Cyber-warfare: WMD redux?
On NPR the other day, I heard a reporter, citing defense experts, compare cyber-warfare to a nuclear attack. The comparison struck me as outlandish: which kind of assault would you rather be on the receiving end of? In the latest Boston Review, Evgeny Morozov, a fellow at the Open Society Institute, suggests that significant skepticism about the threat posed by cyber-warfare is warranted.
Official reports on cyber-warfare and cyber-terrorism, he writes, "are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation."*
Details about the scope of the cyber-threat are hard to come by. In 2008, for example, a "senior CIA cyber-security analyst" made a widely quoted claim: "We have information, from multiple regions outside the United States, of cyberintrusions into utilities, followed by extortion demands." But Morozov underscores the vagueness here. When? Where? By whom?
True, both Estonia and Georgia have been the target of genuine cyber-attacks, either by Russian officials or private Russian citizens. (The details remain fuzzy.) In Estonia in 2007, online banking and other crucial services were essentially shut down for a month by outsiders overloading the system. (Such "distributed denial-of-service," or DDoS, attacks often involve thousands of computers, some of them co-opted by "trojan" software.) Something similar happened in Georgia during its August 2008 war with Russia.
But Morozov points out that Georgia is a "technological laggard," with only about 7 percent of its citizens online. Gumming up the Internet there is 1) easy, and 2) kind of beside the point.
Estonia is not a techno-laggard, but is "'cyberlocked,' with limited points of connection … to the external Internet." Similar conditions simply don't obtain in the United States or Western Europe.
Morozov suggests that DDoS attacks pose the greatest threats to private companies unshielded by potent governments (such as gambling sites banned in the U.S. and therefore operating "offshore," which are often the target of blackmail operations), and small nonprofits, which might be bombarded by their political enemies if they say or do something controversial.
Nonprofits simply lack the money to defend themselves. The Pentagon, on the other hand, has ample resources to deter denial-of-service attacks. And as for fears of hackers stealing nuclear codes or blowing up power stations -- well, keeping high-value information away from public networks, or else massively encrypted, is Network Security 101, Morozov maintains. It's well under control.
So what's fueling cyber-war hysteria? Morozov says much of the blame should fall on computer consultants who are using fear as a business strategy. Over the next few years, he writes, a burgeoning "cyber-security market" is slated to "grow twice as fast as the rest of the I.T. industry."
*The prize for excessive rhetoric has to go to this quote, from the C.E.O. of NetWitness, a cybersecurity startup: "cyber-9/11 has happened over the last ten years, but it's happened slowly, so we don't see it."
