A lack of public understanding could overinflate the cyber threat and have serious national security implications.
Decades of Chinese espionage and recent Russian cyber activities have pushed the cyber threat to the forefront of the minds of many U.S. security officials and lawmakers. Indeed, the Russian hacking of the 2016 presidential election caused domestic turmoil in the United States, but cyber scholars categorized these events as political warfare—distinct from cyber war—and Thomas Rid of Johns Hopkins University claims, “The world has never experienced an act of cyberwar.”1 In August 2017, however, the National Infrastructure Advisory Council for the President advised that the United States must take bold and immediate action to secure its infrastructure, as there is a “fleeting window of opportunity before a watershed, 9/11 level cyber-attack” is levied upon the nation.
Stephen M. Walt of Harvard University contends that the increased national attention on cyberspace could be subject to threat inflation because of a lack of understanding—as many aspects of this threat are technically complex, overclassified, and lumped together with other cyber activities.2 This concept of cyber-threat inflation has gained little attention in the United States, although it should be considered during U.S. cyber strategy formulation, budgeting, and national discourse. During the Cold War, inflated threats of communist aggression led the United States toward hawkish policies, unnecessary conflicts, and tremendous sacrifices in blood and treasure. Cyber-threat inflation could lead U.S. policymakers to make similar missteps in the cyber domain and have major national security implications.
Cyber Threat Inflation Factors
Security and intelligence analysts assess future threats and associated risks based on their knowledge and experiences and the information available. Chaim Kaufmann, who studied threat inflation surrounding the U.S. war with Iraq in 2003, contends that all threats are ambiguous to a degree, and that threat inflation emerges from the manipulation or misperception of this ambiguity. Threat inflation exhibits one or more of these qualities:
1. Claims that go beyond the range of ambiguity that disinterested experts would credit as plausible.
2. A consistent pattern of worst-case assertions over a range of factual issues that are logically unrelated or only weakly related.
3. Use of double standards in evaluating intelligence in a way that favors worst-case threat assessments.
4. Claims based on circular logic.3
With these factors in mind, cyber threat inflation in the United States largely stems from:
Lack of public information. In Western democracies, the public, the media, and other institutions contribute to a “marketplace of ideas,” or a knowledge community that can correct misrepresentations and challenge dubious information with discourse. Because of the highly classified nature of cyber, however, public information regarding cyber threats tends to be incomplete, exaggerated, and released by authorities well after the fact. Retired Air Force General Michael Hayden, former head of the National Security Agency and Central Intelligence Agency, laments the “hideous over-classification” of activities in the cyber domain. These classification hurdles limit public discussion on the nature of the threat as well as potential solutions.4
From a psychological perspective, fear and insecurity rise when there is a lack of information regarding a real or perceived threat, which may then result in an overestimation or underestimation of risks.5 Thus, in the cyber domain, most Americans are informationally disadvantaged and are vulnerable to cyber-threat manipulation by government and business authorities.
Media hype. Cyber researcher Myriam Dunn Cavelty explains that news media love “cyber-anything” because of the correlation of massive cyber threats to major disasters—tapping into an enticing realm of sensationalist journalism with sensationalist headlines.6 Since the media tend to report only major cyber incidents, they create a hyper-focus on rare occurrences that may distort people’s perception of the magnitude, frequency, or likelihood of the threat. Another unfortunate tendency of cyber reporting is the use (or abuse) of a single anonymous source without additional validation. To amplify this issue, other news networks tend to repeat these stories to advance their own agendas and ratings.7 Other forms of media, such as books, movies, and video games, seep into modern culture and also lean toward the doom-and-gloom portrayal of cyber threats for dramatic effect.
Conflation and misunderstanding. One of the most challenging aspects of categorizing cyber threats among governments, industry, or military professionals is finding common ground in the definition of cyber activities. According to some analysts, the only way to distinguish between cyber crime, cyber terrorism, and cyber warfare is to understand the attacker’s intent.8 Intent is difficult to prove, however, and in cyberspace attackers tend to remain anonymous, victims tend to remain silent, and malicious cyber tools may not be discovered inside systems until years later. These factors lead to an analytical conflation of all cyber threats into a single phenomenon that is ambiguous, uncertain, and inflated.
In the absence of understanding or clarification of complex issues, the U.S. national security enterprise focuses on the catastrophic strategic-military aspects of cyber threats. This inadvertently increases people’s sense of vulnerability and dread.9
Financial motives. Dubbed the “cyber-industrial complex,” cyber-related companies sound the alarm to generate government spending on cybersecurity, similar to how the military-industrial complex thrived amid inflated Soviet threats.10
Cybersecurity has garnered a significant share of defense spending despite lean economic times. According to Taxpayers for Common Defense, a budgetary watchdog group that tracks unclassified federal spending, the Department of Defense (DoD) received $19 billion in fiscal year 2016 (FY16) for cyberspace operations—up from $5.5 billion in FY10, $7.4 billion in FY12, and $12.6 billion in FY14.11 These figures are for only DoD and do not include classified spending. For approximate comparison, in FY16 the Department of Homeland Security received $1.7 billion, the Department of Justice received $1 billion, and the Department of State received $33 million for cybersecurity programs. A growing cottage industry of cyber lobbying has evolved to urge members of Congress to support spending on cyber companies and facilities in their home districts.
U.S. National Security Implications
The 2017 National Security Strategy states that the United States’ ability to meet the challenges of the cyber domain “will determine our future prosperity and security.” Security strategies frame the landscape by anticipating threats and outlining how to deter or prepare for future conflicts. Threat inflation may corrupt one’s ability to perceive the risks accurately and encourage decisions that speed the nation on the path toward conflict. The most serious implications for U.S. national security center on the militarization of cyberspace and misperceptions by potential adversaries.
In 2011, DoD declared cyber a “military domain.” This signaled that the United States views cyberspace as a contested and competitive arena in which commanders must maneuver forces and capabilities to gain operational advantages against adversaries. The potential pitfall of this designation is that U.S. policymakers and military leaders will lean toward finding military solutions for a domain that largely is owned and regulated by nonstate institutions. In turn, the federal government may overinvest resources in only one pillar of cyber protection rather than seeking novel solutions in different sectors. Some scholars assert that an overassociation of cyber threats with national security causes a zero-sum mind-set, which leads to the perception the military should be at the forefront of mitigating cyber threats rather than businesses or civilian institutions.12
Cyber militarization also is redefining U.S. alliances and the threat perceptions of potential adversaries. For instance, in the past five years the United States and Japan have made cybersecurity a central component of their bilateral alliance, and today the countries have agreed to cooperate on retaliatory and offensive cyber measures for collective self-defense.13 China likely perceives cooperation in this domain as an additional attempt to contain its economic and military expansion, thereby creating a new axis of tension for Sino-Japanese relations.14
Across the globe, in 2008, NATO established the Cooperative Cyber Defense Centre of Excellence in the wake of Russian cyber attacks against Estonia. Shortly after those attacks, Estonia sought counsel from NATO on whether it could invoke Article V (the principle of collective defense, where an attack on one ally is considered an attack on all); however, the organization could not agree whether nonlethal actions justified collective military response or whether the Kremlin had directed the attacks. Since then, NATO has updated its mutual defense agreement to include cyber attacks if the action directly causes a loss of life. With these cyber clauses embedded into collective security agreements, nations have intertwined the digital domain with the physical domain, where the conflict in one area can induce a reaction in the other.
Other perils of cyber-threat inflation are the resulting mistrust and misperceptions of adversary nations. China still views the United States as having an advantage in cyber capabilities and influence over internet governance.15 As the United States mobilizes to enhance its cybersecurity, China believes it is developing dual-use technologies that will “infiltrate into China and Russia and spread false information, with an aim at sabotaging” their political stability.16 In response, China is attempting to weaken the U.S. role in cyber governance in the political realm.
Today, China and Russia are advocating for international rules that emphasize the importance of national sovereignty rather than openness in cyberspace. The United States believes these initiatives are intended to undercut its legal authorities to conduct intelligence or attacks in this domain.17
Deflate the Threat
The central issues underscoring cyber-threat inflation are an informationally disadvantaged public and a general tendency to think in terms of catastrophic cyber events. This public information deficit creates a dependency on politicians, security officials, and the cyber-industrial complex—all of whom may pursue inefficient, or even hazardous, policies without public scrutiny of associated facts or risks. At worst, an uninformed public could free political leaders to use an inflated cyber threat to create an unchallenged narrative to wage conflict.
Cybersecurity is a critical issue that intersects the public, business, and international sectors, and even individual civil liberties. A national cyber strategy must balance these realities. Perhaps if the United States followed General Hayden’s recommendation to release additional cyber information to the public, a wave of innovative and mutually supporting laws, technical standards, and practices could emerge as a bulwark against most cyber threats and could complement DoD cyber activities. Ideally, these policies would be the result of open discourse and wide examination of the threat, and not of unsupported anecdotes of a cyber Pearl Harbor.
1. Brandon Valeriano, Benjamin Jensen, and Ryan C. Maness, Cyber Strategy: The Evolving Character of Power and Coercion (New York: Oxford University Press, 2018), 39. Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies 35, no. 1 (2012): 5–32.
2. Stephen M. Walt, “Is the Cyber Threat Overblown,” Foreign Policy, 30 March 2010.
3. Chaim Kaufmann, “Threat Inflation and the Failure of the Marketplace of Ideas: The Selling of the Iraq War,” International Security 29, no. 1 (2004): 5–48, 8–9.
4. Rudy Takala, “Former Spy-Chief Complains About Hideous Over-Classification,” Washington Examiner, 28 October 2015.
5. Audrey Guinchard, “Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy,” Journal of Strategic Security 4, no. 2 (2011): 77.
6. Myriam Dunn Cavelty, “The Militarisation of Cyberspace: Why Less May Be Better,” in Cyber Conflict (CYCON) 2012, 4th International Conference, 149.
7. Jerry Brito and Tate Watkins, “Loving the Cyber Bomb–The Dangers of Threat Inflation in Cybersecurity Policy,” Harvard National Security Journal 3 (2011): 59.
8. Guinchard, “Between Hype and Understatement,” 79.
9. Cavelty, “The Militarisation of Cyberspace,” 141–42.
10. Brito and Watkins, “Loving the Cyber Bomb–The Dangers of Threat Inflation in Cybersecurity Policy,” 69.
11. “Database of Unclassified Federal Cyber Spending,” Taxpayers for Common Sense: Making Government Work.
12. Cavelty, “The Militarisation of Cyberspace,” 141–51.
13. Paul Kallender and Christopher W. Hughes, “Japan’s Emerging Trajectory As a ‘Cyber Power’: From Securitization to Militarization of Cyberspace,” Journal of Strategic Studies 40, no. 1–2 (2017): 118–45.
14. Kallender and Hughes, “Japan’s Emerging Trajectory as a ‘Cyber Power,’” 139.
15. Rich Abbot, “Harvard Brief Says U.S. Exaggerates Chinese Cyber Capabilities, Causes Dangerous Mistrust,” C4I News, 15 May 2015.
16. Gary Brown and Christopher D. Yung, “Evaluating the U.S.-China Cybersecurity Agreement, Part 2: China’s Take on Cyberspace and Cybersecurity,” The Diplomat, 19 January 2017.
17. Brown and Yung, “Evaluating the U.S.-China Cybersecurity Agreement.”
Major Yang enlisted in the Marine Corps in 1998 and is a 2005 U.S. Naval Academy graduate. He served in Operation Iraqi Freedom and in Okinawa, Japan. He currently is a doctoral fellow for the Commandant of the Marine Corps Strategist Program and a first-year PhD student at the School of International Service at American University. His research interests include grand strategy, information warfare, and China’s use of military force.