As the nation spent this week pondering the wisdom of its decision to invade Iraq a decade ago, a witness urged Congress on Wednesday to consider more carefully how the United States will respond to a cyber 9/11 should one occur and to weigh carefully the use of strong statements that could force the nation to respond forcefully to a cyberattack, whether doing so is wise or not.

Referring to last week's announcement by the U.S. director of national intelligence that cyberattacks were the biggest threat the nation faced, Martin Libicki, senior management scientist at the RAND Corporation, told the House Homeland Security Committee that making strong statements about cyberattacks "tends to compel the United States to respond vigorously should any such cyberattack occur, or even merely when the possible precursors to a potential cyberattack have been identified. Having created a demand among the public to do something, the government is then committed to doing something even when doing little or nothing is called for."

Put in perspective, cyber attacks might disrupt life, but they cannot be used to occupy another nation’s capital or force regime change. No one has yet died from a cyberattack either, he noted. Therefore, a cyberattack in and of itself, "does not demand an immediate response to safeguard national security," Libicki said during a hearing on cyberthreats against critical infrastructure from China, Russia and Iran.

In order to avoid a rash decision in the wake of an attack, he said the nation needs to exert now as much effort worrying about how to respond to such an attack as it spends worrying and warning that such an attack will occur.

"[W]e are right to be worried about a '9/11 in cyberspace,' but we also ought to worry about what a '9/12 in cyberspace' would look like," he said. +++inset-left

Martin Libicki.