Today I went to a talk by Irving Lachow at the think tank where I used to work on whether cyberterrorism is a myth or a menace. The conclusion is probably obvious: it’s basically not a real menace. There’s lots for everyone to worry about from organized crime and certainly lots more for the government-industrial complex to worry about from nation-state threats, but cyberterrorism is a mirage, and basically everyone who doesn’t have skin in the game (and even some people who do or might–such as myself) agree. I’ve talked about similar themes here and here and here, among other entries on this blog.
Lachow mentioned that he did his research on this topic through unclassified sources, then went onto JWICS with crossed fingers–and ended up standing by his initial conclusions. Terrorists do organizational and support stuff and “influence operations” (I guess this is a subtler version of PSYOPS) using networks, but they don’t really engage in cyberterrorism. And the stuff that gets called cyberterrorism basically doesn’t deserve the name. Lachow believes, as I do, that crime, espionage, and state-level network attacks are what we really ought to be concerned with: cyberterror should be considered a “lesser included threat”–although the risks for all of these threats will only increase with time.
One theme that he brought up that I and many others have mulled over is cyberdeterrence. Basically, nobody knows how to do it. The nuclear analogies are false. But (as I’ve mentioned here) for a really big attack, one that’s worthy of a strategic offensive move by a nation-state or terrorist group, there will be a kinetic component. Attribution won’t be a problem. Old-fashioned deterrence with guns still works just fine.
It’s taken decades to raise awareness of the vulnerabilities to our info systems; and a lot more still needs to be done. Are you sure squabbling over terms with the net effect of giving ammo to anti-internet security groups is for the best?
Sure it would be best to get the definition correct and still raise awareness (ie funding) but that won’t happen overnight. In the meantime downplaying the need for more security because the term isn’t the most correct won’t exactly help the community, in my opinion. Whens the last time you heard anything about the National Cyber Initiative?
And why can ‘global warming’ become ‘climate change’ to grab headlines (when things get colder) but ‘information assurance’ can’t use a more attention-getting title like ‘cyber-terrorism’ to do the same? Sure, over the long term people will look back and say ‘the threat was oversold’ or ‘they overpromised’, but in the meantime I say we can use all the help we can get. This appears to be academia splitting hairs.
I actually think bothering with definitions is a waste of time. Like Potter Stewart said: “I know it when I see it”. I think there’s a huge need for more security–that’s why EQ was started–but too many people have already cried wolf or said the sky is falling to not be clear about what the real threats are.
[...] actually may be true. At present, and as I’ve mentioned here, there is basically no such thing as cyberterrorism. But that doesn’t mean that there [...]