For nearly two decades, government analysts have warned of a “cyber 9/11” or a “cyber Pearl Harbor” following the Sept. 11, 2001 terrorist attack, whose 20th anniversary is tomorrow.
But criticism of the analogies emerged almost as soon as the analogies themselves. Comparing cyber and terrorism overstated the consequences of even the most damaging cyberattacks, critics said. And the result was more often to scare people into doing nothing than to compel them to take cyber protections more seriously.
Most cyber watchers hope the terms are fully retired before the nation marks another 9/11 anniversary.
Using this kind of rhetoric actually made people less willing to pay attention to cyber threats, Chris Painter, the top State Department cyber official during the Obama administration, told me.
“The best you can say for the analogy is the intent was to raise awareness and get people to focus on cybersecurity. But it didn’t really end up raising awareness,” Painter said.
The analogies have fallen increasingly out of favor during the past decade.
But they still frequently crop up.
During those years, there has been a wave of escalating and consequential cyberattacks. But none of them has come close to the massive human cost and culture-shaking significance of the Sept. 11 attacks.
There are no definitive cases in which a cyberattack caused the loss of a single life — though there has been at least one instance in which someone may have died because a ransomware attack against a hospital delayed their care.
“A lot of the predictions people made 10 and 20 years ago, including me, have been proven wrong,” Jim Lewis, a former top cyber official at the State and Commerce departments, told me. “You can keep saying ‘just wait until next time,’ but eventually you sound like Chicken Little.”
Indeed, the biggest cyber events of the past decade have had little in common with 9/11.
They were nearly all committed by adversary governments, including Russia, China, Iran and North Korea, rather than nonstate terrorist groups. The only significant exception is the recent wave of ransomware attacks against U.S. businesses, schools and cities, which government officials and analysts say are mostly conducted by cybercriminals in Russia acting with the Kremlin’s tacit approval.
Many cyberattacks have been slow and grinding rather than sudden and catastrophic.
The theft of U.S. companies’ intellectual property and trade secrets by Chinese government-backed hackers, for example, has been going on for years, costing the U.S. government between $225 billion and $600 billion annually, according to government estimates.
Russia’s digital interference in the 2016 election didn’t involve any death or destruction but sparked intense political divisiveness and doubts about the election’s legitimacy.
A handful of current and former cyber officials aren’t ready to jettison the 9/11 analogy entirely.
“The most effective use of that analogy is it’s a tragedy that it took the events of that day to do what we should have been doing on Sept. 10, [2001],” Suzanne Spaulding, a former top cyber official at the Department of Homeland Security, told me. “If there’s value in the analogy, it’s more about Sept. 10 than Sept. 11.”
Spaulding added: “If you’re talking about a cyber event that would result in several thousand deaths, then that’s the context in which the analogy has been derided.”
Sen. Angus King (I-Maine) was a co-chair of the Cyberspace Solarium Commission, which last year urged a major rewrite of how the government manages cyber policy. He struck a similar chord when he said the group’s goal was to make recommendations similar to those from the 9/11 Commission Report in 2004, but before a 9/11-scale disaster.
Former Defense Secretary Leon Panetta famously warned about a “cyber Pearl Harbor” in a 2012 speech. He also warned in the speech that “a cyberattack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11.”
Panetta told CyberScoop in April the phrase was a way of grabbing the attention of a public that wasn’t prone to worry about cyberattacks.
“Using that language is basically, you know, a club across the head when you’re dealing with that jackass who won’t pay attention,” he said.
He acknowledged the phrase may have outlived its usefulness.
When I asked about the “cyber 9/11” phrase on Twitter, the response from experts and practitioners was almost uniformly negative.
Jacquelyn Schneider, a fellow at the Hoover Institution:
Our focus on single catastrophic events in cyber has come at the detriment of solving the hard and insidious problems (like ransomware, intellectual property theft, and large scale data exploitations) that erode digital trust https://t.co/SrLbvXvwwZ
— Jacquelyn Schneider (@JackieGSchneid) September 8, 2021
Jeffrey Vagle, a Georgia State University law professor:
Agreed. The term is useful for fear-based marketing, but is not all that useful for substantive conversations as it is (purposely) vague in its meaning/scope.
— Jeffrey Vagle (@jvagle) September 8, 2021
Tony Cole, chief technology officer at Attivo Networks:
I don’t like equating 9/11 to a single enormous cyber attack. Could we have a very large impactful cyber event? Sure. However if it happened, and it was also a major casualty event, then the attackers better be prepared for a kinetic response. This makes it unlikely to happen.
— Tony Cole (@NoHackn) September 8, 2021
Bryson Bort, founder of the cybersecurity company Scythe:
So few people understand their computers beyond knowing what apps are on their phone. We need an informed citizenry to be stronger, not a scared one of Cyber 9/11 when the threat is a death by a thousand cuts.
— Lord 🦄 CyberBottom, Earl of Pwn, 7th Duke of C2 (@brysonbort) September 8, 2021
Some weren’t so sure the phrase has no value.
Lauren Sukin, a PhD candidate at Stanford focused on international security:
The analogy can be useful. In a new working paper, Katie Hedgecock and I find that the public reacts very similarly to cyberterrorist attacks on NYC as to terrorist attacks on NYC. The means of the attack has very little effect on public support for retaliation to the attack.
— Lauren Sukin (@Lauren_Sukin) September 8, 2021
And, while the phrase is inapt now, that could still change, Columbia University Senior Research Scholar Jay Healey warned:
I both strongly agree with this while also warning not to write off how cyber conflict might change tomorrow
— Jay Healey (@Jason_Healey) September 8, 2021
Prior to 9/11 we thought we knew what terrorism was about, only to be shocked to our core when those expectations were challenged
The keys
Security researchers are fed up with Apple’s bug bounty program.
The company’s insular culture, slow time to fix bugs and failure to pay some researchers what they’re owed have hampered the program, which aims to reward security researchers who find vulnerabilities in the company’s software, Reed Albergotti reports. The company has a huge backlog of unfixed bugs, according to a current employee and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement.
“It’s a bug bounty program where the house always wins,” said Katie Moussouris, the CEO and founder of Luta Security. Apple also limits communication and feedback on why it makes decisions about paying researchers for bugs they submit, Reed reports.
Apple rebutted the claims. “The Apple Security Bounty program has been a runaway success,” Ivan Krstic, head of Apple Security Engineering and Architecture, said in a statement. The company has nearly doubled how much it pays in bug bounties compared with 2020 and leads the industry in the average payout per bounty, Krstic said.
Hackers breached the United Nations earlier this year.
The hackers probably got into internal U.N. systems by buying a stolen username and password on the dark web, security researchers told Bloomberg’s William Turton. The breach was confirmed by Stephane Dujarric, a spokesman for U.N. Secretary General António Guterres. He said the networks were breached in April.
“We can also confirm that further attacks have been detected and are being responded to that are linked to the earlier breach,” Dujarric said.
The U.N. had already been implementing “corrective actions” by the time researchers notified them of the breach, according to Dujarric. Resecurity, a cybersecurity firm that said it independently discovered and reported the hacks, disputed the statement. The firm said its researchers later saw hackers in U.N. networks.
Arizona officials are threatening to withhold 42 percent of Maricopa County’s budget if it doesn’t hand over routers and passwords.
County officials met to discuss how they should respond to the ultimatum, the Arizona Republic’s Jen Fifield reports. They have until Sept. 27 to decide whether to turn the equipment over.
A few state Senate leaders had subpoenaed the information in January, as Republicans undertook a partisan election audit.
“The supervisors provided the vast majority of what the senators requested in their January subpoenas, including the county's ballots, voting machines and election information, which kicked off the months-long audit of the 2020 general election,” Jen writes. “But they did not provide the county's routers or copies of routers, which are not used to transfer election results.”
Maricopa County officials say that handing over sensitive equipment like Internet routers would pose a cybersecurity risk.
Hill happenings
House lawmakers want to fund an FTC digital division to police online privacy and cybersecurity violators.
House Democrats proposed allocating about $1 billion to the division, Tony Romm and Cat Zakrzewski report. The bill would also give the Commerce Department $10 billion to monitor supply chains for cybersecurity and national security threats. Lawmakers announced the boosts as they race to finalize a sprawling $3.5 trillion spending plan by next week.
Industry report
The cybersecurity industry needs to consider new initiatives to boost diversity, a think tank said.
The recommendations from Aspen Digital and the Aspen Tech Policy Hub include:
- Setting up a coalition to look at the value of cybersecurity certification programs
- Gathering and publishing anonymous data on attributes of successful cybersecurity hires
- Examining whether rigorous criminal background checks weed out good candidates
- Forming a task force to track whether executives are following through with cybersecurity diversity, equity and inclusion initiatives
- Creating a coalition to publish best practices on how to set up diversity, equity and inclusion mentorship programs
A less diverse cybersecurity workforce could harm the nation’s cybersecurity, Mai Sistla, deputy director of the Aspen Tech Policy Hub, told us. It raises the likelihood cyber pros will misunderstand how different groups interact with technology and build products or protocols that don’t work for them, she said. “If you don’t have a diverse industry, there are all these perspectives you’re missing,” Sistla said.
Daybook
- Director of National Intelligence Avril Haines; Gen. Paul Nakasone, who leads the NSA and U.S. Cyber Command; National Cyber Director Chris Inglis and others speak at the two-day Intelligence and National Security Summit, which begins Sept. 13.
- Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, keynotes the Insider Risk Summit on Sept. 14.
- Rep. John Katko (R-N.Y.), the top Republican on the House Homeland Security Committee, and Google executive Jeanette Manfra, a former CISA official, discuss cybersecurity at a Washington Post Live event on Sept. 14 at 12:30 p.m.
Secure log off
Today’s second @washingtonpost quarantine TikTok features a bad dream that @ByChrisVazquez told @KashaPatel about https://t.co/UkKgS9q0tG pic.twitter.com/Qu8KcejwqX
— Washington Post TikTok Guy 🪑 (@davejorgenson) September 9, 2021