Cybersecurity pros want to stop talking about a ‘cyber 9/11’
For nearly two decades, government analysts have warned of a “cyber 9/11” or a “cyber Pearl Harbor” following the Sept. 11, 2001 terrorist attack, whose 20th anniversary is tomorrow.
Those warnings – focused on the dangers of a catastrophic cyberattack with 9/11-level consequences – started as early as 2003 and peaked early in the Obama administration when cyberspace was beginning to be viewed as a major new domain for conflict.
But criticism of the analogies emerged almost as soon as the analogies themselves. Comparing cyber and terrorism overstated the consequences of even the most damaging cyberattacks, critics said. And the result was more often to scare people into doing nothing than to compel them to take cyber protections more seriously.
Most cyber watchers hope the terms are fully retired before the nation marks another 9/11 anniversary.
Using this kind of rhetoric actually made people less willing to pay attention to cyber threats, Chris Painter, the top State Department cyber official during the Obama administration, told me.
“The best you can say for the analogy is the intent was to raise awareness and get people to focus on cybersecurity. But it didn’t really end up raising awareness,” Painter said.
The analogies have fallen increasingly out of favor during the past decade.
But they still frequently crop up.
During those years, there has been a wave of escalating and consequential cyberattacks. But none of them has come close to the massive human cost and culture-shaking significance of the Sept. 11 attacks.
There are no definitive cases in which a cyberattack caused the loss of a single life — though there has been at least one instance in which someone may have died because a ransomware attack against a hospital delayed their care.
“A lot of the predictions people made 10 and 20 years ago, including me, have been proven wrong,” Jim Lewis, a former top cyber official at the State and Commerce departments, told me. “You can keep saying ‘just wait until next time,’ but eventually you sound like Chicken Little.”
Indeed, the biggest cyber events of the past decade have had little in common with 9/11.
They were nearly all committed by adversary governments, including Russia, China, Iran and North Korea, rather than nonstate terrorist groups. The only significant exception is the recent wave of ransomware attacks against U.S. businesses, schools and cities, which government officials and analysts say are mostly conducted by cybercriminals in Russia acting with the Kremlin’s tacit approval.
Many cyberattacks have been slow and grinding rather than sudden and catastrophic.
Chinese government-backed hackers’ theft of U.S. companies’ intellectual property and trade secrets, for example, has been going on for years, costing the U.S. government between $225 billion and $600 billion annually, according to government estimates.
Russia’s digital interference in the 2016 election didn’t involve any death or destruction but sparked intense political divisiveness and doubts about the election’s legitimacy.
When I asked about the “cyber 9/11” phrase on Twitter, the response from experts and practitioners was almost uniformly negative.
Tony Cole, chief technology officer at Attivo Networks:
“I don’t like equating 9/11 to a single enormous cyber attack. Could we have a very large impactful cyber event? Sure. However, if it happened, and it was also a major casualty event, then the attackers better be prepared for a kinetic response. This makes it unlikely to happen.”
Read the full article by Joseph Marks on The Washington Post.