For decades, we have heard a lot of talk from American officials, industry experts, and others about the supposed threat of a “cyber 9/11,” “cyber Pearl Harbor,” “cyber Katrina,” or even “cyber Sandy.” In short, we have been warned repeatedly that “cyber doom” is coming. Indeed, as recently as this fall, cyber doom was in the news as a result of the cyber attack on Sony.
But the latest World Wide Threat Assessment (WWTA) [PDF] presented to Congress by the Director of National Intelligence, Gen. James Clapper, says that “Cyber Armageddon“ is unlikely. Rather, the assessment “foresee[s] an ongoing series of low-to-moderate level cyber attacks form a variety of sources over time, which will impose costs on US economic competitiveness and national security.” This threat, it says, “cannot be eliminated; rather, cyber risk must be managed.”
Some have argued that such scenarios were always about threat inflation and fear mongering and have applauded the admission by intelligence officials who once trafficked in such rhetoric that these scenarios are unlikely after all. Has the era of cyber doom fear mongering come to an end? Not likely.
Key intelligence officials, like NSA Director Admiral Michael Rogers are still using this rhetoric. Just three days before the release of WWTA, Rogers defined “cyber Pearl Harbor” and said that one had already occurred.
Asked to define a ’cyber Pearl Harbor’, a phrase used in 2012 by then-Defense Secretary Leon Panetta, Rogers replied: ‘An action directed against infrastructure within the United States that leads to significant impact—whether that’s economic, whether that’s in our ability to execute our day-to-day functions as a society, as a nation.’ He added that the hack of Sony Pictures Entertainment last November met that dire criteria. Movie studios fit into the U.S. government’s broad definition of critical infrastructure.
With this comment, Admiral Rogers follows in the footsteps of Amit Yoran, former head of the Department of Homeland Security’s National Cyber Security Division, who claimed in 2009, “Cyber 9–11 has happened over the last 10 years, but it’s happened slowly so we don’t see it.” Of course, there was no evidence then that anything like 9/11 had occurred in or through cyberspace, just as the hack of Sony is nothing like Pearl Harbor now.
Why do such outrageous claims persist even in the face of contradictory evidence and assessments?
One reason is that, despite claims to the contrary, the use of “cyber doom” is primarily about emotions not facts. Its function is to motivate a response through the use of fear, not to describe accurately the true nature of the threat and its likely impacts.
Among those who use cyber doom rhetoric when speaking in public or to the media, there is often a disconnect between the threat as implied in that rhetoric and the diagnosis of threats that these same individuals provide in more formal settings like threat assessments for Congress. For example, though Admiral Rogers warned publicly of “cyber Pearl Harbor” in February 2015, less than a month later, in his testimony to Congress, his description of the cyber threats facing the United States focused primarily on censorship as a threat to “Internet freedom,” theft of intellectual property, and disruption of networks and access to information. Cyber attacks against critical infrastructure were mentioned, but as in the past, were framed as a “potential” future threat that could “perhaps” result in sabotage during a wider conflict (page 10).
Diagnosing the cyber threat as primarily about espionage, theft, and disruption while simultaneously relying on doom scenarios out of step with that diagnosis has been a feature of U.S. public policy discourse on this issue since at least 2008. And as long as officials believe there is still a need to motivate a response, cyber doom will continue to be a feature of U.S. public policy discourse on cyber security, even if their own assessments find such scenarios unlikely.
Finally, even if cyber doom is down right now, it is likely not out. The winds of cyber war discourse are ever changing. Identification of what is threatened, by whom, and with what potential impact has changed over time, often in ways that seem to mirror larger security concerns that are not primarily about cyber security. Through it all, cyber doom rhetoric has survived, again, primarily for its affective characteristics. But even if it is experiencing a decline at the moment, wait a few months and the cyber discourse weather is likely to change and cyber doom could well make a comeback.