Is hacking a real threat to the United States or is it just the latest overblown threat to national security, whose magnitude is being exaggerated to expand government budgets and power?

That's the question asked by Threat Level editor Kevin Poulsen at a panel in Computers, Freedom and Privacy in Washington, D.C., Wednesday. And it's important because the government is spending billions of dollars on computer security, and President Obama is elevating cybersecurity to a national priority, using language that makes even security experts wince.

Amit Yoran, a former Bush Administration cybersecurity czar, argues the answer is easy.

"Is hacking a national security threat?" Yoran said. "The one word answer is 'Yes.'"

As proof, Yoran pointed to stories about the denial-of-service attacks in Estonia, attacks on government contractor Booz Allen Hamilton and the recently reported breach of defense contractor computers that let hackers get at information on the Joint Strike Fighter.

"Cyber 9-11 has happened over the last 10 years, but it's happened slowly so we don't see it," Yoran said.

Poulsen called the threat of cyber-terrorism "preposterous," citing the long-standing warnings that hackers would attack the power grid — despite the fact that it has never happened. And he argued that calling such intrusions national security threats means information about attacks gets classified unnecessarily.

"If we can't publicly share info that the attackers already have — since it's about them — then we are doing far more harm than good," Poulsen said, arguing that classification makes it impossible for the security community at large to analyze or prepare defenses for such attacks.

Moreover, he pointed out the Joint Strike fighter example involved only unclassified information.

But security expert Bruce Schneier (a Wired.com columnist) said there are going to be cyberattacks that actually affect the real world, even though the risk is currently overblown.

"Remove the word cyber. It's just a new theater," Schneier said. "Of course there is espionage, and as data moves online, there is cyber-espionage. But is it a real threat?"

Schneier's answer is yes, but not as big a threat to infrastructure as natural disasters or bad code.

"We have to be robust against hackers and Murphy," Schneier said, referring to Murphy's law.

Dr. Herb Lin, a cyberattack expert at the National Research Council, called the scoffing naive, saying he could imagine hackers getting into classified command-and-control systems, for one.

But he lamented that much of the current dialogue is about about cyberwar and cyber-terror, when the largest threat is in cyber-espionage — which is not considered an act of war.

"We can see why the press and government agencies talk about cyber-terror and cyberwar," Lin said, referring ostensibly to page views and budgets, respectively. "But we don't consider spies inside the United States to be an attack on the United States."

Yoran did admit that cyber-terrorism was improbable, but stuck to his point that there are significant national security threats from hackers.

Lin says the government needs to think about getting its own cyberattack capability.

"Passive defenses alone are not sufficient," Lin said. "You have to impose costs on an attacker and maybe the only way to do that is a cyberattack yourself. The good guys have always had some sort of offense too."

Lin was dumbstruck by Poulsen's dismissal of the examples that the government, including President Obama, have used as evidence that there is a massive cybersecurity threat – specifically Obama's recent description of a November USB thumb-drive virus attack as one of the biggest cyberattacks against the U.S. military.

"Why is something that is an obvious threat not considered a threat to national security?" Lin asked.

"The point is that the way you frame these issues matters," Schneier explained.

In fact, they do matter — since now the government is pouring billions of dollars into cybersecurity for its own networks, and possibly the general public's net — a far change from the government's relative indifference to such issues until about two years ago.

Indeed, even Amit Yoran, who quit his post in the Bush Administration as cyber czar in October 2004 after having gotten little support during his one-year tenure, admitted his job might have been easier, and he might not have quit, if cyberattacks had the media attention then that they do now.

See Also: