October 29, 2014

Cyber Attacks Likely to Increase

Summary

The Internet has become so integral to economic and national life that government, business, and individual users are targets for ever-more frequent and threatening attacks.

In the 10 years since the Pew Research Center and Elon University’s Imagining the Internet Center first asked experts about the future of cyber attacks in 2004, a lot has happened:

  • Some suspect the Russian government of attacking or encouraging organized crime assaults on official websites in the nation of Georgia during military struggles in 2008 that resulted in a Russian invasion of Georgia.
  • In 2009-2010, suspicions arose that a sophisticated government-created computer worm called “Stuxnet” was loosed in order to disable Iranian nuclear plant centrifuges that could be used for making weapons-grade enriched uranium. The New York Times eventually published accounts arguing that the governments of the United States and Israel designed the worm and that a programming error allowed it to be propagated around the world on the internet.
  • The American Defense Department has created a Cyber Command structure that builds Internet-enabled defensive and offensive cyber strategies as an integral part of war planning and war making.
  • In May, five Chinese military officials were indicted in Western Pennsylvania for computer hacking, espionage and other offenses that were aimed at six US victims, including nuclear power plants, metals and solar products industries. The indictment comes after several years of revelations that Chinese military and other agents have broken into computers at major US corporations and media companies in a bid to steal trade secrets and learn what stories journalists were working on.
  • In October, Russian hackers were purportedly discovered to be exploiting a flaw in Microsoft Windows to spy on NATO, the Ukrainian government, and Western businesses.
  • The respected Ponemon Institute reported in September that 43% of firms in the United States had experienced a data breach in the past year. Retail breaches, in particular, had grown in size and virulence in the previous year. One of the most chilling breaches was discovered in July at JPMorgan Chase & Co., where information from 76 million households and 7 million small businesses was compromised. Obama Administration officials have wondered if the breach was in retaliation by the Putin regime in Russia over events in Ukraine.
  • Among the types of exploits of individuals in evidence today are stolen national ID numbers, pilfered passwords and payment information, erased online identities, espionage tools that record all online conversations and keystrokes, and even hacks of driverless cars.
  • Days before this report was published, Apple’s iCloud cloud-based data storage system was the target of a so-called “man-in-the-middle” attack in China that was aimed at stealing users’ passwords and spying on their account activities. Some activists and security experts said they suspected the Chinese government had mounted the attack, perhaps because the iPhone 6 had just become available in the country. Others thought the attack was not sophisticated enough to have been government-initiated.
  • The threat of cyber attacks on government agencies, businesses, non-profits, and individual users is so pervasive and worrisome that this month (October 2014) is National Cyber Security Awareness Month.

To explore the future of cyber attacks we canvassed thousands of experts and Internet builders to share their predictions. We call this a canvassing because it is not a representative, randomized survey. Its findings emerge from an “opt in” invitation to experts, many of whom play active roles in Internet evolution as technology builders, researchers, managers, policymakers, marketers, and analysts. We also invited comments from those who have made insightful predictions to our previous queries about the future of the Internet. (For more details, please see the section “About this Canvassing.”)

Overall, 1,642 respondents weighed in on the following question:

Major cyber attacks: By 2025, will a major cyber attack have caused widespread harm to a nation’s security and capacity to defend itself and its people? (By “widespread harm,” we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars.)

Please elaborate on your answer. (Begin with your name if you are willing to have your comments attributed to you.) Explain what vulnerabilities nations have to their sovereignty in the coming decade and whether major economic enterprises can or cannot thwart determined opponents. Or explain why you think the level of threat has been hyped and/or why you believe attacks can be successfully thwarted.

Some 61% of these respondents said “yes” that a major attack causing widespread harm would occur by 2025 and 39% said “no.”

Key themes: Yes, there will be major cyber attacks causing widespread harm

  1. Internet-connected systems are inviting targets. The Internet is a critical infrastructure for national defense activities, energy resources, banking/finance, transportation, and essential daily-life pursuits for billions of people. The tools already exist to mount cyber attacks now and they will improve in coming years—but countermeasures will improve, too.
  2. Security is generally not the first concern in the design of Internet applications. It seems as if the world will only wake up to these vulnerabilities after catastrophe occurs.
  3. Major cyber attacks have already happened, for instance the Stuxnet worm and attacks in nations where mass opposition to a regime has taken to the streets. Similar or worse attacks are a given.
  4. Cyber attacks are a looming challenge for businesses and individuals. Certain sectors, such as finance and power systems, are the most vulnerable. There are noteworthy divides between the prepared and the unprepared.

Key themes: No, there will not be major cyber attacks

  1. There is steady progress in security fixes. Despite the Internet’s vulnerabilities, a distributed network structure will help thwart the worst attacks. Security standards will be upgraded. The good guys will still be winning the cyber security arms race by 2025.
  2. Deterrence works, the threat of retaliation will keep bad actors in check, and some bad actors are satisfied with making only small dents in the system so they can keep mining a preferred vulnerability and not have it closed off.
  3. Hype over cyber attacks is an exaggeration of real dangers fostered by the individuals and organizations that will gain the most from creating an atmosphere of fear.

There was little disagreement that the spread and importance of the Internet in the lives of people, businesses, and government agencies exposes them all to new dangers.

As Jay Cross, the chief scientist at Internet Time Group, summarized his “yes” answer: “Connectedness begets vulnerability.”

Or, as Joel Brenner, the former counsel to the National Security Agency explained in the Washington Post this past weekend: “The Internet was not built for security, yet we have made it the backbone of virtually all private-sector and government operations, as well as communications. Pervasive connectivity has brought dramatic gains in productivity and pleasure but has created equally dramatic vulnerabilities. Huge heists of personal information are common, and cybertheft of intellectual property and infrastructure penetrations continue at a frightening pace.”

There was considerable agreement among the experts in this canvassing that individuals—their accounts and their identities—will be more vulnerable to cyber attacks from bad actors in the future and that businesses will be persistently under attack. Many said the most vulnerable targets include essential utilities. Many also believe that theft at a larger scale than is now being experienced and economic disruptions could be likely.

The experts had varying opinions about the likely extent of damage and disruption possible at the nation-state level. Many argued that cyber attacks between nations have already occurred, often citing as an example the spread of the Stuxnet worm. The respondents also invoked the Cold War as a metaphor as they anticipated the world to come. They argued that the cyber deterrence of mutually assured disruption or destruction would likely keep competing powers from being too aggressive against other nation-states. At the same time, they also anticipate the current cyber arms race dynamic will expand as nations and other groups and individuals ceaselessly work to overcome security measures through the design of potent exploits.

Some expect that opponents of the political status quo in many regions of the world will work to implement cyber attacks against governments or other entrenched institutions. One “yes” respondent, Dave Kissoondoyal, CEO for KMP Global Ltd., put it this way: “I would not say that a major cyber attack will have caused widespread harm to a nation’s security and capacity to defend itself and its people, but the risks will be there. By 2025, there will be widespread use of cyber terrorism and countries will spend a lot of money on cyber security.”

Some observed that the Internet’s expansion will multiply vulnerabilities of all types, even inside one’s home. Tim Kambitsch, an activist Internet user, wrote, “The Internet of Things is just emerging. In the future, control of physical assets, not just information, will be open to cyber attack.”

Some respondents who know the technology world well, but are not privy to insider knowledge about cyber threats, expressed uncertainty about the state of things and whether the disaster scenarios that are commonly discussed are hyped or not. The vice president of research and consumer media for a research and analysis firm observed, “There are serious problems, but it’s not clear that those who are directing the hype are focused on the correct problems or solutions. So, the problem is both serious and over-hyped.”

Security-oriented experts expressed concerns. Jeremy Epstein, a senior computer scientist at SRI International, said, “Damages in the billions will occur to manufacturing and/or utilities but because it ramps up slowly, it will be accepted as just another cost (probably passed on to taxpayers through government rebuilding subsidies and/or environmental damage), and there will be little motivation for the private sector to defend itself. Due to political gridlock and bureaucratic inertia, the government will be unable to defend itself, even if it knows how. The issue is not primarily one of technical capability (although we’re sorely lacking in that department). The primary issue is a lack of policy/political/economic incentives and willpower to address the problem.”

These are among a number of broad themes threaded through the experts’ written elaborations in response to this many-layered issue. This report begins with a summary of key comments in three sections: first, remarks from those that expect a major cyber attack by 2025; second, a summary of the comments of those who disagree; and third, elaborations that go beyond the boundary of the specific question.

Following this initial 25-page summary of the findings, we include three more sections with additional insightful observations segmented in identical fashion.

Themes among those who expect ‘yes,’ there will be major cyber attacks

‘Yes’ respondents theme 1) Internet-connected systems are inviting targets. The Internet is a critical infrastructure for national defense activities, energy resources, banking/finance, transportation, and essential daily-life pursuits for billions of people. The tools already exist to mount cyber attacks now and they will improve in coming years—but countermeasures will evolve, too.

Joe Kochan, chief operating officer for US Ignite, a company developing gigabit-ready digital experiences and applications, wrote, “Cyber attacks will become a pillar of warfare and terrorism between now and 2025. So much of a country’s infrastructure—commerce, finance, energy, education, health care—will be online, and gaining control of or disrupting a country’s online systems will become a critical goal in future conflicts.”

Mark Nall, a program manager for NASA, responded, “Current threats include economic transactions, power grid, and air traffic control. This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure. In addition to current methods for thwarting opponents, growing use of strong artificial intelligence to monitor and diagnose itself, and other systems will help as well.”

Geoff Livingston, author and president of Tenacity5 Media, responded, “Cyberwar is the battlefield of now. Don’t kid yourself. Battlefields in Sudan, Afghanistan, and Syria are real, but there is a new battlefield and every day wars are won and lost between individuals, businesses, and countries. The Pentagon and China’s military are regularly engaged in digital spats. We really have no idea how deep this goes, but we are much closer to William Gibson’s vision in the seminal cyberpunk novel Neuromancer than any of us would like to admit.”

Herb Lin, chief scientist for the Computer Science and Telecommunications Board at the National Research Council of the US National Academies of Science, replied, “More likely is cyber sabotage of individual enterprises. On a large scale, cyber attacks may be combined with kinetic attacks and the combination may cause large-scale damage.”

Christian Huitema, a distinguished engineer with Microsoft, observed, “We are already witnessing the theft of trade secrets, with impact well worth tens of billions of dollars. We are also seeing active development of cyber weapons by many world powers. Historically, such new weapons are always used at least once or twice before nations realize it is too dangerous and start relying on diplomacy.”

Stewart Baker, a partner at Steptoe & Johnson, a Washington law firm, wrote, “Cyberwar just plain makes sense. Attacking the power grid or other industrial control systems is asymmetrical and deniable and devilishly effective. Plus, it gets easier every year. We used to worry about Russia and China taking down our infrastructure. Now we have to worry about Iran and Syria and North Korea. Next up: Hezbollah and Anonymous.”

Lee McKnight, a professor of entrepreneurship and innovation at Syracuse University’s School of Information Studies, said, “Cyber security extortionists just made $100 million in 60 days (see ‘Cryptolocker’). So on one hand it is easy to extrapolate and imagine significant harm done to individual users and institutions given the black hats’ upper hand in attacking systemic vulnerabilities, to the extent of tens of billions in financial losses; and in loss of life. But security systems are progressing as well; the white hat good guys will not stop either. While inter-connected digital systems will be far more pervasive in 2025, they will still be, largely, amalgams of not fully automated and interconnected systems, which also provides a degree of insulation against national cyber attacks causing the degree of harm to people and property imagined by this question. While in principle all systems are crackable, it is also possible to embed security far more deeply in the Future Internet than it is in the present Internet environment. Obviously it is in the interest of the cyber security industrial complex and its participating firms to hype threats. On the other hand, a great deal of critical infrastructure is very vulnerable to cyber and physical attack. Imagining bad scenarios where those facts intersect is worrisome, but I remain optimistic the good guys will keep winning; in general.”

‘Yes’ respondents theme 2) Security is generally not the first concern in the design of Internet applications. It seems as if the world will only wake up to these vulnerabilities after catastrophe occurs.

Patrick Tucker, futurist and author of The Naked Future: What Happens In a World That Anticipates Your Every Move? said, “Today, cities around the world use supervisory control and data acquisition (SCADA) systems to manage water, sewage, electricity, and even traffic lights. Independent analysis has found that these systems suffer from 25 different security vulnerabilities. That’s bad enough, but then consider how human error and incompetence makes these common systems even less secure. Many of the IT managers that use these systems haven’t changed the manufacturer-installed security codes. As writers Indu B. Singh and Joseph N. Pelton have pointed out in The Futurist magazine, that failure to take even the most basic security precautions leaves these systems open to remote hacking.”

Stuart Umpleby, a systems theory expert and professor at George Washington University, wrote, “In addition to cyber attacks there are threats from individuals who have access (e.g., Manning, Snowden, Bernie Madoff, Steven Cohen). Digital equipment is vulnerable to solar flares and EMP (electromagnetic pulse). There can be overlooked or underestimated design flaws (e.g., the Y2K bug, Long Term Capital Management, financial derivatives, or the change in the Glass-Steagall Act). Possible solutions: 1. Decentralization can stop cascade effects. However, decentralization plus connection can lead to vulnerabilities since no one is in charge. 2. Oversight and regulation. However, technical regulation requires highly skilled people and the private sector pays higher salaries. Firms also try to keep secrets. In finance the banks are now in a position to write the rules that regulate them. Big banks are getting bigger. So far losses in the billions have been due to financial and political design flaws more than technical design flaws.”

Elena Kvochko, manager for IT industry at an international organization based in New York, noted, “The possibility of a widespread cyber attack on national critical infrastructure is a major concern for many governments. The scope and the consequences of such attacks may be different for different nations. However, a large portion of critical infrastructure facilities still rely on software and technology created decades ago and which has not been upgraded. The level of sophistication of adversaries generally progresses much faster, therefore, it is important to implement adequate measures to ensure a proper protection of critical assets and capabilities.”

An executive for a major national news organization in the US wrote, “The government and the private sector are responding too slowly to this threat. We’ve already seen the US Chamber of Commerce hacked, allegedly by the Chinese. We’ve seen numerous ‘botnet’ attacks on financial institutions that have rendered their sites unusable for hours at a time. And, at the moment, there’s little political will to impose minimal cybersecurity standards even on ‘essential’ businesses, such as electric utilities, telecommunications companies and financial institutions. Some Obama administration officials have warned of a coming ‘Cyber Pearl Harbor.’ Still, the public and many businesses seem sanguine about this possibility.”

Ben Fuller, dean of humanities and sustainable development at the International University of Management in Windhoek, Namibia, responded, “A major vulnerability lies in the capacity of nations and businesses to understand cyber threats and to take prudent preventative steps. For example, I am involved in the administration of .NA here in Namibia. A few years ago we were one of the first ccTLDs worldwide to implement Internet Domain Name System Security (DNSSEC). DNSSEC is an important security protocol for Domain Name System operations. Implementing DNSSEC is neither complicated nor prohibitively expensive. Namibia, despite its apartheid past, has grown into an upper-middle-income country according to the World Bank, hence our economy depends heavily on the Internet—the banking, financial, mining, transport, and tourism sectors in particular. Yet, local interest in adopting DNSSEC has been disappointing. This is one instance where network administrators are not taking advantage of existing tools to improve network security. One wonders if our experience with DNSSEC represents a larger pattern.”

Vanda Scartezini, a partner in Polo Consultores Associados, based in Brazil, replied, “I do believe one or two major attacks—attacking critical infrastructure such as general utilities like electricity or water, with huge consequences on day-to-day life—will happen until the real efforts on cyber security come to a common agreement among all nations. I believe it will happen in a small, developing country first and then a more relevant country will be the target and the impact will bring all parties to the table of negotiation followed by the action needed.”

‘Yes’ respondents theme 3) Major cyber attacks have already happened, for instance the Stuxnet worm and attacks in nations where mass opposition to a regime has taken to the streets. Similar or worse attacks are a given.

A notable number of respondents cited Stuxnet and other acts against various populations as evidence that cyber attacks were now integrated into national military and intelligence strategies.

The Stuxnet computer worm, according to a publication of the Institute of Electrical and Electronics Engineers, infected the software of at least 14 industrial sites in Iran several years ago. A worm is not like a computer virus, which must be installed—unwittingly—by a user in order to work. Instead, a worm spreads on its own among computers once it has been introduced to a network. In the case of Stuxnet the worm targeted computer systems tied to production of Iran’s nuclear program and helped destroy as many as a fifth of the centrifuges.

Jason Pontin, editor in chief and publisher of MIT Technology Review, wrote, “Oh, sure it is possible. Although not at your defined level, there has already been a ‘Pearl Harbor’ event: the Stuxnet computer worm that was used to attack Iran’s nuclear capabilities. Do we really believe that the infrastructure of a major industrial power will not be so attacked in the next twelve years? The Internet is an insecure network; all industrialized nations depend on it. They’re wide open.”

Stowe Boyd, lead researcher for GigaOM Research, said, “A bellicose China might ‘cyber invade’ the military capabilities of Japan and South Korea as part of the conflict around the China Sea, leading to the need to reconfigure their electronics, at huge cost. Israel and the United States have already created the Stuxnet computer worm to damage Iran’s nuclear refinement centrifuges, for example. Imagine a world dependent on robotic farm vehicles, delivery drones, and AI-managed transport, and how one country might opt to disrupt the spring harvest as a means to damage a neighboring opponent.”

Judith Perrolle, a professor at Northeastern University in Boston, wrote, “The US government’s series of cyber attacks on citizens, economic entities, and governments around the world has already done this. People have died from faulty equipment producing gas pipeline explosions and from drone bombings of civilians. US companies have lost billions worth of business as foreign customers no longer trust their products and services. One way to counter such attacks is by diplomacy and respect for international law, especially by the United States. As one of my students once titled a paper on Stuxnet: ‘People who live in electronic houses shouldn’t throw worms.’ A second line of defense is to design computer and information systems to be more secure. Our current systems are incredibly vulnerable, by design. US cyber security efforts seem dedicated to breaking into computer systems, not securing them.”

Maurice Vergeer, an assistant professor at Radboud University Nijmegen in the Netherlands, replied, “It probably will. Estonia was one of the first countries that suffered a major cyber attack some years ago. If an agency can create something like Stuxnet to sabotage Iranian nuclear facilities, it’s a question of time for another agency to come up with another piece of malware to sabotage essential infrastructure. The problem is that because of the Internet of things, this is even more likely because most computers and machines will be connected to the Internet. Even when security is tight, the human factor is probably the weakest link.”

‘Yes’ respondents theme 4) Cyber attacks are a looming challenge for businesses and individuals. Certain sectors, such as finance and power systems, are the most vulnerable. There are noteworthy divides between the prepared and the unprepared.

Henning Schulzrinne, Internet Hall of Fame member and a technology developer and professor at Columbia University, said, “Primarily financial services (both trading and financial transactions) and maybe the power grid seem vulnerable and their disruption is most likely to inflict large collateral damage. Both are dominated by legacy systems, with a limited willingness to make the necessary investments in upgrades and, particularly for utilities, limited technical depth in their staff.”

Jim Warren, longtime online freedom and privacy advocate and editor/publisher of microcomputer periodicals, responded, “It seems likely that there will be far more cyber-attacks for the purpose of theft and/or economic harm to their targets, than for the purpose of causing physical harm to individuals or groups.”

Tim Bray, an active participant in the IETF and technology industry veteran, made this basic point, even though he answered “no” to the overall question: “I’m sure there will be devastating economic attacks against companies, sectors, and perhaps whole economies, mostly executed by criminals for gain. But I don’t anticipate much in the way of successful state versus state attacks.”

Mike Roberts, Internet pioneer and former CEO with ICANN and longtime Internet Society leader, responded, “The distributed ‘network of networks’ architecture protects us from a concerted attack that brings down major sections of the Net. Having said that, businesses are forced to spend sums they never imagined in order to protect their ability to provide goods and services over the Net, and governments are discovering they can’t fake a commitment to security for their own facilities. The Obamacare server fiasco is just one of the more visible examples of politicians believing their own hype about the Net. There ought to be a highly regarded annual award for ‘demonstrated Internet security competence.’”

An employee of the Network Information Center observed, “The biggest vulnerabilities are with the financial, energy, and transportation sectors—which represent the soft underbelly of our society and are increasingly under siege from thwarted cyber attacks. In the end, I believe we can keep opponents at bay, but it will require a significantly larger investment by government and industry and the cyber security industry will become a significantly larger employer as a result.”

Ray Schroeder, associate vice chancellor for online learning at the University of Illinois-Springfield, wrote, “I fear a cyber attack that will bring down key parts of the national infrastructure and severely damage the economy. I do not expect the Internet itself to suffer irreparable harm. But through the Internet, such infrastructures as the power grid; water and sewage services; hard-wired telephone and cell phone networks may be impaired. These, in turn, would put enormous pressures on the economy and alternative service models. Daily, there are thousands of attacks that are thwarted. But, it is only a matter of time before a large-scale attack succeeds. The key will be to establish effective models for recovery and support.”

Themes among those who responded ‘no,’ there will not be major cyber attacks

‘No’ respondents theme 1) There is steady progress in security fixes. Despite the Internet’s vulnerabilities, a distributed network structure will help thwart the worst attacks. Security standards will be upgraded. The good guys will still be winning the cyber security arms race by 2025.

Bill Woodcock, executive director for the Packet Clearing House, responded, “Not unless there’s significant inflation between now and then. Direct losses associated with cyber attacks are always difficult to calculate and attribute. Indirect and intangible losses from large attacks may easily top tens of billions of today’s dollars, or even relative value accounting for enlargement of the economy between now and then. We’re at least 25 years into cyber attacks now, and although they get larger, and the economy and population become more dependent upon the resources that are vulnerable to them, they still don’t have the effect on physical assets and infrastructure that doomsday-predictors have always worried they would. I’m not sure that problem will get worse as people become more sophisticated. I think we’re already over that hump.”

Glenn Edens, director of research in networking, security, and distributed systems within the Computer Science Laboratory at PARC, a Xerox Company, responded, “Maybe I’m being optimistic but there is steady progress in security. Again, the basic architecture of the Internet is wrong on so many levels—so much needs to be fixed. The loss of financial gains is more likely than a loss of life.”

Isaac Mao, chief architect of Sharism Lab, said, “New security standards will help out.”

Paul Jones, a professor at the University of North Carolina and founder of ibiblio.org, responded, “Nations and others who hold necessarily secure information are getting better and better about protecting their essential assets. Yes, a bunch of credit card numbers and some personal information will leak. Yes, you may not be able to place an order for a few hours. But it’s less and less likely that say all pacemakers in a major city will stop at once or that cyber attacks will cause travel fatalities. I expect increased tension between individual needs, commercial needs, and national needs for privacy, mobility, and security. TOR [anonymizing software] everywhere? Perhaps.”

Karl Fogel, a partner with Open Tech Strategies and president of QuestionCopyright.org, said, “Most physical systems that have digital controls are complex enough, and have enough manual intervention built in, that a cyber-attack is just a problem to be dealt with rather than a catastrophe that causes a loss of power grid, airplane crashes, driverless car crashes, water supply poisoning, trains trapped in tunnels, etc. We already have such systems in many places, and there have not been cyber attacks that carry over directly into the physical realm with major consequences. I wouldn’t expect engineering principles to be significantly different by 2025.”

Robert Bell, of IntelligentCommunity.org, responded, “While the possibility of such widespread disruption certainly exists, it has become a priority among most industrialized nations to understand and respond to the threat. I expect smaller-scale incidents but not large-scale loss of life or billions of dollars of property loss.”

Ebenezer Baldwin Bowles, founder and managing editor of CornDancer.com, replied, “Cyber attacks a decade hence shall remain a nuisance but not a foundational threat to a mature nation-state or a fully funded transnational corporation—always costly per annum to defend against and mitigate after the fact, but never the gateway to an apocalypse. The Internet is too vast, too dynamic, too widely distributed, and too resilient to ever fall prey to an online assault by terrorist cells, cyber gangs, lone geniuses, or hostile military units. The Internet is vulnerable to ‘widespread harm’ only through direct and massive munitions-based attacks on significant nodes of the physical infrastructure—server farms, electrical grids, energy distribution systems. Determined online opponents are limited by the fundamental underlying structure of the Internet.”

‘No’ respondents theme 2) Deterrence works, the threat of retaliation will keep bad actors in check, and some bad actors are satisfied with making only small dents in the system so they can keep mining a preferred vulnerability and not have it closed off.

David Clark, a senior research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory, noted, “The nation-states with the capability to deliver such an attack do not have the motivation to do so. While there will be some actors (e.g., terrorist organizations) that might have the motivation, they currently do not have the skills, and there are easier ways to cause this sort of damage. However, the odds of this outcome are not zero, only low in my view.”

Fred Hapgood, a science and technology writer, responded, “On this level, the tens of billions of dollars mark, the risk is very low. A loss on this level will trigger serious retaliation and the hackers responsible can never be 100% certain that they haven’t left a trail somewhere. So they will wait for the worst case, and the worst case will probably not arise. Maybe in the context of a shooting war. The stakes would have to be very high.”

Garland McCoy, president and founder of the Technology Education Institute, said, “Mutually-assured destruction worked then, works now, and will work in cyberspace.”

Bob Briscoe, chief researcher in networking and infrastructure for British Telecom, wrote, “There will have been major cyber attacks, but they are less likely to have caused widespread harm. They will be stealth attacks to extract information and exploit it for commercial and political gain. Harm to an enemy is only a desire of less-sophisticated individuals. Anyone who amasses the ability to mount a major cyber attack, better than their opponent, also doesn’t want to lose their position of advantage. They are likely to shift to strategies of gain for their own position, rather than explicit harm to their victim, which would alert their victim and close off their channels of attack, and set back their advantageous position.”

Justin Reich, a fellow at Harvard University’s Berkman Center for Internet & Society, responded “yes” to the question, but said, “The potential of threat is as real as the potential of nuclear annihilation. It hasn’t happened because mutually-assured destruction works, or at least it has for 70 years. We will have this constant, relatively low-grade probing, piracy, and state-sponsored cyber-terrorism.”

Todd Cotts, a business professional, wrote, “Cyber attacks will always be a threat, but it is unlikely that a future cyber attack causing widespread harm will occur, any more than today. Cyber warfare is real and will continue to be a growing threat. However, just as the United States has historically been the leader in military advances in the physical world, it will do so in the cyber world, and, as we all know, [such warfare] has been underway for decades now. The challenge will be in whether or not the government is capable of staying ahead of the cyber terrorists. As long as the government leans on a competitive marketplace of non-government companies specializing in technological advances in cyber security, the advances should keep the United States at par, at minimum, with advances by cyber terrorists. The reality is that the more we rely on cyber technologies for automation, communication, controls, security, etc., the more susceptible we are to crippling cyber attacks. Greater concern should be given to the other methods of warfare more likely to cause ‘widespread harm’: Nuclear being at the top of the list, followed by EMP [Electro-Magnetic Pulse].”

‘No’ respondents theme 3) Hype over cyber attacks is an exaggeration of real dangers fostered by the individuals and organizations that will gain the most from creating an atmosphere of fear.

Jonathan Grudin, principal researcher at Microsoft Research, responded, “Perhaps I am optimistic, but this concern seems exaggerated by the political and commercial interests that benefit from us directing massive resources to those who offer themselves as our protectors. It is also exaggerated by the media because it is a dramatic story. President Eisenhower worried that we would suffer if we had leaders who would not rein in the military-industrial complex, and it is clear our leaders are powerless to rein in the military-industrial-intelligence complex, whose interests are served by having us fearful of cyber attacks. Obviously there will be some theft and perhaps someone can exaggerate it to claim tens of billions in losses, but I don’t expect anything dramatic and certainly don’t want to live in fear of it.”

Mike Caprio, a software engineer for a consulting firm, wrote, “Cyber attacks are a boondoggle invented by military-industrial contractors to bilk governments out of billions of dollars. The infrastructure is not as fragile or attackable as they would claim.”

Kelly Baltzell, CEO for Beyond Indigo, wrote, “I believe cyber attacks do happen but think the threat level is completely hyped. Fear makes people cringe and not employ their own internal power and common sense. Right now with the NSA issues and such, we are finding out that the major countries are already spying, hacking, and causing problems. The use of the term ‘for national security’ invokes people to panic, fear, and give up the privacy they do have in exchange for what they think is safety. People just need to be rational and realize that other people in other countries just want to live, raise their families, and enjoy life. It takes a lot of energy to hate and create negativity on an ongoing basis.”