Much current cybersecurity discourse is inspired by a vivid and compelling image: terrorists remotely taking over dams, nuclear power plants or other critical infrastructure in order to wreak havoc and kill large numbers of Americans. In , congressional staffers pushing for new government powers argued that their legislation was needed to prevent cyber attackers from accessing a system that could “cause the floodgates to come open at the Hoover Dam and kill thousands of people.” There’s only one problem: officials at the Dam told reporters that “Hoover Dam and important facilities like it are not connected to the internet.” The incident shows that threat inflation combined with the power of a vivid image or narrative can override facts and drive policy. Congress should be aware of the facts before charging forward with privacy-busting legislation like the .
Alarming cybersecurity stories continue to appear in the media. Even an attentive reader of the news over the past half-decade could be forgiven for believing that hackers have infiltrated the U.S. electricity grid, caused blackouts, and vandalized a local U.S. utility. When examined closely, however, none of those incidents holds up as an example of the dangers of cybersecurity vulnerabilities:
•In repeated statements – mostly vague hints and claims by unnamed security agency officials – , and that two U.S. blackouts were caused by hackers. Some cybersecurity officials reportedly claimed that the massive 2003 blackout that cut power across 8 U.S. states had been traced to . But, a detailed by the North American Electric Reliability Corporation pointed to numerous sources of the problem, a list that did not include hackers.
•Tłó±đ and have claimed that cyberattacks caused a blackout overseas, apparently in . However, Brazilian government experts who investigated the blackout for a year concluded that (the real cause was negligent maintenance by a power company) – and that the control systems for Brazil’s grid are (smartly) not even directly connected to the internet.
•Another set of scary headlines made the rounds after the failure of a utility’s water pump outside Springfield, Illinois. Computer logs indicated that system computers had been “hacked into” from a computer located in Russia. Breathless claimed it “could be the first known foreign cyber attack on a U.S. industrial system.” However, it soon emerged that the at the Illinois Statewide Terrorism and Intelligence Center (aka the Illinois “fusion center”). In fact, the pump failure was a routine burnout, and it was an who had logged into (not hacked) the Illinois computers remotely.
Unfortunately, in most of these cases, the number of people who saw the original, scary story probably far exceeds the number who saw and had the context to understand the correction or the fine print setting it in proper perspective. That does not mean the threat is not out there; a future cyberattack could be destructive and we should be taking common sense steps to try to prevent it. But the truth is no one knows just how real this risk is. Let’s have a cybersecurity debate based on the real facts, not hyperbole.