Sanity About Security: Kicking Off a Series

I hate negativity! Therefore, as a counterweight to chronicles of "security theater" nuttiness on this site and from Jeffrey Goldberg in the magazine and online, let's kick off a little hall-of-fame feature. It's time to honor people who manage to talk about real threats the nation faces, and ways to cope with them, without succumbing to threat-inflation, chicken-little-ism, fear-mongering, budget-boosting, and the general, cowering, "be very afraid" mentality summed up by the robotic reminders that the "current Threat Level is Orange."

To start, a retrospective award for recent efforts to counter the idea that the United States is involved in a "cyberwar." James Lewis, of the Center for Strategic and International Studies, is one of the nation's real experts on all the bad things that can happen when governments, criminals, corporations, and other ominous-sounding groups misuse electronic information. I quoted him several times in my article on cyber-threats early this year. But as he pointed out in his speech last month in China, the idea that this constitutes electronic warfare between countries is intellectually lazy and politically and economically dangerous.

It's lazy, because it confuses the theoretical capacity to do harm from actually inflicting harm. It's like saying: I'm carrying a pack of matches, so therefore I am actually an arsonist. (Now, the TSA might think that way, but...) It is dangerous not just because it hypes mutual suspicions but also because distracts attention from the real, ongoing source of cyber-menace: the unglamorous but serious reality of corporation-vs-corporation espionage and "normal" criminal fraud.

Lewis has made this point before, but in a recent speech to the China Institutes of Contemporary International Relations (PDF here), he laid it out:

Powerful misperceptions on both sides [US and China] shape these decisions but there is one misperception we can clear away immediately. We are not in a cyber war.

War is the use of force to achieve political ends. It involves using force to attack, damage or destroy an opponent's capability and will to resist. A cyber attack would damage data and perhaps physical infrastructure, create uncertainty in the mind of an opposing commander, and be used for political effect....

Advanced militaries also have missiles and aircraft and plans to use them, but they will not use these weapons outside of a larger armed conflict. No one would launch a missile or an aircraft at the United States on a whim or as a test, as this would invite a devastating response.... [Similarly] outside of a larger armed conflict, cyber war is unlikely.

That is: if the US and China are already shooting at each other, they might try to bring down the other's cyber networks too. Otherwise, "cyber war" just is not plausible. Naturally Lewis's argument is more nuanced than the way I'm summarizing it, and it concludes with an assessment of the things we should be worrying about more than we do. But if you read it you'll find yourself cringing the next time someone refers to the harsh new reality of "cyber war." Which is a start.