We've been pointing out for years
that all the talk about "cyberattacks" and "cybersecurity" appear to be FUD, mostly designed to scare up money
for "defense" contractors looking for a new digital angle. And yet, we keep seeing fear-mongering report after fear mongering report insisting that we're facing imminent threats
of such a dire nature that multiple people keep referring to this ridiculous concept of the "cyber Pearl Harbor"
which is going to happen any day now
if we don't pass vaguely worded bills that will surely ramp up huge contracts
. And yet, every time we'd hear these cinematic scare stories, we'd point out that no one
has yet died from a "cyber attack" and ask: where was the actual evidence of real harm?
Yes, we've seen hack attacks that are disruptive or really about espionage. But that "big threat" coming down to get us all? There's been nothing to support it.
And perhaps that's because it doesn't exist. Amazingly, the Director of National Intelligence, James Clapper, actually admitted in a Senate hearing that there's little risk
of any "cyber Pearl Harbor" in the foreseeable future:
“We judge that there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage,” Clapper said in his statement to the committee. “The level of technical expertise and operational sophistication required for such an attack — including the ability to create physical damage or overcome mitigation factors like manual overrides — will be out of reach for most actors during this time frame. Advanced cyber actors — such as Russia and China — are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.”
He later admitted that some others -- who weren't as knowledgeable -- might be able to sneak in some attacks here or there, but that the impact would likely be minimal:
“These less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years, although their ability to leverage that access to cause high-impact, systemic disruptions will probably be limited. At the same time, there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes, or that vulnerability at one node might spill over and contaminate other parts of a networked system,” he said.
Of course, at the very same hearing, the NSA's General Keith Alexander kept up the propaganda about threats. Alexander has been among those who have been spreading FUD
about the "threats" -- including ridiculous claims about Anonymous shutting down the power grid -- so sticking to that line is hardly much of a surprise. This time around he focused on an increasing rate of attacks on Wall Street banks
He also pulled out the old "the Chinese are stealing our business secrets!" claim. That always sounds good for Congress, but it is unclear how much real impact it has had.
But the Cyber Command chief stressed that the U.S. needs to clamp down on this intellectual property theft, warning it will ultimately "hurt our nation significantly."
"For the nation as a whole, this is our future. This intellectual property, from an economic perspective, represents future wealth and we're losing that," Alexander said.
It doesn't appear he has any real basis for saying that. There are all sorts of ways to compete and to innovate, and falling back on relying intellectual property laws may be the least useful and least efficient manner for doing so.
It would be nice if we could stop all the blatant fear mongering and focus on any actual
problems, such as highlighting what important information isn't being shared today, since we keep getting told that it's our lack of information sharing that will lead to a cyber pearl harbor. Now that we know the threat isn't imminent, can we sit back and look at the actual evidence, understand what the real
problem is, and see if there's a way to solve it that doesn't involve giving up everyone's privacy rights?