How Worried Should We Be About the Cyber-Threat?

In the past few weeks, there has been a spate of news stories that highlight wide-spread concerns that the United States is vulnerable to cyber-attack, cyber-espionage and id theft. For example, over the weekend, there was an article in the Christian Science Monitor about an on-going “spear phishing” campaign aimed against companies operating in the natural gas pipeline sector. The attack apparently began last December with a number of natural gas pipeline organizations reporting “either attempts or intrusions related to this campaign.”

That was preceded by an article in the New York Times that reported on an assessment of the U.S. ability to respond to man-man or natural disasters. The National Preparedness Report, performed under the auspices of the Federal Emergency Management Agency (FEMA), reported that, in general, the U.S. was fairly well-prepared for dealing with the effects of epidemics, natural disasters and even terrorist attacks, but not adequately prepared for dealing with a cyber-attack. The report states that:

“The Nation is highly reliant upon interdependent cyber systems, yet stakeholders have an incomplete understanding of cyber risk and inconsistent public and private participation in cybersecurity partnerships. Trends also point to cyber criminals’ continued focus on stealing customer records, including personally identifiable information, payment card data, email addresses, and other customer data.”

The report states that only 42% of state and local officials feel that they were adequately prepared for a cyber-attack, and that, “Cybersecurity was the single core capability where states had made the least amount of overall progress.”

In addition, there was an editorial in the Wall Street Journal by Martin Feldstein, chairman of the Council of Economic Advisers under President Ronald Reagan, in which he states:

“The United States is vulnerable to cyber-attacks by unfriendly nations and nonstate actors. Attacks through the Internet are now stealing billions of dollars of intellectual property from American businesses. Internet attacks can also bring down such critical infrastructure as the electricity supply, the air traffic system and the stock market. Congress can and should act to protect us from this widespread and increasing danger.”

Feldstein called on Congress to provide funding, say by diverting money from the US Defense Department budget, to help U.S.  infrastructure companies meet a mandatory level of cyber-security. He also states that, “Protecting the nation from cyber-attacks that steal technology and that can disrupt our daily lives should be at the top of the government's agenda.”

But not everyone is convinced that the cyber threats are as severe as being depicted.

Jerry Brito, a senior research fellow at the Mercatus Center at George Mason University and who directs its Technology Policy Program has voiced his doubts about the credibility of the threats posed by cyber-attack for some time, especially in regard to cyber-attacks against U.S. infrastructure systems. In a recently released video interview, Brito again challenges what he earlier this year called the “New Yellowcake” of the cybersecurity threat.

Brito says in a paper [PDF]  that:

“Cybersecurity is undoubtedly an important policy issue. But with a dearth of information regarding the true nature of the threat, it is quite difficult to determine whether certain government policies are warranted—or if this merely represents the latest iteration of threat inflation benefiting private and parochial political interests.”

In other words, how much of the cyber threat is being built up by companies and government officials to justify spending lots of money (and build a bureaucracy) to defend against it? For instance, an article in Government Executive last month reported that billions of dollars have been spent on improving the cybersecurity of the U.S. power grid without making it much safer.

Last December, James Lyne, who is director of technology strategy at the security company Sophos, also complained about the over-hyping of the cyber-security threat (although Lyne believes that the cyber-threat against national infrastructure is a sufficiently credible one that needs to be taken seriously). In an editorial published by the BBC, Lyne wrote that:

“… cybersecurity is all about proportionality and accuracy as to what the real issues are. Without it remediation becomes all the more difficult, particularly if companies gravitate towards remediating hyped theory rather than the real issues, with somewhat limited budgets.”

In a similar vein last month, Microsoft security researchers Dinei Florêncio and Cormac Herley argued in a New York Times editorial that cybercrime loss statistics are unintentionally or not highly inflated, and that:

“Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.”

This is not to argue that there aren’t any cyber victims or that they don't suffer any material harm. However, by exaggerating the profitability of cybercrime which Florêncio and Herley claim is very low, one ends up with a situation where you “encourage hopeful, if misinformed, new entrants, who generate more harm for users than profit for themselves.”

So what is your take on these conflicting perspectives? Is the cyber threat being over-hyped or not? Or is that what it takes to get people to pay attention to it?