Like most people who have  a passing concern with the cyber infrastructure upon which modern society depends, the warning from no less a personage as  F.B.I. Director Robert Mueller that cyberterrorism is “real and rapidly expanding” seemed like a pretty good cause for concern. 

Terrorists have shown “a clear interest” in pursuing hacking skills, he told thousands of security professionals at the RSA Conference in San Francisco. “They will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyberattacks,” he said.

Mueller sought a joint effort by the government and hi-tech companies to fight terrorism online. Sure, it would be expensive and intrusive — very expensive, and very intrusive — but what else could we do to stop them from destroying our way of digital life?  I certainly didn’t want Al Qaeda in control of twitter.

Accordingly Brooklyn Law professor Derek Bambauer, the threat of cyberterrorism is, well, overstated.  At PrawfsBlawg, he calls it a “myth.”

UPI’s article on cyberterrorism helpfully states the obvious: there’s no such thing. This is in sharp contrast to the rhetoric in cybersecurity discussions, which highlights purported threats from terrorists to the power grid, the transportation system, and even the ability to play Space Invaders using the lights of skyscrapers. It’s all quite entertaining, except for 2 problems: 1) perception frequently drives policy, and 2) all of these risks are chimerical. Yes, non-state actors are capable of defacing Web sites and even launching denial of service attacks, but that’s a far cry from train bombings or shootings in hotels. (Emphasis added.)

Mueller lied to me? Seriously?

The response from some quarters is that, while terrorists do not currently have the capability to execute devastating cyberattacks, they will at some point, and so we should act now. I find this unsatisfying. Law rarely imposes large current costs, such as changing how the Internet’s core protocols run, to address remote risks of uncertain (but low) incidence and uncertain magnitude. In 2009, nearly 31,000 people died in highway car crashes, but we don’t require people to drive tanks. (And, few people choose to do so, except for Hummer employees.)

Yes, I left the gratuitous attack on Hummers in. The H1 may have been cool if enormously wasteful, but there is no excuse for the H3. None.

So this is a manufactured threat, created in anticipation of capabilities since none currently exist, and of low risk regardless, which makes it remarkably similar to the physical attacks on our soil.  Let’s not forget that about 3000 died in the World Trade Center attack. While a significant number, it remains about 10% of what we annually give away for free to drive fun cars.  Lost lives and lost lives, whether we accept the cause of death as an element of normality, or fear it as our gravest threat.

Bambauer offers a four prong explanation for government’s crying “the sky is falling”:

First, terror is the policy issue of the moment: connecting to it both focuses people’s attention and draws funding.

Second, we’re in an age of rapid and constant technological change, which always produces some level of associated fear. Few of us understand how BGP works, or why its lack of built-in authentication creates risk, and we are afraid of the unknown.

Third, terror attacks are like shark attacks. We are afraid of dying in highly gory or horrific fashion, rather than basing our worries on actual incidence of harm (compare our fear of terrorists versus our fear of bad drivers, and then look at the underlying number of fatalities in each category).

Lastly, cybersecurity is a battleground not merely for machines but for money. Federal agencies, defense contractors, and software companies all hold a stake in concentrating attention on cyber-risks and offering their wares as a means of remediating them.

When you put it that way, it sounds pretty much like every fear-mongering initiative that offers fabulous potential to scare the living crap out of the public and thus gain its approval to sink vast amount of money into its prevention and, if played right, willingness to give up an entirely new level of personal privacy in our online endeavors.  You know, to protect us from the terrorists, all programs and servers need backdoors for the F.B.I. and C.I.A. to gain access at will.  For our own sake. No, really.

In a comment to the post, Orin Kerr, who also spends a good deal of time thinking binary, offers an astute observation:

When the evidence of a threat is largely classified, public discussions of security threats tend to be frustrating because values often masquerade as empirical evidence. One side always says there is a huge threat; another side always responds that there is no real threat. In my experience, these sorts of empirical claims are often created by normative values: The more one favors a particular response, the more one assess the threat to match that response. But perhaps I’m too cynical.

Does this mean our government is crying “wolf” or outsiders just can’t appreciate the accuracy of the threat because we lack access to the secret information it possesses?  That each side harbors its own bias comes as no surprise.

The problem is that the two sides are as far apart as possible, one screaming about the end of the digital world and the other saying it’s just bunk.  Both Kerr and Bambauer note that their respective proponents are sincere in their beliefs, which, of course, gets us absolutely nowhere.

To the extent that those in government use the threat of cyberattack as a justification for sinking a ton of money into its defense, and relinquishment of ever more privacy rights in the name of safety, my bias is that they’ve failed over the past decade to demonstrate that they can be trusted.  Consider the efficacy of the TSA’s approach to airplane safety, and wonder what they might come up with to protect us from cyberattack. 

Sure, the two are unrelated, but they have a hammer and they will beat us to death with it if given the chance.  In the meantime, I’m more concerned with your lousy driving and the reasonable possibility that you’re going to cash your Hummer into me, leaving just as dead.