Imagine if in early 1941, the government were warning Americans of an attack on Pearl Harbor but could not decide whether to declassify the fact that the Japanese had aircraft carriers and had conducted surprise naval attacks against rivals before. The military might fret that they were seen as vulnerable, despite millions spent on defense, and intelligence officers would worry they might betray sources and methods. This is similar to what we face today with US government warnings of a digital equivalent.
We have been warning about a “cyber Pearl Harbor” for at least 20 of the 70 years since the actual Pearl Harbor. Recently, US defense secretary Leon Panetta used this imagery again, saying the collective result of cyber attacks could be a “cyber Pearl Harbor . . . an attack that would cause physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability.” Many cyber professionals quickly complained that such a comparison is overused, inaccurate, or trite. While the possibility of a catastrophic first cyber strike is indeed not a new idea – and likely fails to capture just what such an attack would be like – Panetta is using this loaded phrase to startle people, to convince them we are not paying enough attention to our cyber problems. He is therefore probably right to re-raise the specter of a cyber Pearl Harbor, but the government needs to back up this warning with hard, declassified data.
The US government approach, led by the Department of Homeland Security, remains poorly designed to convince people of the need for action, as it is centered on the “Stop. Think. Connect” campaign. While useful to get out the basic ideas, the program has itself failed to connect as it compares cybersecurity to “hygiene” or looking across the street to ensure it is safe. Not only does the photo on the webpage banner of Harold the smiling deportation officer somewhat detract from the message, but most of us are connected all the time with no time to think beforehand. Worse, the worst online threats are not ones that can be so easily defeated – if an attacker shows even a modicum of sophistication or determination, they are likely to succeed even if you’ve stopped and thought.
It is no surprise that America remains unconvinced and that the administration is reaching for more visceral imagery. The cyber Pearl Harbor meme has a long history. In 1991, Winn Schwartau warned Congress that “Government and commercial computer systems are so poorly protected today they can essentially be considered defenseless — an Electronic Pearl Harbor waiting to happen.” Then-deputy attorney general Jamie Gorelick in 1998 raised the bar even higher: “Some day we will wake up to find that the electronic equivalent of Pearl Harbor has crippled our computer networks and caused more chaos than a well-placed nuclear strike.”
But these past warnings, like Panetta’s, have lacked any sufficiently worrying specifics. Moreover, these warnings are not part of an overall campaign and their impact is further diluted by often being mixed in with other cyber topics mostly unrelated to security, like online pornography or poker, Internet freedom, or illegal file sharing.
A better solution is clear. A simple model for thinking about risk communication was created by Peter Sandman, the doyen of the field. He explains that situations are either high or low hazard (“how much harm it’s likely to do”) and high or low outrage (“how upset it’s likely to make people”). When people are upset about a problem that is not very serious (cyber terrorism) then the proper risk communication strategy is Outrage Management to calm them down. But, if hazard and outrage are both high, then the strategy is Crisis Communication – “we’ll get through this together.”
But cybersecurity is not like either of those. It is more like pandemic planning, and Sandman describes high-hazard, low-outrage problems as Precaution Advocacy: “alerting insufficiently upset people to serious risks. Watch out!” A government campaign centered on Precaution Advocacy would seek to “arouse some healthy outrage and use it to mobilize people to take precautions or demand precautions” to convince people of the threat of cyber crime, cyber espionage or attacks on critical infrastructure.
The overall effect has been to leave too many Americans unconvinced of the need for new legislation or other protective measures by the government or industry, so Panetta’s imagery of Pearl Harbor can be an important starting point. Yet, without a compelling message, without a clear statement of the facts, the government has left the field to those who fear any improvement in security must come at a loss of liberty and privacy.
Is it any surprise the government is not considered a very credible voice when it provides no worthwhile metrics and provides no proof because such information is classified? If the Chinese are stealing so much of our information that it is “the biggest transfer of wealth through theft and piracy in the history of mankind,” then the government must try to prove it, not just assert it (or leak it). Cybersecurity champions should learn and start applying Sandman’s 20 tried-and-true techniques for successful Precaution Advocacy, including the importance of keeping messages short, interesting and clear; seizing teachable moments; and “express empathy for apathy.”
We have had all sorts of teachable moments, yet several administrations have concealed the details rather than taught them. Sometimes details are concealed because of a mistaken faith in counterintelligence, or a forlorn hope of bringing a court case. Other times, releasing details of the incident could theoretically have revealed vulnerabilities in government defenses or in the stolen details of a major weapon system.
In Precaution Advocacy people need to be convinced there is a problem. DHS should lead this charge to give American citizens the information they need to see the problem is severe and one they should be outraged about. Nearly every American has a personal experience with cyberspace, yet may not be equipped to understand how the then-Chairman of the Joint Chiefs of Staff could see cyber as “one of two existential threats that are out there, the other being nuclear weapons.”
To get sufficient attention to his warning, the secretary of defense (along with the secretary of homeland security and director of national intelligence) must cut through these excuses and release details on past incidents and current information on just how bad the threat is today, declassifying documents if necessary.
Moreover, the administration and Congress can give a much clearer message by disentangling cybersecurity from measures to fight online piracy of movies, television and music. If Chinese espionage is a critical national security problem, the government must not call it “intellectual property theft” which puts it on the same level as pirated movies.
The US government must support statements like this one (from) with unclassified or declassified facts to win over enough of the doubters. If not, then it will never have a message convincing enough in the face of the threat. After two decades, yelling “fire” to get attention isn’t enough and people must smell the smoke and feel the heat on their own faces.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.