Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats

Beyond Cyber-Doom: Assessing the Limits of Hypothetical Scenarios in the Framing of Cyber-Threats

Sean Lawson | Dec 19, 2012

Cybersecurity proponents often rely upon cyber-doom scenarios as a key tactic for calling attention to prospective cyber-threats. This essay critically examines cyber-doom scenarios by placing them into a larger historical context, assessing how realistic they are, and drawing out the policy implications of relying upon such tales. It draws from relevant research in the history of technology, military history, and disaster sociology to examine some of the key assertions and assumptions of cyber-doom scenarios. It argues that cyber-doom scenarios are the latest manifestation of fears about “technology-out-of-control” in Western societies, that they are unrealistic, and that they encourage the adoption of counter-productive, even dangerous policies. The paper concludes by offering alternative principles for the formulation of cybersecurity policy.

Introduction

“[T]hese war games are about the real effects of a cyberwar…about causing chaos in our streets at home due to sudden crashes in our critical infrastructure through manipulation of our banking, transportation, utilities, communications, and other critical infrastructure industries. These are all real scenarios…” (Patterson, 2010b).

“In seeking a prudent policy, the difficulty for decision-makers is to navigate the rocky shoals between hysterical doomsday scenarios and uninformed complacency” ( Dunn Cavelty, 2008 , p. 144).

Recently, news media and policymakers in the United States have turned their attention to prospective threats to and through cyberspace. Prospective cyber-threats include attacks on critical infrastructures like power, water, transportation, and communication systems launched via cyberspace, but also terrorist use of the Internet, mobile phones, and other information and communication technologies (ICTs) for fundraising, recruiting, organizing, and carrying out attacks (Deibert & Rohozinski, 2010). Out of frustration over a perceived lack of attention to these threats, combined with a belief that “exaggeration” and “appeals to emotions like fear can be more compelling than a rational discussion of strategy” (Lewis, 2010, p. 4), some cybersecurity proponents deploy “cyber-doom scenarios” (Dunn Cavelty, 2008, p. 2). These are hypothetical tales of cyberattacks resulting in the mass collapse of critical infrastructures, which in turn leads to serious economic losses, or even total economic, social, or civilizational collapse. These tactics seem to have paid off in recent years, with cybersecurity finding its way onto the agendas of top civilian and military policymakers alike. The results have included the creation of a White House “cybersecurity czar,” the creation of the military's U.S. Cyber Command, and the consideration of several cybersecurity-related pieces of legislation by the U.S. Congress.

In the last several years, several high-profile “cyberattack” incidents have focused news media and policymaker attention on cybersecurity. These have included two large-scale cyberattacks attributed to Russia: one against the nation of Estonia in 2007 (Blank, 2008; Evron, 2008) and one against the nation of Georgia in 2008 that coincided with a Russian invasion of that country (The Frontrunner, 2008; Bumgarner & Borg, 2009; Korns & Kastenberg, 2008; Nichol, 2008). In January 2010, Google's accusations of Chinese cyberattacks against it garnered a great deal of press attention and were featured prominently in Secretary of State Clinton's speech on “Internet Freedom” (Clinton, 2010). 1 Most recently, the United States and Israel have been implicated in the Stuxnet cyberattack against Iranian nuclear facilities (Sanger, 2012).

These are but the latest developments in an ongoing discussion of prospective cyber-threats. Over the last three decades, cybersecurity proponents have presented a shifting and sometimes ambiguous case for what exactly is being threatened and by whom. During the 1980s, the main cybersecurity concern was foreign espionage via the exploitation of the United States' increasing dependence on computers and networks. Then, in the 1990s, experts began writing about the supposed non-state, cyberterrorist threat to civilian critical infrastructures. In the opening days of the Bush administration, cybersecurity proponents replaced non-state actors with state actors as the dominant threat. But in the immediate aftermath of 9/11, the threat perception returned to terrorists using cyberspace to attack critical infrastructure. Then, in the run-up to the Iraq war in 2003, state actors once more became the supposed threat, with Saddam Hussein's Iraq making the list of states with a cyberwar capability (Weimann, 2005, p. 133–134; Bendrath, 2001; Bendrath, 2003; Dunn Cavelty, 2008). Recent policy documents identify a combination of state actors working directly or indirectly via non-state proxies—e.g. “patriotic hackers” or organized crime—to target private intellectual property and government secrets (The White House, 2009a; White House Press Office, 2009; Langevin et al., 2009).

Despite persistent ambiguity in cyber-threat perceptions, cybersecurity proponents continue to rely upon cyber-doom scenarios as a key rhetorical tactic for motivating a response to cyber-threats. This essay critically examines cyber-doom scenarios by placing them into a larger historical context, assessing how realistic they are, drawing out the policy implications of relying upon such tales, and offering alternative principles for the formulation of cybersecurity policy. It draws from relevant research in the history of technology, military history, and disaster sociology to examine some of the key assertions and assumptions upon which cyber-doom scenarios rely. It argues that cyber-doom scenarios are the latest manifestation of long-standing fears about “technology-out-of-control” in Western societies, that tales of infrastructural collapse leading to social and/or civilizational collapse are unrealistic, and that the constant drumbeat of cyber-doom scenarios encourages the adoption of counter-productive policies focused on control, militarization, and centralization. As an alternative, it is argued that cybersecurity policy should be based on more realistic understandings of what is possible that are informed by empirical research and guided by principles of resilience, decentralization, and self-organization.

Read the full article at the Journal of Information Technology & Politics

' '