Cyber Threat Projection and the Insider Threat: Stuxnet Edition

June 2, 2012
Cyber Security
No Comment

[This post by CTOVision contributor Sean Lawson was also published at]

Experts who theorize about cyber conflict talk about the ability to “project” power in and through cyberspace. They also warn of the danger from the “insider threat,” a trusted individual with access to sensitive systems or information who either deliberately or accidentally compromises them. Yesterday’s revelations by the New York Times, which seem to lay to rest any remaining doubt about U.S. involvement in the Stuxnet cyber attack on Iranian nuclear facilities, suggest that “projection” and “insider threat” should take on new meaning in the context of cyber conflict.

In psychology, “projection” is the practice of seeing in others the thoughts, desires, feelings, beliefs, or actions that you yourself harbor but do not wish to acknowledge.

For years, the U.S. has been playing the cyber victim. We have been told repeatedly that others are developing cyber weapons to use against us and that they are stealing our secrets and getting an unfair advantage. When making these claims, one cyber attack incident more than any other has served to “prove” just how dangerous the threat is to the United States: Stuxnet.

In fact, other than Stuxnet there have been few if any instances of cyber attacks that caused physical damage. There have been no cyber attacks that come close to the kinds of doom scenarios that cyberwar proponents often use as a call to action. Thus, skeptics have raised the question: Why all the concern with something for which there is so little evidence?

Now we know that this is a case in which the U.S. doth protest too much! How do cyberwar proponents know that this is a real threat? They know because their warnings are a projection of their own thoughts and desires, as well as U.S. cyber capabilities and covert actions.

That the U.S. was behind Stuxnet is not a surprise. There have been good indicators of that for some time. The pattern of projection that we see in cyberwar proponents’ use of Stuxnet as evidence of an external threat to U.S. cybersecurity is also not new.

As I have argued previously, a key assertion by cyberwar proponents is that cyber bad guys, especially China, are eroding our economic competitiveness and even killing American jobs by using cyber attacks to steal our intellectual property. But there is plenty of evidence that the primary cause of our economic woes is not others stealing our secrets. It is our own lack of investment in education, research and development.

The same is true for failures of critical infrastructure, which are failing from lack of investment in repair, maintenance, and modernization, not as a result of malicious cyber attack by pesky outsiders.

The same is true of the 2008 financial crisis. Cyberwar proponents warn of hypothetical cyber attacks that could cripple the financial system. Do they mean attacks that will cost the U.S. government almost $8 trillion dollars, freeze credit markets, and leave many people without homes? Indeed, that would be bad! But we do not need to wait for a cyber attack. Plain old greed and lack of oversight led to these very results in 2008.

Now we see that the cyber threat is also a projection. Cyberwar proponents held up Stuxnet as proof of the danger we face. After all, as Gen. Michael Hayden as said, with Stuxnet “Someone crossed the Rubicon.” As it turns out, that “someone” was us.

But saying that the cyber threat is a projection does not mean that it is not real. It just means that the threat has a different origin. As with declining economic competitiveness, lost jobs, financial crisis, and failing infrastructure, we are dealing with an “insider threat” of a much more general kind. Jason Healey of The Atlantic Council has summed it up best. After noting that officials like NSA Director, Gen. Keith Alexander, point to Stuxnet as evidence that government needs to regulate private owners and operators of critical infrastructure systems, Healey writes,

The message to the US private sector therefore seems to be that they need to be regulated because they are not protecting themselves sufficiently against a weapon designed and launched by their own government. The arsonist wants to legislate better fire codes.

The bottom line is this: We are projecting onto others what we are doing to ourselves but do not wish to acknowledge.

This post by was first published at

Original Source