What gets lost in ‘cyber Pearl Harbor’-style rhetoric
Over a year into the coronavirus pandemic, more people have become accustomed to doomsday talk. Americans following public officials’ remarks about cybersecurity, though, may have been expecting a kind of digital apocalypse for decades.
Phrases like “cyberbombs” and “cyber 9/11” have for years served as rhetorical catchphrases for national security officials trying to amplify their messaging or secure cyber-related funding from Capitol Hill. In 2012, then-Defense Secretary Leon Panetta warned the U.S. was under threat from a “cyber Pearl Harbor” that could involve foreign hackers derailing trains carrying lethal chemicals.
While the use of dire language might be helpful in generating attention, some former Western intelligence officials now are wondering whether the use of fear-inducing language has had its intended effect.
In recent weeks, the U.K. issued its Integrated Defense Review, a strategic national security document which describes how the government might use nuclear weapons in the event that an adversary attacked Britain with “emerging technologies.” Observers extrapolated on the vague language to interpret the meaning to assume the U.K. could use nuclear weapons in response to cyberattacks, although the review doesn’t explicitly state that.
The government’s chest-beating communication style is partly to blame for what Ciaran Martin sees as misconstrued headlines on the topic.
“The language of leaders has been that ‘cyber will be a catastrophe,’” said Martin, the founding head of the National Cyber Security Centre, part of the U.K.’s Government Communications Headquarters (GCHQ). “It [previously] was a more eye-catching way of talking about it rather than saying ‘the pernicious ubiquitous loss of data on a gargantuan scale on a daily basis.’ That’s very hard to conceptualize and it’s also very hard to describe the harm it does.”
The use of overheated terms could also unintentionally lead to deep-rooted second- or third-order effects that could have negative ramifications for global security, Martin added.
“The language of ‘cyber war,’ I think, engenders a certain amount of helplessness in mainstream organizations,” he said. “You infantilize people by essentially telling them it’ll be about big weapons of war. You end up, in a sense, accidentally conveying a message that this is something they can’t do anything about.”
In recent months, U.S. lawmakers have questioned whether a sweeping hacking operation involving the federal contractor SolarWinds amounted to an act of war. Members of the intelligence community, on the other hand, have described the incident as a broad espionage operation.
Marcus Willett, the first director of cyber at Britain’s GCHQ, urged a sober approach, writing in a March 31 editorial for the International Institute for Strategic Studies, a think tank, that “it is neither accurate nor sensible for U.S. commentators to characterise [the suspected Russian effort] as an act of war requiring warlike retaliation.”
As efforts to help conceptualize cyberthreats have matured over the past several decades, catastrophic cybersecurity language like “cyber Pearl Harbor” should be retired, according to Jan Kallberg, a research fellow at the Army Cyber Institute at West Point.
“‘Cyber Pearl Harbor’ might have served its purpose one to two decades ago to help us visualize the broad scope of impact cyber-attacks could have, but today it is an outdated metaphor,” Kallberg wrote in a recent Cyber Wire editorial. “The relevance is largely gone, and overusing it belittles the complexity of cyber.”
Leon Panetta suggested the reality is a little more complicated.
The former Defense Secretary and ex-CIA director says that using rhetorical language sometimes is necessary because, in his estimation, people outside the cybersecurity community still don’t have a firm grasp on the geopolitical stakes, or just how much their day-to-day lives could be affected by cybersecurity incidents.
“Using that language is basically, you know, a club across the head when you’re dealing with that jackass who won’t pay attention,” Panetta told CyberScoop in a recent interview.
Panetta acknowledged that the “cyber Pearl Harbor” terminology may be less useful than it was a decade ago and that in professional circles, crisis-laden terms may be less relevant.
“I don’t think we should underestimate the complexity involved in the issue, and the understanding of just exactly what technology is involved and the nature of the threat we’re talking about,” Panetta said. “At the same time, I think … you have to use language that the American people understand” if speaking publicly.
Months before Panetta delivered his 2012 remarks, hackers targeted Saudi Aramco, wiping or destroying more than 30,000 of the oil giant’s computers, forcing the company to conduct business on paper. It’s a breach security researchers suspected to have roots in Iran.
”Our adversaries were continuing to develop their cyber capabilities and I was concerned that not enough attention was being paid to the threat from a potential cyber attack,” Panetta says now. “And I really felt it was important to kind of highlight the potential damage that a cyberattack could have on our country.”
The U.K.’s Martin said he thinks that for now, many lawmakers’ understanding of information security is still evolving, suggesting that a lack of nuanced understanding in powerful political circles could be holding back the cybersecurity community from moving toward more complex discussions about hacking and cybersecurity.
But, to Martin and Kallberg’s concerns about cybersecurity details getting lost in translation, using obscure language can, instead of inviting outsiders to pay attention, distort meaning in a way that can be blinding and ultimately disengaging, according to research published last year in the Journal of Language and Social Psychology.
The study found that when people are exposed to jargon-like phrases in science or political contexts, they lose interest. The study did not touch on cybersecurity language specifically.
“Language is one part of our portfolio of status signals that we use to show off that we’re a part of a group…or that we’re competent,” said Zachariah Brown, a Columbia Business School doctoral candidate focusing on leadership and behavioral economics who has published research about when people use jargon in professional contexts.
“But … if you’re overdoing it, it actually reduces fluency,” said Brown.