Recycled Rumour and Pimped Hyperbole

What, with all the hubbub over cyberthreats, swine flu and Kazakhstani alien embassies, I clean forgot to mention Mike Tanji’s cautionary piece at Danger Room, Cyberpanic: It Sells. It’s a reworked version of his earlier Haft of the Spear post, Stop Reading About Cybersecurity, which I linked to a few weeks back.

Mike’s premise is that:

1. Cyberthreats are not new

2. The threat is overstated

3. We need a broad base of expertise to combat the reality of cyberthreats

4. Much of the current fuss is the result of an institutional funding grab

5. Don’t panic!

Hard to argue with this, to be honest, and the new US cyber capabilities report does address some of these issues directly and constructively. It is the case that cyberthreats are real, national counter-strategies lack focus, and security services (USAF, anyone?) are desperate to get their hands on R&D cash, as well as operational leeway. I was at the InfoSecurity 2009 show in London yesterday and can attest to the private sector’s scramble for business – and also the surge in university cybersec courses.

As with the terrorist threat, it’s important to characterise the situation properly and frame reactions constructively. The GWOT has been manna from heaven for a host of state and private actors. The fallout from ill-formed policy and strategy has been catastrophic in human terms in Iraq and Afghanistan, and has been severely deleterious to human rights across the world. Rhetoric preceded reality, and militarism trumped mitigation. Although the threat from cyberspace might not be new, it is poorly understood, evolving fast, and likely to be of more consequence in the near future. Response frameworks are patchy, inconsistent and run the risk of prioritising perception over truth.

Yesterday, PM Gordon Brown stated that the UK is stockpiling flu-blocking face masks, whilst the UK government’s own Chief Medical Officer admitted they were useless. A clear policy disconnect, I would suggest. The same situation seems to be developing with respect to cybersecurity. Anyone fancy pre-emptive strikes on Cancun? Or Chinese servers? At present, neither would be very useful, and both would be illegal. Keep breathing, people.