When members of Congress talk cybersecurity, it doesn’t take long for the discussion to turn apocalyptic. The Feb. 27 meeting of the Senate Intelligence Committee was no different when Lindsey Graham, R-S.C., asked Gen. Keith Alexander, retiring director of the National Security Agency (NSA) and commander of United States Cyber Command, to describe in 30 seconds what a major cyberattack could do to the United States.
“I think they could shut down the power in the Northeast,” Gen. Alexander responded. “Shut down the New York stock exchange … shut down some of our government networks … impact our transportation areas … water supplies, they could do damage to that.” If something like this occurred, according to Alexander, the wreckage could include thousands of dead Americans and trillions of dollars in damage.
“On the cyber front, you’ve described a Pearl Harbor on steroids,” Graham replied. Alexander did not disagree.
While there are legitimate cyberthreats in the world, these melodramatic hypotheticals don’t help real cyberdefense and deterrence. Instead they serve only to create a sense of urgency around passing rash and overreaching laws that undermine Americans’ privacy even more — a tall task after whistle-blower Edward Snowden’s revelations. (Full disclosure: The American Civil Liberties Union, for which I work, represents Snowden.)
Should you panic or lose sleep over the prospects of a cyber–World War III? No. Don’t unplug and move to a cabin in the woods just yet. As an average person, you are far more likely to be affected by everyday Internet crime that can be thwarted by sensible precautions. If there are immediate risks, it is that your credit card number will be stolen or you will be enticed to click on a phony link and share sensitive information.
But even when talking about sensitive targets that have far-reaching implications, such as electrical grids and government systems, the demonstrated weak points invariably rest with human error — failing to change default passwords, plugging compromised memory sticks into computers or losing entire unencrypted laptops. Of course, this sort of mundane incompetence is not the basis of Jason Bourne movies and isn’t incredibly sexy. The slow grind of fixing these sorts of problems won’t necessarily net contractors large contracts or land a member of Congress on “Meet the Press.”
One of the most troubling aspects of overhyping cyberwar and cyberterrorism is that it can easily become a bait and switch to allow the military to operate inside the United States, which violates constitutional principles about a civilian-controlled country. Instead of focusing on how to better protect those electrical grids directly, for example, the conversation often turns to how companies and the government should be unleashed on the Internet, with privacy and First Amendment rights of everyday users seen as expendable.
For example, the intelligence committees in Congress are fixated on the idea that revoking all modern privacy laws would allow corporations that hold our sensitive data to share information with the NSA to protect the Internet and all the important services connected to it. While they trot out scary examples of attacks from Iran or China on the critical infrastructure that makes modern American living possible, they certainly aren’t writing legislation smartly targeting those threats. Instead some in Congress have proposed empowering companies to share and to distribute any data they deem relevant to cybersecurity with one another and with intelligence agencies. They also propose giving complete civil and criminal liability protection to these companies for any actions they take against users, regardless of the outcome.
Just like the expansion of government authorities in the name of the war against terrorism in the 2000s, real but manageable cybersecurity threats can become a pretext for surveillance and other forms of government overreaction if we are not careful. With the constantly emerging stories of government overreach in terrorism investigations, we should all be skeptical of turning these agencies loose in the name of cybersecurity if we haven’t already done so. Many of the Snowden stories over the last nine months have highlighted how our vague and broad surveillance laws have allowed the government to collect and use our personal data in terrorism investigations. It is possible and even likely that these surveillance systems are being used domestically and abroad for cybersecurity programs too.
Indeed, the Snowden disclosures have shown that one of the biggest threats to cybersecurity maybe the same agency tasked with defending it. The NSA has reportedly worked hard to undermine international encryption standards; has installed secret backdoors in the security architecture of popular devices made by Apple, Cisco, Dell and others; and has purchased zero-day attacks, which exploit unknown security vulnerabilities in computer applications, from hackers. These activities don’t create a safe and secure Internet; they destroy it.
Without a full airing of current cyberprograms, no one should consider expanding the NSA’s authorities here at home. As Alexander said at last month’s hearing, this topic deserves a full dialogue between the U.S. government and its people. That can’t happen in a meaningful way until we understand what’s really going on, without being cowed by exaggerated fears. That includes not only what’s happening here within our borders but also what is exactly meant by “cyberwar” — what triggers it, what is a proportionate response, who makes the decisions and how they will be held accountable if things go terribly wrong.
The calls for filtering the Internet or letting companies share your sensitive digital information with the government are part of the Big Data myth that hasn’t been born out since 9/11. The leaks by Snowden have confirmed that Big Data grabs to find the needle in the haystack aren’t effective for terrorism purposes. We should be demanding proof that they are necessary in the cybersecurity realm too.