The U.S. government's response to cyberthreats against the nation's critical networks must be grounded in public evidence, not "alarmist rhetoric," or lawmakers run the risk of creating policy decisions based on evidence that may turn out to be baseless, according to research paper released this week.
The paper's authors -- Jerry Brito and Tate Watkins of the Mercatus Center at George Mason University in Arlington, Va. -- argued that the dangers of "threat inflation" may lead to decisions based on inaccuracies, similar to the choice to invade Iraq when the country actually was not housing weapons of mass destruction.
A similar decision in the cyberworld may result in the unnecessary regulation of private and public networks and the unjust spending of federal dollars on cybersecurity, a scenario that could resemble the military-industrial complex.
"When a threat is inflated, the marketplace of ideas on which a democracy relies to make sound judgments -- in particular, the media and popular debate -- can become overwhelmed by fallacious information," the authors wrote. "The result can be unwarranted public support for misguided policies."
Watkins, a research associate for Mercatus' Technology Policy Program, told SCMagazineUS.com on Friday that part of the problem is confusion around the differences between traditional cybercrime, cyberespionage and cyberwar. He said much of the evidence being used to highlight the risk of attacks against critical infrastructure components, such as the power grid or financial networks, are incidents such as distributed denial-of-service (DDoS) attacks or credit card theft.
"We need to disentangle all of those things and analyze who is best suited to prevent those attacks and mitigate those consequences," he said.
The authors cited a December 2008 report by the CSIS Commission on Cybersecurity for the 44th Presidency, but Brito and Watkins said it lacked evidence to support a claim that failing to defend cyberspace is "one of the most urgent national security problems facing the new administration."
The report's recommendations didn't offer concrete examples of why the nation's security is at risk but instead pointed to things such as DDoS attacks.
"...[The] probing and scanning networks are the digital equivalent of trying doorknobs to see if they are unlocked -- a maneuver available to even the most unsophisticated would-be hackers," the authors wrote. "The number of times a computer network is probed is not evidence of an attack or a breach, or even of a problem."
The authors also called on the media to do a better job of reporting on cyberthreats, asking journalists to challenge their government sources when they reference "doomsday" scenarios.
"That's very reminiscent of the Iraq War," Watkins said. "We'd like to see a little bit less credulous reporting."
The authors additionally warned of a growing "cyber-industrial complex," which reflects a growing, cozy relationship among members of Congress and the lobbyists of cybersecurity companies. The paper compares this concept to the military-industrial complex, a phrase that emerged at the onset of the Cold War during President Eisenhower's farewell address.
"There are serious real online threats, and security firms, government agencies, the military and private companies clearly must invest to protect against such threats," the paper states. "But as with the Cold War bomber and missile gap frenzies, we must be wary of parties with vested interests exaggerating threats, leading to unjustified and superfluous defense spending in the name of national security."
Marcus Sachs, a former White House official and a member of the CSIS Commission, said federal lawmakers often speak in terms of sky-is-falling scenarios because that they are tangible. But the reality is, threats of espionage and traditional crime are more pressing.
"There may be unintended consequences of being too vocal about warfare when in truth you're talking about espionage and crime," he told SCMagazineUS.com on Friday. "The big one would be other nations thinking that we are building a capability in cyberspace and then they go and do that themselves and then you get the arms race."
Watkins said the government must be more open if it intends to regulate networks and increase cyber defense spending.
"Citizens should trust but verify, and that will require declassification and a more candid, on-the-record discussion of the threat by government officials," according to the paper.