US Army Gen. Keith Alexander, commander of US Cyber Command and director of the National Security Agency (NSA), delivers opening keynote remarks September 25, 2013 during the fourth annual Cybersecurity Summit held in Washington, DC. Jim Watson/AFP/Getty Images

When members of Congress talk cybersecurity, it doesn’t take long for the discussion to turn apocalyptic. The Feb. 27 meeting of the Senate Intelligence Committee was no different when Lindsey Graham, R-S.C., asked Gen. Keith Alexander, retiring director of the National Security Agency (NSA) and commander of United States Cyber Command, to describe in 30 seconds what a major cyberattack could do to the United States.

“I think they could shut down the power in the Northeast,” Gen. Alexander responded. “Shut down the New York stock exchange … shut down some of our government networks … impact our transportation areas … water supplies, they could do damage to that.” If something like this occurred, according to Alexander, the wreckage could include thousands of dead Americans and trillions of dollars in damage.

“On the cyber front, you’ve described a Pearl Harbor on steroids,” Graham replied. Alexander did not disagree.

While there are legitimate cyberthreats in the world, these melodramatic hypotheticals don’t help real cyberdefense and deterrence. Instead they serve only to create a sense of urgency around passing rash and overreaching laws that undermine Americans’ privacy even more — a tall task after whistle-blower Edward Snowden’s revelations. (Full disclosure: The American Civil Liberties Union, for which I work, represents Snowden.)

Should you panic or lose sleep over the prospects of a cyber–World War III? No. Don’t unplug and move to a cabin in the woods just yet. As an average person, you are far more likely to be affected by everyday Internet crime that can be thwarted by sensible precautions. If there is an immediate risk, it is that your credit card number will be stolen or that you will be enticed to click on a phony link and share sensitive information.

But even when talking about sensitive targets that have far-reaching implications, such as electrical grids and government systems, the demonstrated weak points invariably rest with human error — failing to change default passwords, plugging compromised memory sticks into computers or losing entire unencrypted laptops. Of course, this sort of mundane incompetence is not the basis of Jason Bourne movies and isn’t incredibly sexy. The slow grind of fixing these sorts of problems won’t necessarily net contractors large contracts or land a member of Congress on “Meet the Press.”

One of the most troubling aspects of overhyping cyberwar and cyberterrorism is that it can easily become a bait and switch to allow the military to operate inside the United States, which violates constitutional principles about a civilian-controlled country. Instead of focusing on how to better protect those electrical grids directly, for example, the conversation often turns to how companies and the government should be unleashed on the Internet, with privacy and First Amendment rights of everyday users seen as expendable.