Back to News & Commentary

The Political Effects of Conflating Separate Meanings of "Cybersecurity"

Jay Stanley,
Senior Policy Analyst,
老澳门开奖结果 Speech, Privacy, and Technology Project
Share This Page
April 23, 2012

Washington is in the midst of debating something called 鈥渃ybersecurity.鈥 But that term actually includes several very separate and distinct problems that call for very different solutions. Not only does conflating them confuse the issue 鈥 it also has very distinct political consequences. So let鈥檚 unpack the separate meanings of the term.

1. Criminal and malicious online behavior
As every computer owner knows, internet security is a very real problem for individual households and businesses. The open architecture of computers and the internet has led to an explosion of innovation, collaboration, and creativity 鈥 but the very openness that has fuelled so much innovation has also made us vulnerable to viruses, spyware, and other forms of malware. These problems are endemic among home computers and among a surprising number of professionally managed institutional machines as well. Much of this is due to the failure to perform basic computer security.

2. Espionage
Foreign governments have always tried to steal U.S. secrets 鈥 just as we have tried to steal theirs in the endless game of spy vs. spy. And of course if they can use the internet to do so, they will. Corporate espionage, meanwhile, may also be a problem, though that too is something that has always taken place, and always will, as competitors try to erase their rivals鈥 advantages in the marketplace.

3. Potential attacks on critical infrastructure (鈥渃yberterrorism鈥 or 鈥渃yberwar鈥)
Entirely separate from the day-to-day malware attacks and our intelligence agencies鈥 efforts to keep information out of public hands is the frightening image of terrorists using computer keyboards around the world to spill blood in the streets of America. Some of the more alarmist commentators have painted pictures of nuclear meltdowns, dams sweeping away towns, or chemical clouds billowing over cities. Others have warned about the danger of cyberattacks taking down the U.S. communications or financial systems. Such an attack has never taken place, and the truth is that no one knows how real this risk is. There has been much hype and exaggeration surrounding these scenarios. That certainly does not mean the possibility should be ignored 鈥 to the contrary, sensible policies should be enacted to prevent it, such as making sure dams and nuclear power plants are not connected to the internet. But there is simply no basis for declaring that such possibilities are an 鈥溾 to the nation, as a top FBI agent has asserted.

Closely intertwined with the discussion of cyberterrorism is talk of the (also hypothetical) scenario of 鈥渃yber warfare.鈥 Cyberwar is a poorly defined concept, many aspects of which are still being debated, including the circumstances under which an attack on our critical infrastructure might be considered an act of war. But insofar as the concept involves defending against critical infrastructure attacks using the public internet, the issues raised are not significantly different from those involved with 鈥渃yberterrorism.鈥

The political effects of conflating separate threats
I am far from the first person to point out the entirely different meanings that make up the term cybersecurity (see for example). But it鈥檚 important to recognize the political consequences of conflating these separate problems. By doing so, the security establishment and cybersecurity industry are able to cast cybersecurity as a problem that is both very real and extremely dangerous. But problems that are real 鈥 criminal and malicious online behavior 鈥 are not a threat to the nation, and problems that are a threat to the nation 鈥 鈥渃yberterrorism鈥 or 鈥渃yber warfare鈥 attacks that do significant physical damage鈥 remain hypothetical:

Fact?

Terrifying?

Everyday criminal malware

Yes

No

Cyber-terrorism or cyberwar

No

Yes

Blended 鈥渃ybersecurity鈥

= Yes

= Yes

Distributed denial-of-service () attacks, for example, are a genuine problem. At the same time, temporarily the Treasury Department鈥檚 web site with traffic hardly amounts to a critical threat to national security. Yet DDOS attacks, basic and unsophisticated as they may be, are frequently discussed in the grandest geopolitical national security terms, such as the alleged North Korean 2009 鈥溾 against the United States (which researchers later said actually appeared to have originated in Great Britain, or possibly ), or the over-hyped 2007 鈥溾 against the nation of Estonia.

We can鈥檛 have a rational debate or strike an appropriate balance of interests when everyday cybersecurity issues are blurred together with national security matters in this way, leading to hype and exaggeration and investing the issue with more weight and grandeur than it seems to merit.

We鈥檒l be posting about cybersecurity all week.

Learn More 老澳门开奖结果 the Issues on This Page