How Congress fear mongers cybersecurity
Fear mongering about cybersecurity is common, and pernicious. It puts pressure on policymakers to take measures more drastic than necessary--which under the mindset of the current Congress often means an attempt to militarize the Internet.
By "militarize," I mean placing agencies such as the National Security Agency in a position of monitoring the Internet for instances of malicious code--and in the process, having too-broad access to all types of communications, whether containing a virus or not. House passage of the Cyber Intelligence Sharing and Protection Act is a prime example.
But attempts at militarization occur not just because of the way our current set of lawmakers think. Fear mongering and militarization go hand in hand because a fair portion of the fear mongering is conducted according to a military frame of reference. Cries of "Cyber War!" carry pretty loudly.
But let's look at the most recent example of cyber fear mongering in action to get a better idea about why it is indeed false. I refer to that font of reasons to be fearful, the House Homeland Security Committee, which held a joint hearing of two subcommittees on April 26 regarding the cyber threat from Iran.
To kick things off, Rep. Patrick Meehan (R-Pa.), chairman of the counterterrorism and intelligence subcommittee, stated that Iran is dangerous because its government 1) kills innocent civilians outside of its country, 2) kills innocent civilians inside its country, and 3) calls for the destruction of Israel.
All three charges are good explanations for why the government of Iran is an international pariah. But in the context of cyber attacks, so what? The Iranian government is evil, therefore ipso facto it has a sophisticated cyber attack operation? Both conditions can exist independently, you know.
But okay, Meehan goes on to say that Iran has reportedly invested "over $1 billion in developing their cyber capabilities." Whoa! A billion bucks! That's…one thirteenth of what federal agencies spent on unclassified cybersecurity efforts last fiscal year. Federal networks, of course, aren't impervious to attack even for the ginormous amount of money thrown at securing them--and it's true that cyber operations favor offense over defense--but still, a ratio of 13:1 suggests a slight disparity in resources at hand.
Well, maybe Meehan was implying that the Iranians aren't attacking federal networks, but other targets with lower levels of annual spending. Typical examples along these lines include industrial control systems, or heartland hospitals, or the traffic light system, etc.
But assuming Iranian cyber operators get as far as doing serious damage to a regional electrical grid, how long does Meehan suppose it would be before we start bombing Tehran? Though it was probably implicit (or maybe even clandestinely explicit) long before last year, in May 2011 the White House openly announced the United States may respond militarily to a cyber attack.
Pinpointing the source of an attack--the problem of attribution--can be an inexact business, of course, but neither would such an attack occur in a vacuum. Besides computer forensic evidence there would be other means for identifying the perpetrator, especially if connected to a nation-state such as Iran. And this makes a government-sponsored attack unlikely, since even evil governments are usually rational when it comes to self-preservation.
In short, throughout the hearing Meehan and others relied on emotional language and ignorance of additional facts and context in order to fear monger about cyber threats. Cybersecurity is a real and serious problem and the status quo is not acceptable over the long term. But in creating false fears, Meehan and others miss out on solving actual problems in favor of imaginary ones. Let's hope President Obama was serious when he said he would veto CISPA. - Dave