During an afternoon session at ICCS, Martin Libicki, Ph.D., senior management scientist at RAND Corporation, described how in 2010, top U.S. officials conducted a simulated cyber attack in which smartphone-based malware took down the cellular system and the power grid.
What followed, Libicki said, was “a panoply of poor ideas.”
In his talk, “Cyber 9/11: Race to React,” Libicki outlined the proposals that came out of the cyber attack simulation. These ideas—which he said are examples of what not to do on a cyber 9/11—included:
- a national “kill switch,” which would allow the president to shut down the Internet in order to curb further spread of malware. Libicki warned that clever hackers could easily hijack such a kill switch. “Why do hackers’ job for them?” he asked;
- a national firewall, or an intrusion detection and protection system mounted on the nation’s Internet service providers. This idea, though, would be not only exorbitant—implementing it could cost $20 billion per year—but also ineffective, since it wouldn’t protect against insider attacks and would instead create a false sense of security; and
- an Internet user license that would require users to be certified prior to being able to use the Internet. Libicki pointed out that this would bar many people from using the Internet, and it focuses too much on user behavior rather than on improving the architecture of the Internet itself.
It is equally important to craft the right narrative about a cyber attack, he said, by calling these attacks crimes rather than acts of war. On the practical side, there are established legal and financial structures in place to handle crimes, whereas wars tend to be ill-defined and costly.
Avoiding talk of war also has an important rhetorical upshot.
“Do we want [cyber] terrorists to think of themselves as criminals? Or do we want them to think of themselves as warriors?” he said.