Evgeny Morozov piece in the weekend WSJ a bit back, and recent Bloomberg BusinessWeek story on Richard Clarke's latest tome. Morozov rails against the "cyber warmongers," in whose ranks one must definitely include Clarke, for reasoning both valid and hyperbolic.
I like Morozov in general: he is snarky in a good way, solid in his reasoning, and he likes to poke holes in the usual conventional wisdom. Here, let's say, Morozov is less than impressed with the usual "wargames" that prove, as they are designed to, that the US is COMPLETELY naked and unprepared for an electronic Pearl Harbor.
It's one of those inescapable predictions that must inevitably someday be right--right? The question is, How bad will it be? Will it constitute a whole new monster or just another degree of failure/collapse that's marginally bigger than the usual stuff we inflict upon ourselves with great regularity due to accidents, poor practices and bad design?
Morozov targets Clarke right off, who claims in his new book that "the cyberwar has already begun." That's a prediction you have to love, because no matter what happens, the man has got to be proven right by events, because, what the hell! By his logic, there's no such thing as a cyberpeace. So McConnell (former NSA head) says we'll automatically lose any cyberwar that happens (Really? Then who automatically wins? Oh, THEY do, of course.) and Panetta (CIA) goes bravely on the record to say that the next Pearl Harbor will be a cyber Pearl Harbor (of course it will, because we said so and we get to determine these things in advance--just like 9/11!).
Morozov says spending on cybersecurity is higher than ever ($55B between now and 2015), but so is our angst. He wonders out loud if the biggest scare-mongers on the subject tend to benefit from it, by selling books, and winning cybersecurity contracts from the USG (like McConnell's new employer, Booz Allen, or Clarke's new firm, Good Harbor Consulting).
This is why I don't make enough money consulting, let me tell you. I really need to focus on scaring people more.
Clarke defends his record by saying that the U.S. has created a very large and very expensive cybersecurity command, so that proves it's a huge problem that the government is trying to take seriously. Both his firm and Booz deny any connections between what their poster boys say and what the company earns, but you know the visibility and the connections and the message and the product all go together.
As Morozov says, we don't want "to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors."
Best-bit award goes to Obama's current cybersec czar, Howard Schmidt, who said that "there is no cyberwar," and that the term is "a terrible metaphor" and a "terrible concept." I think he's right, but I think those can easily become words to regret.
The web, Morozov points out, is a wild place still--a real frontier with few lawmen. We've democratized the connectivity and so too the criminality and malicious behavior--big surprise.
Here's where Morozov gets to the logic I usually employ in Q&A when I get this question: "Why don't you emphasize cyberwar more in your brief?":
Why have such tactics—known in military parlance as "computer network attacks"—not been used more widely? As revolutionary as it is, the Internet does not make centuries-old laws of war obsolete or irrelevant. Military conventions, for example, require that attacks distinguish between civilian and military targets. In decentralized and interconnected cyberspace, this requirement is not so easy to satisfy: A cyberattack on a cellphone tower used by the adversary may affect civilian targets along with military ones. When in 2008 the U.S. military decided to dismantle a Saudi Internet forum—initially set up by the CIA to glean intelligence but increasingly used by the jihadists to plan on attacks in Iraq—it inadvertently caused disruption to more than 300 servers in Saudi Arabia, Germany and Texas. A weapon of surgical precision the Internet certainly isn't, and damage to civilians is hard to avoid. Military commanders do not want to be tried for war crimes, even if those crimes are committed online.
I also tend to add: even if you, the weaker guy, shut down my nets for a bit and get some surprise attack accomplished, at the end of the day, I will still be there with my superior conventional military force, and I am likely to be able to make clear my unhappiness regarding whatever trick you just pulled. Fait accompli or no, you will now have me as a more committed enemy, and when I decide to strike back, the cybertricks won't be enough to protect you.
So Morozov says, quite sensibly: "We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism."
Why? Perfect security would come with huge social, political and economic costs--all of which, I would add, would eventually translate to military weakness.
Best point: "Recasting basic government problems in terms of a global cyber struggle won't make us any more secure."
So no, Mr. President, please don't turn cyberattacks into "weapons of mass disruption" because you'll be "diverting national attention from more burning problems while promoting extremely costly solutions."
Better to focus on promoting Internet freedom, Morozov says. He has a book coming out on the Internet and democracy, so he's hawking too, but in a non-hypeish way I instinctively admire.
And yet, Clarke's four big fixes aren't so bad either:
Pretty decent, actually.
My take remains the same: nets always race ahead of security, and since we're still--despite the Great Global Recession!--in a period of globalization's stunningly rapid expansion (what else do you call Asian investment everywhere across the Gap while the West's money pours into Asia?), it'll be that way for a long time to come. So, expect a lot of cyber stuff to happen. Get used to it. It'll be a natural part of our world.
But yeah, we'll get smarter and more resilient over time. Just because the criminals and baddies are able to exploit these new techs and nets faster and better than the rest of us right now doesn't signal their supremacy for all time--nor their omnipotence now. Frontiers get settled, rules catch up, life goes on.
So cybersecurity is real and important and we need to spend on it. It just ain't the sum total of our existence or even of the fights and conflicts that define our age. It's like the Web, part of damn near everything but hardly the hard core of anything--except pornography.