About cyber-fragility and the "pre-9/11" moment

In my "Cyber Warriors" article in the current issue, I mention that a variety of internet-security experts contend that we are living in a "pre-9/11 era" on this subject. By this they mean not that thousands of people will be killed and everything about U.S. politics and policy will be thrown up for grabs. Rather, the image is meant to suggest that policy and public awareness will be divided into "before" and "after" phases. And "after" this happens -- whatever "this" turns out to be in the cyber-destruction field -- people will ask why we weren't more vigilant ahead of time. A story just now in the Washington Post uses just the same imagery, talking about an exercise yesterday that was "staged... to demonstrate to a complacent public the plausibility of an attack that could in many ways be as crippling as the Sept. 11, 2001, terrorist strikes."*

From Gary Chapman, of the LBJ School at UT Austin, who has been writing about the internet aspects of national security since the 1990s, an objection to mis- and over-use of the "pre-9/11" imagery. Later on, I'll post a contrary view, from another tech veteran who thinks that the warnings are perfectly appropriate. Chapman writes:

"Concerns about cybersecurity and the potential for a national "catastrophe" initiated by hackers -- whatever their motivations or backing -- are reasonable; until people start using analogies to 9/11 or begin talking about a looming "digital Pearl Harbor." Admiral Mike McConnell [former NSA director, whom I quote several times in my article] has been raising such alarms, but count me as a skeptic. It is difficult to imagine the loss of any computer-dependent system comparing to the spectacle of 9/11, its implications for security for ordinary Americans, or the emotional impact of that event, particularly over the horrifying deaths that millions of people watched on television. Likewise, the significance of Pearl Harbor, which launched the country into the biggest war of all time, is not likely to be matched by a computer-related failure, even one that dramatically damages the global financial system. We should use the analogies to 9/11 and Pearl Harbor sparingly, if at all, and not for a possible failure of computer networks or digital transactions. Terrorists using weapons of mass destruction might qualify, but not computer hackers.

"Admiral McConnell believes that nothing will motivate Americans to take cybersecurity seriously until a disaster happens, which is probably true. But unlike 9/11 or Pearl Harbor, Americans are likely to blame the managers of institutions that are the targets of hackers, not the hackers or their sponsors, who will in any case be obscure or difficult to identify. McConnell apparently believes that the cybersecurity of big banks is a matter of national security, but it would be hard to imagine an industry with lower esteem in the eyes of the public these days, and therefore one that is highly unlikely to "come clean" about their vulnerabilities to hackers. The public, in its current sour mood about large institutions in the U.S., would probably support the *dismantling* of a system that makes the U.S. vulnerable to computer threats rather than more government spending to secure the Wall Street firms that precipitated the financial crisis and the recession."

In similar vein, a tech-policy veteran who asks not to be named writes:

"The loose talk about "digital Pearl Harbor" and "equivalent to 9/11" is regrettable, in my opinion. We should learn how to calibrate cyberthreats, which are serious but not in the same league. Something bad happening to PayPal or even CitiBank is not the same as planes bombing Hawaii or crashing into the World Trade Center, I'm sorry. We should resist these kinds of analogies."

By instinct and experience I am skeptical of "threat-inflation" sloganeering, whether about the cyber or the "real" world. (No doubt this point is at top-of-mind right now because I am sitting in an airport lobby where every five minutes the PA system delivers the news that "the current threat advisory as established by the Department of Homeland Security is 'Orange'." Tell me, please oh Lord, who on Earth is made safer or more secure, or which evil-doer anywhere is more hindered, by repetitive broadcast of this moronic boilerplate? What does the "current" level mean, if it never changes?** Why is it the same in Washington DC, which someone might want to blow up, and rural Mississippi, which is probably under less imminent threat? What am I supposed to do or think because it's "orange"? Is there any conceivable reason this system is still in place -- other than the fact that no political official dares take the risk of recommending that it be lowered? But I digress.)

Back to cyber-security: I think the 9/11 comparison is useful strictly in the terms mentioned above: That if there is some large disruption, the whole issue will be discussed in an entirely different way, and policies will change, in both positive and panicky overkill directions. Acting calmly right now would be preferable ... but so would a lot of other things that we are not going to do.

Next up: a reader's argument that 9/11 allusions are indeed realistic when it comes to the potential damage done by cyber-threats.

* Update: I see that the Atlantic Wire is on this theme too. Escher-drawing style, it includes a reference to my own Atlantic article on the topic.

** To be fair, it has only been at its steady "Orange" level for the past four and a half years, since the summer of 2005. So it's not that it "never" changes; it just hardly ever changes -- as wars begin and end, regimes rise and fall, world politics changes, terrorists are arrested or set free, etc.