science, technology, and the development of military theory and discourse, in particular the intersections of national security and military thought with new media, information, and communication technologies.