Earlier this week the National Intelligence Council released its Global Trends 2030 report. In this forward-looking document, I found the discussion about potential cyber threats to be both useful and vaunted at the same time.
Let’s take the following statement about potential events that would cause the greatest disruptive impact: “The chance of nonstate actors conducting a cyber attack—or using WMD—also is increasing.” This association between a cyber attack and a WMD is purposeful, meant to raise the former to the level of the latter in the reader’s mind. I do believe the role of nonstate actors in cyberspace will continue to grow into the future, but I wouldn’t use such hyperbole as a WMD attack to show the reader the disruptive potential of nonstate cyberactors.
On the other hand, I completely agree with the following statement from the report: “With more widespread access to lethal and disruptive technologies, individuals who are experts in such niche areas as cyber systems might sell their services to the highest bidder, including terrorists who would focus less on causing mass casualties and more on creating widespread economic and financial disruptions.” “To date, most terrorists have focused on causing mass casualties, but this could change. The future will include very large vulnerabilities: only a small number of people might understand critical cyber systems, for example, creating a risk that they could sell their services to the highest bidder, including terrorists who would focus less on mass casualties and more on widespread economic and financial disruptions.”
But I see an inherent contradiction between the above point and this statement: “For some attackers, cyberwarfare offers other advantages that have seldom been the case for most warfare: anonymity and low buy-in costs. These attributes favor the employment by disaffected groups and individuals who want to sow mayhem.”
I think the distinction between these three quotes is what is missing in our public dialogue about cyber attacks/cyberwar. “Sow mayhem” versus “widespread economic and financial disruptions” versus cyber attacks in the same league as WMD attacks. All three of these may be theoretically possible, but each is also very distinct from the others. “Sowing mayhem” in this context I believe means defacing websites, stealing passwords, knocking websites offline for a couple hours. “Widespread economic and financial disruptions” is more akin to ‘stealing the crown jewels’-type intellectual property theft or deleting all the financial data of the NYSE. Finally, the cyber/WMD nexus is the simultaneous takedown of the electric grid, catastrophic malfunction of nuclear plants, and the disabling of all air traffic control systems.
The first of these is a low-level threat that should give end users and some system admins a headache but not too much beyond that. The second requires the federal government, law enforcement, and the private sector to contemplate, plan contingencies for, and mitigate against. It is also the most pressing current threat we face in cyber. The last scenario is what DoD/IC/DHS planners must think about and try to prevent but with the understanding that this threat has the lowest probability. I think the government’s attention to this last scenario will help us prevent such disasters, which is noteworthy because “As societies become more dependent on software and systems become more interconnected, the potential levels of damage that cyberweapons will be able to inflict will increase.”