Containers Expo Blog Authors: Liz McMillan, Yeshim Deniz, Elizabeth White, Zakia Bouachraoui, Pat Romanski

Blog Feed Post

Of Cyber Doom, Dots, and Distractions


On October 11, Secretary of Defense Leon Panetta gave a speech on “Defending the Nation from Cyber Attack” to the Business Executives for National Security in New York City. On the whole, the speech was unremarkable. It repeated what have become the standard, policy-maker talking points about cyber threats. Recently, these have come to include the admonition that we should not fail to “connect the dots” in regard to potential cyber threats the way we failed to prevent the terrorist attacks of September 11, 2001. What the Secretary of Defense and others fail to realize is that focus on hypothetical, worst-case scenarios and exotic means of achieving them can distract us from actual dangers. Ironically, cyber-doom scenarios like the ones deployed by Secretary Panetta in his speech were just such a distraction in the months leading up to 9/11.

Secretary Panetta’s Speech

Secretary Panetta began his speech by noting that when most people think of cyber security, they think of theft of personal identity information, intellectual property, or government secrets. “Those threats,” he said, “are real and exist today” (p. 1).

But the majority of the Secretary’s speech was not focused on the threats that are “real and exist today.” Instead, he called for immediate precautionary measures to prevent the realization of a number of hypothetical, cyber-doom scenarios.

The scenarios he outlined are not new, but have been used since the 1990s to raise fear of prospective cyber threats and, as a result, motivate a response. These scenarios include cyber attacks that derail trains, contaminate the water supply, shut down the power grid, or disrupt military communications systems. These types of scenarios, he said, “could be as destructive as the terrorist attack of 9/11” and warned twice about the “paralysis” and “shock” that such attacks could cause to the nation (p. 2).

In addition to speaking about the steps that the Department of Defense is taking in the area of cyber security, he ended his speech with a call for Congress to pass comprehensive cyber security legislation. In the meantime, however, he noted that the Administration is considering issuing an executive order. “We have no choice,” he said, “because the threat we face is already here” (p. 5). This is despite the fact that he had already distinguished between the “already here” threats and the hypothetical scenarios that served as his call to action. It is also despite evidence that the cyber attack-induced, nation-spanning “shock” and “paralysis” of which he warns are unlikely.

Connecting the Cyber Dots

Secretary Panetta’s final call to action was not a hypothetical future scenario, but rather, an analogy to the terrorist attacks of 9/11. He said,

Before September 11, 2001 the warning signs were there. We weren’t organized. We weren’t ready. And we suffered terribly for that.We cannot let that happen again. This is a pre–9/11 moment. The attackers are plotting.Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them. We need Congress, and we need all of you, to help in that effort (p. 6).

One might explain this invocation of 9/11 by pointing to the setting of the Secretary’s speech: the U.S.S. Intrepid in New York City. But this is not the first time that a U.S. policy maker has used the failure to “connect the dots” prior to 9/11 as an analogy to our current state of preparedness to face cyber threats. In fact, this has become a staple analogy for those advocating for passage of the Cybersecurity Act of 2012. In his statement to a Senate Homeland Security and Governmental Affairs Committee hearing about cyber security in February 2012, Senator Jay Rockefeller said,

I think back to 2000 and 2001, when we saw signs of people moving in and out of our country, we saw dots appear to connect, and we knew something new and different and dangerous might be upon us. Our intelligence and national security leadership took these matters seriously – but not seriously enough.

Then it was too late. 9/11 happened.

Today, with a new set of warnings flashing before us, and a wide range of new challenges to our security and our safety, we again face a choice. Act now, and put in place safeguards to protect this country and our people. Or act later, when it is too late. I urge the Senate to act now.[1]

Similarly, in his floor statement introducting the Cybersecurity Act of 2012, Senator Joseph Lieberman warned,

The fact is our cyber defenses are not what they should be, but such as they are they are blinking red. Yet, again, I fear we will not be able to connect the dots to prevent a 9/11-type cyber attack on America before it happens. The aim of this bill is to make sure we don’t scramble here in Congress after such an attack to do what we can and should do today.[2]

Cyber-doom Prior to 9/11

In the decade between the first Gulf War and the terrorist attacks of 9/11, the U.S. defense community was gripped with what one scholar has called a “VUCA worldview,” that is, a belief that the world was newly volatile, uncertain, complex, and ambiguous, and therefore dangerous.[3]

This sentiment was expressed just months before the 9/11 attacks by then-Secretary of Defense Donald Rumsfeld. The Secretary told a group of military professionals attending Armed Forces Day at Andrews Air Force Base in May 2001 that “the challenges to freedom are unending” and that their “task is to defend your nation against the unknown, the uncertain, the unseen and the unexpected.” In addition to terrorism and proliferation of WMD and missiles, his list of potential threats included cyber-attacks.

Secretary Rumsfeld was not alone in identifying cyber threats as one of the most dangerous potential threats to emerge from the fog of a VUCA world. In March 2001, National Security Advisor Condoleezza Rice had also raised the alarm about potential cyber threats. Even President George W. Bush, in a June 2001 speech, identified “biological and informational warfare” as “the true threats of the 21st century.”

Rice and Rumsfeld cannot be entirely faulted for worrying about prospective cyber attacks. After all, cyber-doom scenarios had become quite popular in the 1990s. For example, in 1994, futurist and bestselling author, Alvin Toffler, told a reporter that

They [terrorists or rogue states] won’t need to blow up the World Trade Center. Instead, they’ll feed signals into computers from Libya or Tehran or Pyongyang and shut down the whole banking system if they want to. We know a former senior intelligence official who says, ‘Give me $1 million and 20 people and I will shut down America. I could close down all the automated teller machines, the Federal Reserve, Wall Street, and most hospital and business computer systems’.[4]

Similarly, members of Congress worried openly about the potential threat of cyber attack. In 1999, Rep. Curt Weldon asserted that cyber attacks could pose a greater threat than WMD. Some members of Congress were keen to make sure that the Bush Administration kept its eye on the ball with respect to cyber threats. Former Senator Bob Bennett said in April 2001,

One of the first things that happened after the Bush administration took office, is that Pat Roberts and I–Pat Roberts, senator from Kansas, who’s on the Armed Services Committee and has the responsibility for that committee. He and I contacted Condoleezza Rice and asked her to come to the Hill to talk to us, we thought, to let us alert her and kind of indoctrinate her in the size of the threat and the problem.

Hypothetical Distractions

We now know that while policy-makers worried publicly about the threat of cyber attacks, indications of a physical attack by al-Qa’ida were being missed. In retrospect, Marcus Sachs, a staff member of the President’s Critical Infrastructure Protection Board during the Bush administration, said,

‘Based on what we knew at the time, the most likely scenario was an attack from cyberspace, not airliners slamming into buildings’ […] Sachs acknowledges that, in hindsight, the effort was misdirected. ‘We had spent a lot of time preparing for a cyber attack, not a physical attack’, says Sachs. ‘Our priorities had to change a little bit’.

Cyber doom scenarios were, of course, not the only distraction prior to 9/11. But if we ask ourselves what policy makers were doing when they weren’t “connecting the dots” prior to 9/11, worrying about cyber doom is certainly among the answers. More importantly, cyber-doom scenarios were and are symptomatic of a tendency towards precautionary thinking that focuses on the possible (or merely imaginable) at the expense of the probable or already occurring.

If the distraction that such thinking caused prior to 9/11 was not enough of a warning about the inherent dangers of this mindset, then the invasion of Iraq should also serve that purpose. Much of the rhetoric from Bush Administration officials in the lead-up to the invasion was reflective of the idea that the world is full of threats that are unseen and unknown, perhaps even unknowable. In 2002, after his now infamous statement about “unknown unknowns,” when pressed to provide evidence that Iraq was in fact supplying WMD to terrorists, Secretary Rumsfeld answered simply by saying, “the absence of evidence is not evidence of absence.” When the reporter pressed, saying, “But we just want to know, are you aware of any evidence? Because that would increase our level of belief from faith to something that would be based on evidence,” Rumsfeld glibly responded, “I am aware of a lot of evidence involving Iraq on a lot of subjects.” He then called an end to the press conference.

What we learned from the Iraq case is that the fear of the unknown and unseen, which manifests itself in visions of impending doom, can come to drive policy, even in the absence of evidence of these visions’ possibility or probability. This kind of thinking can even result in a lack of evidence being held up as evidence. Any demand for more evidence comes to be seen as dangerous, a waste of time while the clock counts down to possible doom. As President Bush warned in October 2002, “we cannot wait for the final proof, the smoking gun could come in the form of a mushroom cloud.” Preventive action based in ignorance, therefore, becomes the preferred approach to policy.

The second Iraq war is but the most recent example of the dangers of letting a fear-based precautionary logic drive policy. Cyber security may just be the next example. James Lewis, writing in Foreign Policy, says that Secretary Panetta’s speech indicates that the Department of Defense is effectively taking over U.S. cyber security, a development that can only make sense if we have been focused on fantastical visions of cyber doom rather than the threats that are “real and exist today.” The only other possibility is that, as a nation, we really do want the military in charge of protecting our personal identities and guarding against illegal downloading of music and movies.

  2. CONGRESSIONAL RECORD, SENATE, Vol. 158, No. 24, 14 February 2012.  ↩
  3. Judith Stiehm (2002) The U.S. Army War College: Military Education in a Democracy (Philadelphia: Temple University Press).  ↩
  4. Thomas Elias, ‘Toffler: Computer Attacks Wave of Future’, South Bend Tribune (Indiana) (2 January 1994).  ↩

Read the original blog entry...

More Stories By Bob Gourley

Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com

IoT & Smart Cities Stories
Moroccanoil®, the global leader in oil-infused beauty, is thrilled to announce the NEW Moroccanoil Color Depositing Masks, a collection of dual-benefit hair masks that deposit pure pigments while providing the treatment benefits of a deep conditioning mask. The collection consists of seven curated shades for commitment-free, beautifully-colored hair that looks and feels healthy.
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
The textured-hair category is inarguably the hottest in the haircare space today. This has been driven by the proliferation of founder brands started by curly and coily consumers and savvy consumers who increasingly want products specifically for their texture type. This trend is underscored by the latest insights from NaturallyCurly's 2018 TextureTrends report, released today. According to the 2018 TextureTrends Report, more than 80 percent of women with curly and coily hair say they purcha...
We all love the many benefits of natural plant oils, used as a deap treatment before shampooing, at home or at the beach, but is there an all-in-one solution for everyday intensive nutrition and modern styling?I am passionate about the benefits of natural extracts with tried-and-tested results, which I have used to develop my own brand (lemon for its acid ph, wheat germ for its fortifying action…). I wanted a product which combined caring and styling effects, and which could be used after shampo...
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.