Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Is Government Inflating Cyber Threats?

A report from the Mercatus Center at George Mason University questions "alarmist rhetoric" and asks whether government agencies can meaningfully improve the security of critical infrastructure.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
The "alarmist rhetoric" surrounding the potential for "catastrophic cyber threats" has strong parallels with the inflated threats used to justify the lead-in to the Iraq War.

That assertion comes from "Loving The Cyber Bomb?" a report released on Wednesday by the Mercatus Center at George Mason University, a nonprofit think tank that promotes free-market and deregulation policies.

In particular, the report draws parallels between the justifications for the Iraq War--links between al Queda and Saddam Hussein's government, as well as its being on the verge of acquiring nuclear weapons--and the current rationale for greater government involvement in private-sector security, which is that a major critical infrastructure attack could bring the United States to its knees.

But while Iraq had backed terrorists and possessed chemical and biological "weapons of mass destruction," there was never any verifiable evidence to support the more serious claims. Likewise, there's no doubt that cybercrime is rampant and denial of service attacks on the rise. Legislators and bureaucrats, however, continue to warn of an imminent, catastrophic attack against the country's critical infrastructure.

For example, Department of Homeland Security Secretary Janet Napolitano delivered a speech on Monday at the University of California at Berkeley College, calling for cyber security to be a shared responsibility, and to make her case, opened the speech by linking terrorism and cyber attacks. Only, terrorists aren't launching online attacks. "There's zero evidence that cyber is really a tool for terrorist attack. That's the sort of rhetoric that I'd like to see people be more careful about," said report co-author Jerry Brito, senior research fellow at the Mercatus Center at George Mason University, in a phone interview.

What are the real dangers? His report warns that overinflating the potential fallout of an online attack could lead to unnecessary regulation of the Internet. It also cautions against "unwarranted external influence"--aka defense contractors--which "can lead to unnecessary federal spending." Finally, it offers a framework for rationally assessing existing online threats.

"I'm not suggesting the government should have no role in cyber security infrastructure, but we have to ask ourselves, when should the government have a role, and what should that role be?" said Brito.

Currently, the government position is that it should lead the cybersecurity charge. "So now you may be asking, how do you secure a distributed, decentralized, and fundamentally civilian space that is largely privately owned, straddles international boundaries, and has both virtual and physical elements?" said Department of Homeland Security Secretary Janet Napolitano in her speech on Monday. Her answer was that DHS has two missions: to protect non-military--aka dot-gov--federal agencies, as well as "leading the protection of critical infrastructure and its connections to cyberspace."

Not so fast, said Brito. There may be a case for the government to get involved, should the private sector need incentives for improving its security posture. "But we haven't heard that argument. What we've heard is, 'We're the government, we have to secure the critical infrastructure,'" he said. "Wait, stop, we haven't had the analysis yet--point me to the critical infrastructure you want to regulate, and tell me why they don't have the incentive to provide security themselves."

Furthermore, even for industries that lack such incentives--for example, many utilities, which operate as monopolies--"how is government going to do any better?" he asked. "It's just assumed that government is going to come in, and it will all be secure. And I'm not sure why we think that DHS will do better."

In her speech, Napolitano also argues for more government partnerships with the private companies that overwhelmingly control critical infrastructure industries. But government agencies have been arguing for public-private partnerships relationships ever since the Sept. 11 attacks, almost 10 years ago. "Maybe tells you what the private sector thinks about partnerships," said Brito.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-20001
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
CVE-2020-36317
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
CVE-2020-36318
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
CVE-2021-28875
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
CVE-2021-28876
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...