This is a guest post by Brandon Valeriano and Ryan Maness.
Cyberwar is a pressing international security problem. The news media breathlessly covers any potential attack before the facts are in. Policy briefs and reports are produced on all levels of government and private industry. It would then behoove us to take a step back and examine opinions about the cyber security threat according to perceptions among policymakers, academics, and cyber security experts in order to understand how the threat emanating from the cyber security realm is constructed in the public discourse. Each constituency has its own view on the issue and how these views manifest is critical to perceptions about the wider societal threat coming from cyberspace.
According to Allison’s bureaucratic model of politics, where you sit in government determines where you stand or what opinions you have. Through surveys we can see that process play out. It is in the interest of cyber security experts to inflate the cyber threat. It is also in the interests of the news media to breathlessly hype up cyber fears to gain more page views. The threat of cyberwar is a real and pressing threat, but constrained by institutions and systems that limit the damage the tactic can do. Just how serious this threat is perceived can be predicted by one’s institutional setting and standard operating procedures.
On January 30, 2012, technological experts from around the globe were surveyed by McAfee and the Security and Defense Agenda (SDA) about the issue of cyberwar. Fifty-seven percent of these practitioners believe that states are currently engaged in a cyber “arms race.” It is unclear what a cyber arms race really is in this context (the raw data from the survey is not online) but the general idea is that capabilities and the threat from this issue area are increasing at all levels. Other findings in the survey are just as troubling and mystifying. Forty-three percent believe the worst case scenario, damage and disruption to a state’s critical infrastructure is also the most likely. A further forty five percent believe that cyber-security is just as pressing an issue as border security. Apparently, the great powers such as the US, UK, and Germany are lacking in their “cyber-readiness” when compared to smaller states such as Israel and Sweden mainly because they fail to share information internally rather than having any specific deterrent capabilities, at least according to the McAfee report.
With these opinions in mind, the SDA asked respondents which actions should be taken to curb this newest threat to international security. Opinions on the next course of action are just as troubling as the survey results. Apparently, a “global information sharing network should be established by states.” This is an odd perspective in that cyber threats are not uniform across states and centralizing the network could put states in a more vulnerable position. The next idea is to provide “financial incentives for improvements in security in both the private and public sectors.” An interesting proposal advocating bribery to improve networks much in the same way a parent bribes a child to do their homework. Finally, “diplomats need to start addressing this issue with more urgency,” with the help of cyber security experts (the subjects of the survey) of course. I would guess the next step is for a color coded cyber terror warning indicator (I suggest the highest threat be the color of Mountain Dew in order to honor the true cyber warriors – teenage hackers and computer programmers).
Why would the majority of cyber security practitioners argue for such expensive, expansive, and urgent measures when the biggest attack, arguably Stuxnet, required a physical injection of software to take effect? Clearly there is an interest to promote this threat in the cyber security community.
In contrast, the TRIP survey asked a sample of academics from U.S. universities “What are the top foreign policy problems facing the United States?” They were pitted against practitioners within the U.S. government who work within the national security apparatus (PDF). Academics deemed cybersecurity the least pressing foreign policy problem with only eight percent suggesting it is a top problem. This falls right behind the fear of oil reliance (12%) and global poverty (12%). Policymakers rank cybersecurity nearly as low as academics with 17 percent finding this a top foreign policy problem right above the issue of climate change (eight percent), global poverty (three percent), and oil reliance (four percent).
Academics find cybersecurity one of the least pressing threats in the system and policymakers tend to agree generally. So why is cybersecurity such a pressing issue according to the news media and cyber security practitioners? One might argue that cyber security practitioners know the reality better than academics and policymakers; suggesting their warnings about the coming cyber threat is just a harbinger to the future. Using the bureaucratic politics model, others might conclude that the cyber security industry is a biased party whose interests lie in promoting the cyber threat. The news media just parrots these perspectives because the quotes come easy and the news stories prey on the fear the average citizen holds towards technology. The danger in declaring cyberwar a ‘top threat’ comes from distracting our attention from more pressing problems like collapsing states, human rights abuses, the proliferation of terrorism and WMDs, and internal violence in the form of civil war. Cyberwar is a dangerous issue in contemporary security politics, but it is nowhere near the top threat facing the United States.