Harry Oppenheimer is a research associate for national security at the Council on Foreign Relations.
In the wake of recent cyberattacks on Sony, there was a short public debate about what to call the computer breach. President Obama settled on cyber vandalism but a number of politicians, including Senator Robert Menendez (D-NJ), believed this understated the impact of the attack and called it a terrorist act instead.
There are a number of reasons to shy away from terrorism and cyberattack comparisons. Crucially, most cyberattacks so far have been designed not for political violence, but for military and industrial espionage. There may be, however, some lessons to be learned for cyber in how we talk about the threat and response to terrorism. This is especially important in a time where cyberattacks are making headlines on a consistent basis. The behind scenes nature of both counter terrorism (CT) and cybersecurity raise difficult challenges for policymakers who want to describe the threat realistically.
Most CT and cybersecurity measures are imperceptible to the public. Many of the most effective CT efforts rely on information gathering, forensic accounting, supply chain disruption, targeted attacks on terrorist camps, or other operations beyond the public eye. If forensic accounting to expose terrorist financing efforts were shared with the public, it would become useless. The public also doesn’t see the technical measures that are set up by the NSA and the Department of Homeland Security (DHS) to defend networks, the intelligence gathering on foreign cybersecurity groups, or the constant diligence required to quickly recognize and stop cyberattacks. Moreover, with cybersecurity and counterterrorism, the public often sees failures but rarely successes. That is, the successful cyberattack and the security shortcomings that lead to it make the news, while the attacks that are stopped remain out of sight. Indeed, they must remain so for the defensive measures to stay effective.
While technical and intelleigence measures need to be protected, there is a use for some number of publically facing measures. Unfortunately there is no cybersecurity equivalent to increasing airport security, searching bags at sporting events, or increasing the homeland security advisory system. Instead it will be especially important for the public to understand the efforts underway every day to protect the Internet and create resiliency. Without this knowledge, people will not be able to put attacks in the context of all the efforts to prevent them, leading to unnecessary anxiety among the general public.
It is impossible to stop every cyberattack even with the very best defensive measures. However, just because one cyberattack is successful doesn’t mean that the Internet is any less safe, but people don’t know this unless they are educated on the nature of cybersecurity. When an attack becomes public, it generally becomes the first time many people think about whether they have taken the proper measures to protect their security.
Officials can draw on their longer experience with terrorism to learn about how to talk about cyberattacks. Education has historically been the key—helping people understand the myriad of ways that they are being protected and providing them with ways to protect themselves. Think about public campaigns such as, “If you see something, say something.” As Janet Napolitano said of the campaign in 2011, “We want the public to live with information, but not to live in fear… when they have information, that helps reduce the level of fear." Enlisting the public in the fight has the tangible benefits of more information about threats and greater awareness of risks. If the government can create a program to enlist the public in fighting cyber threats they will make citizens participants in the process.
Similarly, DHS launched “Stop.Think.Connect” in 2010 as part of the annual National Cyber Security Awareness Month to increase awareness about cybersecurity risks. Having a program like this is a good start, but it needs to be effectively leveraged in order for it to do anything. For example, the program could be featured on websites that collect personal data with which people interact every day (e.g. banks, healthcare.gov, or tax e-filing). The same way that people see signs warning them to be vigilant in the subways, people should see signs telling them to be vigilant when logging into their bank account online. This would start the process of getting people to take a stake in their own security.
Whether hackers should be treated as terrorists doesn’t mean that dealing with terrorists can’t teach the United States something about the evolving Internet security landscape. A common framework can be useful and is not just hype from pundits and policymakers. By understanding how the public responds to terrorist threats policymakers can examine how the public digests cyber threats. Without such a comparison, the recent attacks on Sony will remain menacing for the public.