Reliable Security Information

Same Old Story: Improve Cybersecurity

"President Obama announced a sweeping new initiative to beef up the nation's defenses against attacks on the nation's increasingly important computer networks, including a plan to put a cyber-security chief in the White House," reported USA Today, along with many others.

"Cyber-space is real and so are the risks that come with it," President Obama told the nation.

It was familiar.

Over the past decade, a great many US government officials have uttered similarly pleasing sounds. Obama administration officials and advisors are no different. For an earful and eyeful from the current line-up, view the White House's entirely unremarkable video on the subject.

"The national dialogue on cybersecurity must begin today," states the Obama administration's recent cyberspace policy review.

"People cannot value security without first understanding how much is at risk. Therefore the Federal government should initiate a national public awareness and education campaign informed by previous successful campaigns."

These statements sound good, but only superficially. In fact, they tend to insult the intelligence of anyone who has followed US government campaigns to educate the public about risks from cyberspace over the past eight years.

Fundamentally, the US government's 'education' on the issue has always boiled down to employing a small army of officials, as well as experts from the private sector, to convey dire messages: The country is so dependent on the networks, it can be turned off like a switch by a variety of enemies who choose to attack through cyberspace. The enemies can be nations we don't like, teenagers, disgruntled insiders, organized crime, or just crazy people.

The famous meme on turning the country off like a floor lamp was originally called "electronic Pearl Harbor," later modified to "digital Pearl Harbor." An authoritative collection of government outreach educational statements on the threat from cyberspace in the press, collected from 1994-2000, can be read here.

A more recent sighting of government officials educating the public, often anonymously, on the dangers of not defending the nation's infrastructure in cyberspace is here -- this time on cyberspies from China said to be installing software boobytraps within important systems. And a critical summary of ten common red-herrings used to 'educate' the public on the issue over the past few years is here in "10 easy steps to writing the scariest cyberwarfare article ever."

"I've written on computer security hysteria for twenty years and I can tell you this: The U.S. federal bureaucracy has never produced a good economic figure for computer security damages," wrote one of this author's colleagues, Rob Rosenberger, on his Vmyths computer security and opinion site, in February. "It's all about hype, not accuracy."

Rosenberger was addressing the claims of various government officials on the scope of damage the country was thought to be suffering from cyberattacks. He was comparing the statements from Dennis Blair, the Director of National Intelligence, on the threat of cybercrime earlier this year, with those of Richard Clarke, the country's cybersecurity czar in 2002.

"Okay, so now along comes Barack Obama with his 'open' government," continued Rosenberger. "[Dennis Blair] all but admits the entire U.S. intelligence community lacks data concerning one of the five most important threats America now faces ... [it] can do nothing more than quote wild dollar values spouted by two companies -- one of them not even involved in economic assessments."

The problem is not that there hasn't been a conversation with the American public on cybersecurity or that not enough attention has been furnished. There has. And it's been entirely monochromatic, larded with unpleasant scenarios, claims and frightful rumors meant to incite action, in alliance with experts chosen from companies in the private sector which always stand to gain richly from further spending on cybersecurity. Danger, danger! We're losing billions of dollars a year! China or some other nation will turn off the water and power!

Empirically, this manner of nonsense -- which has been shoveled for years -- has been a turn-off, the exact opposite of what the Obama administration wants. Many people, when confronted with stories about lurking cyber disasters, ignore them. They already have too much experience with removing, or getting someone else to remove, spyware and viruses from their home computer. And while they are probably aware that malicious knocks on the firewall running on their broadband-connected PCs occur every few minutes, they are somewhat less concerned about menaces said to be endangering the day-to-day economic health and safety of the nation.

So when Barack Obama reverts to citing dollar figures on losses due to cyberspace incursions, these repeat a general practice of fudging. And when he stated today that in other countries, "cyberattacks have plunged entire cities into darkness," he is repeating unconfirmed rumors.

It is not the best start.

Update, 4:00 pm PST: Thinking alike on rumint/urban legend.

Follow-up at Popular Science: An urban legend about blackouts is not a data point just because it's in a policy review.
