October 29, 2014

Cyber Attacks Likely to Increase

Elaborations: More Expert Responses

Following are additional provocative and thoughtful answers from other respondents, organized in the same format as those in the summary. First, the insights of those who responded “yes” to the question, next the thoughts of those who answered “no,” closing with additional observations.

Themes among those who responded ‘yes,’ there will be major cyber attacks

‘Yes’ respondents theme 1) Internet-connected systems are inviting targets. The Internet is a critical infrastructure for national defense activities, energy resources, banking/finance, transportation, and essential daily-life pursuits for billions of people. The tools already exist to mount cyber attacks now and they will improve in coming years—but countermeasures will improve, too.

Robert E. McGrath, an Internet pioneer and software engineer who participated in developing the World Wide Web and advanced interfaces, replied, “Cyber attacks are already pervasive, and it is trivial even for children to acquire the means to inflict serious damage. The United States has already attacked other countries, and other deliberate attacks are suspected. Losses are already in the tens of billions. ‘National sovereignty’ is pretty meaningless on the Internet anyway, so I can’t say anything about it. It is only a matter of time before there is a serious incident, i.e., one that journalists recognize as an event.”

John E. Savage, chair in computer science at Brown University and a fellow of the IEEE, and the ACM, wrote, “The integration of national critical infrastructures such as the electrical grid, the financial industry, and corporations into the Internet has created a system that is more fragile than is generally recognized. Computer security in these systems has been and is very weak. While it is unlikely that any one major nation is likely to try to damage the critical infrastructure of another given the potential for blowback, accidents and misunderstandings are a serious possibility. An example of this is the aggressive posture of China vis-a-vis its surrounding waters. They have claimed control over the entire South China Sea through which 25 percent of the world’s maritime shipping occurs and now are claiming sovereignty over a large portion of the East China Sea. If tensions rise over their assertions and an accident occurs at the same time that shuts off the electricity in a large portion of the United States and malware attributed to China is found within computers controlling the electric grid, escalation and further damage are likely. The undersea cable system carries more than 95% of the global Internet traffic. This includes at least $10 billion in financial transactions per day. Damage to a large portion of this system lasting days or weeks could easily reach the threshold cited in the question. The Federal Bank of Boston handles more than $4 billion in transactions per day for the Federal Reserve. If its systems were damaged, the threshold could be reached in a few days.”

Mikey O’Connor, an elected representative to the GNSO Council of ICANN, representing the ISP and connectivity provider constituency, said, “Cyber infrastructure constantly teeters on the edge of collapse. However, the odds of a ‘successful’ cyber attack causing extreme harm continue to rise—to almost-certainty between now and 2025—as attackers shift from individuals with limited resources to state-funded warriors. The severity and breadth of harm that can be caused also continues to rise as dependence on cyber-resources increases. Similarly, developing countries will become more vulnerable as they ramp up their Internet capability and dependence.”

Jeff Jaffe, the CEO for the World Wide Web Consortium, the standards-setting body for the Web, wrote, “In the past, the hardest security threat to defend against has been the insider threat. That will continue, with untold losses in economic espionage and other security losses.”

Mike Liebhold, senior researcher and distinguished fellow at the Institute for the Future, wrote, “Growing pervasive threats will inevitably have an enormously negative impact on: Privacy, e-commerce, finance, infrastructure, and world peace.”

Olivier Crepin-Leblond, managing director of Global Information Highway in London, UK, replied, “The probability of a major cyber attack is not ‘if’ but ‘when.’ Unless a global cyber-warfare non-aggression pact (like the nuclear non-proliferation treaty, or the treaty against chemical warfare) is signed between the world’s powers, chances are that the cyber attacks will be state sponsored. There is also a high chance that cyber attack technologies will be making it into terrorist hands. Without a global cyber-warfare non-aggression pact, it will be impossible to distinguish whether a cyber attack is state sponsored or independent terrorism. To-date there is talk in many locations, including in the Council of Europe, to draft a global cyber warfare convention, but no country around the world is ready to take the first step to engage in such a convention, for fear of giving up its privilege of using such methods in the future. It might indeed be too early to sign such a pact if we cannot know to what extent cyber attacks could cripple our economies.”

Ian O’Byrne, a professor at the University of New Haven, wrote, “Governments are beginning to use cyber attacks as a means to wage war. A growing online criminal contingent is beginning to get quite sophisticated with attacks to the general public (e.g., the Cryptolocker virus). These trends will continue. Be sure to do your back-ups, people.”

Peter S. Vogel, Internet law expert at Gardere Wynne Sewell, LLP, wrote, “All indications are that cyber attacks will escalate. In particular the recent report from the National Intelligence Council predicts significant widespread harm. Assuming the widespread media reports in 2013 about government cyber directed attacks against other governments and businesses are true, there is no reason to believe this will subside by 2025.”

Ian Peter, pioneer Internet activist and Internet rights advocate, wrote, “Tens of billions of dollars is not that much in terms of what damage can be done in a cyber attack, so yes. Equally, I believe investment in countering cyber attacks will exceed tens of billions of dollars per annum if it hasn’t done so already. Whether cyber attacks carried out by nations or cyber attacks carried out by individuals pose a greater threat at that time is difficult to guess. Both are likely to become more serious issues.”

Jan Schaffer, executive director of J-Lab, developing innovative digital journalism, wrote, “Edward Snowden was smart, but there is surely someone out there who is smarter. Cyber attacks will be (if they aren’t already) the Achilles heel of any nation targeted by an enemy.”

Dennis McCann, A computer-training director who was previously a senior technical consultant at Cisco and IBM, commented, “As the third and fourth worlds go digital, cyber wars will occur by or to first-world nations. There is no limit to the vulnerabilities of a digital world and this is even today the most significant technical challenge we face.”

Charlie Firestone, executive director of the Aspen Institute Communications and Society Program, responded, “There will continue to be an arms race between those seeking to gain access to protected sites, for whatever reason, and those devising protective solutions. Some attacker, at some point in the next 12 years, will beat a country or major economic enterprise that has let its guard down (in terms of keeping up with the latest security techniques).”

Leah Lievrouw, a professor of information studies at the University of California-Los Angeles, noted, “The escalating use of cyber warfare and ‘cracking’ techniques by ‘legitimate’ governments, military and law enforcement, and corporate interests, as well as by insurgent political groups, criminal enterprises, repressive regimes, industrial espionage, etc.—coupled with state-sponsored efforts to weaken infrastructure security (e.g., cryptography) to ensure their unrestricted access to data ‘anytime, anywhere’—would seem to promise a high probability of a major disruption at some point in the next decade with the potential for extensive harm. Extensive interconnectedness has enormous, demonstrable benefits, and corresponding potential for ‘networked’ damage.”

A research scientist working at a major search engine company responded, “It’s constant escalation between them and us (however you define those pronouns). Eventually, a nation-state will launch a serious attack (or maybe just let one get away from them by accident) that will cause a massive information network collapse (e.g., by bricking all the routers on a national backbone network). When that happens, the economic fallout (from uncompleted transactions, inability to deliver time-sensitive information, etc.) will be in the tens of billions. Physical damage will be harder to cause, but still possible. Taking over traffic signals would be one way to do that. Overriding train switching systems or simply jamming all aviation frequencies for a period of a few hours would do the same thing.”

Tony Siesfeld, director of the Monitor Institute wrote, “It is only a matter of time. As our lives are stored on our own devices and critical information stored through the system (from doctors to tax authorities to our favorite retailers), we become extremely vulnerable to either an intervention that snoops and steals our information or an intervention that disrupts or disables the network and exchange of information over a wide area for an extended period of time.”

Susan Caney-Peterson, a self-employed writer and editor, wrote, “The technically inept and ignorant politicians of the early 21st century in the United States will have acted slowly and poorly to threats from Eastern Europe and China. Attacks will have taken place on the US electrical grid, with Chinese hackers having compromised it back in the 2000s with no one acting on it then. Attacks on individual data will have become routine and only the wealthy will have precautions in place, thanks to the hiring of privacy experts, which become as necessary as tax accountants were in the past. More money will be spent by the government on gathering data on individuals than on national cyber security, until the cyber equivalent of 9/11 takes place.”

Peng Hwa Ang, director of the Singapore Internet Research Center at Nanyang Technological University and longtime participant in global Internet governance discussions, wrote, “Because of the greater reliance on networks, should there be an attack on the network, lives will be affected. Already, the cut (deliberate or otherwise) of mobile services has caused deaths in some of the locales of such cuts. It is difficult to imagine no major cyber attack in 20 years.”

Francois-Dominique Armingaud, a retired computer engineer from IBM now teaching security at universities, wrote, “Unfortunately, wherever there is use there will be misuses. We can work to limit it, but as with a garden the job must constantly be done. Computers were initially designed without thinking they would communicate. Communications were designed without thinking there would be rogue users. A complete redesign of computer and communication architectures could possibly lead to better security by 2025.”

David P. Collier-Brown, a system programmer and author, wrote, “Attacks on old infrastructure, notably power, traffic-lights, railway crossings and railroad switching. Predominantly by non-geographically-concentrated terrorists, as terrorists based in a particular country or state-sponsored attacks invite convention-arms responses. Some on first-generation automated systems like 2013 cars, under the same geographical-origin constraints.”

Alex Halavais, an associate professor of social and behavioral sciences at Arizona State University, said, “It may be that we don’t even know it is an attack, which is the scary part. The indignation of Google and the rest with the NSA owning their foreign data stores belies the more troubling bit, which is that some of the largest platforms we use are desperately insecure.”

Dominic Pinto, a trust and foundation manager active in the Internet Society and IEEE, said, “Forcing everything pretty well online exposes everything to the risk of being hacked—if not by commercial interests and of course the more ordinary criminals but of course as we now know on a huge scale by the state through their security agencies (whether or not the politicians or the bureaucracies actually know and control these activities).”

Rajnesh Singh, regional director in the Asia-Pacific region for the Internet Society, wrote, “I do think we are seeing—sometimes in small doses and sometimes larger—instances of the waters being tested—be it by individuals, groups or entities and nation-states. When nation-states start building cyber defense and attack regimes, there is far much more to it than hype. However, we should be mindful that we don’t end up destroying that which sustains us. The Internet, and all that it enables, is a large part of the world economy and has allowed tremendous opportunities for progress and socio-economic development. Any disruption could have a multiplier effect and end up causing unintended consequences long term that may impact the instigator as well. I expect the technical community will rise to the challenge and offer solutions that will continually improve the capabilities of users at large—threats will evolve and so will solutions to the threats.”

Miguel Alcaine, International Telecommunication Union area representative for Central America, responded, “Nations, companies, organizations worth an attack, have already started their continuing work to prepare for a potential attack. The race between potential attackers and the ones defending different assets will never stop, and such a race by itself will have a price tag in the billions of dollars if not more. The trend to have some sort of national or institutional defense will continue. It is also healthy to highlight that the lower the defenses of an entity, also the lower the potential profit of attacking them.”

William Schrader, co-founder and CEO of PSINet Inc., the first commercial ISP, predicted, “Absolutely, cyber attacks will have massive destructive impact some time in the next 11 years somewhere on earth. All nations have economic systems which are tightly interwoven among industrial production and distribution, commercial operations, communications, stock markets, financial institutions, personal lives, military and policy operations, and political balance (or imbalance). The critical infrastructure vulnerabilities are known to management of that infrastructure, to the authorities and to those determined to disrupt them. There has been a constant battle among forces to disrupt and forces to maintain during the past two decades. The risk and impact of this type of threat cannot be over-hyped. I choose not to identify specific vulnerabilities or attack scenarios.”

David Bernstein on the future of cyber attacks

David Bernstein, president at The Bernstein Agency, a marketing and research consultancy, wrote, “For every lock, there is someone out there trying to pick it or break in. This is human nature, and I have no doubt it will continue to happen. Yet, I believe that as the threats increase, companies and countries will continue to build more protection, redundancies, and methods to safeguard against criminals. In the past, it has been those inside organizations who pose the greatest risk to security. As a result, I expect greater scrutiny and oversight to those inside our most sensitive areas of national banking, military, and infrastructure.”

Thorlaug Agustsdottir, public relations manager for the Icelandic Pirate Party, wrote, “See Vanity Fair magazine’s Enter the Cyber Dragon from 2011 and the follow-up story from … 2013. This is a huge issue for the years to come. The technical/code aspect of Web crime will become ever more advanced, as will social engineering and phishing methods. Internet security and privacy issues are without a doubt the largest issues of the years to come.”

Kalev Leetaru, Yahoo fellow in residence at Georgetown University, responded, “This scenario is quite possible as infrastructure becomes more Internet-connected and the value to hackers increases, and with many rogue states now creating their own cyber armies.”

Karen Riggs, a professor of media arts at Ohio University, replied, “Technological advances and implementation reflect values of producers and consumers. As a society increases its dependency on information and communication technologies to assemble, hold, manipulate and share information, it increases vulnerability to its population. This risk includes deepening communication channels among perpetrators whose goals are to create joint action with those whose interests are similar to theirs. Among the most terrible of risks will be using data and manipulating technical communication to collapse economic systems in such sectors as banking and stock markets. Another likely scenario is that enemies of states will infiltrate ICT systems not simply to steal secrets but to push their own agendas, often in subtle ways, through the destruction of data and message integrity. Nations will be less able to maintain filters between their states and citizens. Finally, social and international definitions of threat and enemies of state will continue to be challenged, as actions by such individuals and collectives as Wikileaks, Edward Snowden, and Anonymous develop greater muscle.”

Marc Prensky, futurist, consultant, and speaker, replied, “We are already under massive cyber attacks around the world related to intellectual property. Billions or even trillions of dollars have already been stolen. I believe the concept of intellectual property as we know it won’t survive. Little people are unlikely to be harmed in great numbers by this, but countries and their relationships will face major upheavals.”

Pamela Wright, the chief innovation officer for the US National Archives, responded, “It is certainly conceivable that there will be a major cyber attack by 2025. In many ways, we are still in the Wild West days of the Internet, with patchy regulations, and huge variances in modernization for basic infrastructure such as power, water and transportation. Private companies spend a great deal of attention ensuring that they can thwart determined opponents. In this age of shrinking government and across the board government budget cuts, I am already concerned about the vulnerability of the public infrastructure.”

Bob Ubell, the vice dean for online learning at New York University, replied, “Relentless increases in cyber attacks for consumer information, intellectual property, and government secrets, among other data, is unlikely to abate. Chances are that the spiral will continue to increase exponentially as happened over the last decade.”

Gina Neff, an associate professor at the University of Washington, wrote, “More systems will be online created by more vendors. These connected entry points into the ‘Internet of things’ will create more vulnerabilities for cyber attacks.”

Thomas Lenzo, a technology consultant, responded, “So far, major cyber attacks have been made on defense contractors, major financial institutions, and other large targets. Those targets have responded and hardened themselves against future attacks. However, the majority of businesses are small- to medium-size, and they, as well as most home technology users, do not have the defenses needed to thwart a major attack. We will see cyber attacks that cause many of those businesses to go out of business. Recently, a small town lost eight years of its records to a malware attack. The cost of the damage has not been calculated. In the future, there will be more of these types of cyber attacks. As for loss of life, we will see that when a major health care system or a SCADA [Supervisory Control And Data Acquisition] system is the victim of a cyber attack.”

Mary Joyce, an Internet researcher and digital activism consultant, replied, “There is no reason to believe that hackers won’t continue to out-innovate infrastructure defenders. So long as data infrastructure is constrained in its function and design and hackers are unconstrained in the methods they can use to infiltrate it, those who own and defend infrastructure will be at a disadvantage.”

Danny Gillane, an information science professional, wrote, “The longer the Internet exists, the more people will be exposed to it and to the technology needed to use it for good and for bad. Sooner or later someone—either for political reasons (terrorism, for example) or for criminal reasons—will take down part of the utilities infrastructure leading to economic loss or property loss on a large scale or will steal something or will take down a major economic player, such as Amazon, the Federal Reserve, the Internal Revenue Service.”

John G. McNutt, a professor at the University of Delaware, replied, “War in 2025 will be low-intensity conflict and major conflict via technology.”

Adam Nelson, founder of Kili.io, a cloud infrastructure in Africa, responded, “The question is whether a major cyber attack will have caused widespread harm to a nation’s security and capacity to defend itself and its people. With 200 countries in the world and the fact that so much critical infrastructure is rooted in cyberspace and given the 11-year horizon—it seems inevitable that such an event will happen.”

Amy Crook, an IT employee at a large firm, wrote, “Theft in the tens of billions of dollars is definitely possible. Smaller nations have a greater risk of being harmed, since larger nations have more resources to put toward defending themselves from cyber attacks. It will become more apparent that nations such as China are actively working toward goals of cyber attacks on other countries. I don’t know how it will threaten a nation’s sovereignty. It seems unlikely that allies of any one country will stand idly by if that country is attacked in such a way. I don’t know if I can imagine a scenario in which a country is robbed totally anonymously, in part because it would be in the best interest of all other nations to put resources into solving that puzzle in order to protect themselves.”

Glen Farrelly, a self-employed digital media researcher and consultant, wrote, “As long as the benefits for cyber attacks remain as attractive as they are now, cyber attacks will continue, which will become only increasingly destructive as more of our lives and societies rely on digital networks.”

Bud Levin, a futurist and professor of psychology at Blue Ridge Community College in Virginia, wrote, “I cannot imagine a formal, structured, or government-led defense that will prevent determined, networked, and labile hackers. Offense, by whatever label, can be wrong most of the time yet still succeed. Defense only has to slip up once, and it will sooner or later. We have thought the virtue of the Net to be its ubiquity and de-centralization. However, we’ve centralized it in terms of standards and practices and methodologies and overseers, creating new vulnerabilities as we attempt to improve on old. The more standardized and centralized, the more vulnerable to assaultive change.”

Scott McLeod, director of innovation for the Prairie Lakes Area Education Agency in Iowa, responded, “We’re fooling ourselves if we think that there won’t be several major cyber war and/or hacking incidents aimed at governments, not just corporations and other organizations. This is a constant battle right now. It’s only a matter of time before something really significant occurs, particularly as more of our physical infrastructure becomes connected to the Web via the Internet of Things and other similar movements.”

Daren C. Brabham, assistant professor at the Annenberg School for Communication and Journalism at the University of Southern California, wrote, “There will definitely have been a major cyber attack by 2025. It will probably be perpetrated by the US or China on another country. I believe attacks on a country’s stock market or on a country’s missile defense system is the most likely application of a cyber attack initially. We will see the development of new major divisions (if not a new branch entirely) of the military focused on military applications of cyber warfare, along with medals and officer ranks for these specialists.”

David Solomonoff, president of the New York Chapter of the Internet Society, said, “Likely attacks are getting easier and there a lot of new technologies—medical prostheses, critical infrastructure, Internet of Things, that are not properly secured.”

A self-employed interactive communications specialist for a religious news organization responded, “Cyber warfare is no different from other warfare—those looking to harm will find a way and those who are harmed will realize they were not prepared in some way. While advancement will continue and countries will invest more and more in defense, someone will find a way inside—and it could come from within their own country.”

A self-employed attorney responded, “Because our businesses and government do not respect privacy, they also do not respect our security. Add to their hubris, the fact that as media companies consolidate and exercise more power, groups like Anonymous will continue to grow and agitate to remind the general complacent public of what is at risk.”

An international project manager at Microsoft wrote, “The first major attack on a nation’s infrastructure will probably be by terrorists. They could, for example, cause the meltdown of a nuclear reactor. However, some nations might also start to use cyber attacks that are not easily identifiable as such but cause the loss of lives or major damage.”

The editor in chief of an international digital trade journal commented, “We’ve seen several cyber attacks come relatively close to causing major, widespread harm already. One or more major banking networks are likely to be the first to suffer a catastrophic collapse, and it would not surprise me for full-scale cyber warfare to erupt between China and one or more Western nations. The groundwork for that sort of thing already has been laid.”

An anonymous respondent wrote, “There is a clear rivalry between China and the United States and the gap is widening. As the United States is more networked in many areas it is also more vulnerable to cyber attacks. This vulnerability might be used by China and other nations by first striking cyber attacks instead of sending troops.”

A webmaster wrote, “Nation-states appear to be engaged in recruiting talent for cyber-war activities. The trend will continue and at some point another war will be fought that will include a cyber front. Likely there will be both direct economic consequences and collateral damage as the utility of cyber warfare is tested.”

David Hughes, a retired US Army Colonel, wrote, “It is simply going to happen. First of all in a singular incident, which will then trigger the design and building of parallel or backup capabilities, requiring billions in investment, both government, corporate/institutional, and eventually individuals at their homes.”

‘Yes’ respondents theme 2) Security is generally not the first concern in the design of Internet applications. It seems as if the world will only wake up to these vulnerabilities after catastrophe occurs.

Dave Rusin, a digital serial entrepreneur and former digital global corporate executive, responded, “Cyber attacks are new form of war—economically driven. It is the new reality. Today, America’s cyber security is like Swiss cheese. Solutions should be driven by the free market sector as the creativity will be fast and furious. On any given day, most politicians—outside of some briefing of what they want to hear—are not making me feel ‘Happy, happy happy …’ Our politicians can’t listen to generals or intelligence agencies on how to efficiently deal with traditional events leading to war, cyber-what? Eventually billions will be spent by government on cyber whatever—just follow the money, we are at risk, because those contracts will have more to do with campaign contributions, who you know, and keeping a politician in office, than an aggressive proactive and defensive-objective, clean, cyber strategy.”

Frank Pasquale, a law professor, wrote, “As the wealthy segregate themselves into enclaves or diversify their residences across continents, they (and the political class they heavily influence) will continue to disinvest in infrastructure. Moreover, intelligence agencies and leaders of critical infrastructure will disdain the types of immutable audit logs that could help record and detect and solve vulnerabilities, because they don’t want to be held personally accountable for failures. The situation leaves both electrical grids and banking infrastructures vulnerable to catastrophic attack.”

Brian Butler, a professor at the University of Maryland, wrote, “Since we have not had these (at least not publicly) the will isn’t there to deal with it at the level of resources needed. Hence, it is just a matter of time until a perfect storm of unaccounted for vulnerabilities and overconfidence, and external threat coincide. This is another place where the entrepreneurial mantra of ‘fail often’ plus overconfidence will eventually lead to problems, though there is a possibility that the increasing risk aversion among baby boomers, with their substantial influence, might balance this out.”

David Allen, an academic and advocate engaged with the development of global Internet governance, responded, “It depends upon further progress toward global governance schemes—overall—that actually work. By no means is that certain.”

A CEO for a company that builds intelligent machines observed, “We haven’t yet had our chance to see the impact of mutually assured destruction on the cyber battle field yet, but the seeds are germinating between the United States and China on this front today, and by 2025 we’ll have had our Hiroshima. The problem is that there are several actors here and not all of them are sovereign nations. Any list would include multinationals—who might find an incentive to destabilize a resource-rich government, terrorist organizations—who find fear an ample reason to pull together significant resources), and techno-anarchist groups—who might bring down a power grid or financial market for fun or spite. The threat is very real, and because a profit motive is necessary for anything significant to be done here, I think progress will always be slow. It’s easier to get us excited about blowing things up than building yet another defensive wall.”

Dale Richart, a marketing and advertising client liaison, responded, “This probably will not happen by 2025, but perhaps not long after. I do believe I will live to see a devastating event brought about by a cyber attack that will result in a global resolution to abolish some acts of major cyber attack. I doubt we are generally aware of the current level of threat and we need to be exposed to better informative journalism.”

A behavioral researcher specializing in design in voting and elections commented, “The world is a dangerous place. The Internet was built to be free, open, and democratic. That kind of architecture has holes in it, as the NSA has learned (and created with and without the help of corporations that are on the backbone). From my work in voting and elections, I can tell you that one of the major vulnerabilities is in voting systems. Some countries already have Internet voting. Several are piloting elections held online. There is great pressure in the United States to move elections online and states will try it. The advantage that the United States has in the way its electoral system is set up is that it is widely distributed. Conducting attacks during a major election would be extremely difficult considering that there are thousands of voting jurisdictions in the United States that run their own elections. It would be difficult but not impossible. We’ve already seen election department servers attacked. There’s no personal data there that isn’t publicly available elsewhere, so that’s not the driver. These attacks are practice sessions. They’ll probably escalate and expand.”

Maureen Schriner, a university professor, responded, “The vulnerabilities to these attacks lies in the nature of the infrastructure, the lack of common governance over the Internet, and the lack of willingness by multinational corporations to change processes. Until a major cyber attack occurs, the people and institutions that control cyber infrastructure won’t have incentives to change.”

Will Stuivenga, an information science professional in the state of Washington, said, “It is almost inevitable that something of this nature will eventually occur. Human nature and history have shown that effective counter measures will not be implemented until an actual event demonstrates the necessity of doing so. And even then, some nations probably won’t have the wherewithal to take effective counter measures, even if they wished to do so.”

A professor and CEO with 25 years of experience in technology research and entrepreneurship responded, “There will be many attacks and accidents, many of these with terrible consequences. Whether any single one of them will be to this scale is hard to predict, but we will be able to build and deploy more flexible, more immune-system-type defenses before that happens. It is still too easy for too many deciders to ignore security out of sheer ignorance or because the costs can be externalized. Maybe we need a couple more mega-events before that becomes less of a problem.”

Daniel Miller, a professor at University College in London, wrote, “It would be foolish to underestimate the capacity of the military to employ new technologies. And since these work at a distance they will be very attractive. There are obvious imbalances in different nations’ capacities to launch and defend themselves from such attacks, which is why it is likely to be successful. Only after which will we see the required international mobilization to prevent further escalation.”

A self-employed digital communications consultant commented, “This is just a matter of time. Our government’s digital infrastructure is a joke. When giant corporations like Target or social networks like Facebook are having a hard time fending off cyber attacks, it gives you little hope that our government is in any way prepared to handle a big breach. Some country is going to get hit hard. It might not be the United States, but someone is going to have to handle this by 2025.”

Carol Wolinsky, a self-employed marketing research consultant, wrote, “Chinese incursions into the databases of major newspapers, the recent attack on Target and other examples demonstrate the determination and capability of those who wish to disrupt the security and safety of the world’s citizens. Al Qaeda and other terrorist groups have similar motivations. The United States lacks the political will to focus on and pay for technology improvements that would slow down or eliminate these threats; the primacy of the United States on the world stage will be in the past and will never recover. Eastern Europe and Asia, where many of the security threats originate, will be ascending.”

Gary Kreps, professor of communication and director of the Center for Health and Risk Communication at George Mason University, wrote, “Serious breaches in cyber-security in the future are inevitable. However, I am hopeful that these serious incidents will raise public concern for security and lead to new programs and policies for safeguarding information systems in the future.”

A law school professor commented, “The grid controls even today. Banking, food, and power are all subject to attack. Those that want to control have always led the way, leaving those that want to help lagging. The question will be the severity of the attack and how widespread. Small attacks happen daily, but don’t affect the daily lives of most of the world. Kill the electrical grid in just one major economy and the ripple effect will probably not stop until there is a return to a pre-tech age. A small group can act to bring down a much larger group because of inertia and the human nature of refusing it can happen until it’s too late.”

The grants coordinator at academic center for digital inclusion responded, “People are unable to effectively collaborate across systems. Given ample mismanagement and miscommunication already evident, a major cyber attack seems unavoidable.”

Linda Young, a freelance writer, responded, “This nation has done nothing to make sure that the Internet is secure. It has done nothing to ensure that hackers can’t shut down the nation’s water, wastewater, and electrical supply systems. It has done nothing to make sure that banking is secure from attacks. It has done nothing to make sure that medical records can’t be hacked and altered.”

A software engineer who works for a major US technology company said, “I fear that computer security by 2025 will not be much better than it is today. We will have more experience, but I expect that the level of complexity of software systems will increase to match. Nonetheless, I don’t believe that a major cyber attack will occur. I hope that the fear of an attack will cause critical systems to be hardened/isolated to the point where, although possible, cyber attacks against them will lose their anonymity benefits. At which point, they enter the standard military portfolio and, likewise, will be reserved for times of war. Minor attacks, on the other hand, I expect will continue to be frequent, although will often be carried out by lesser entities than states.”

A middle manager in the digital division of a public media company wrote, “We will be shocked by our vulnerability when the inevitable happens. Imagine all the robotic cars crashing into one another, or the discovery of billions being siphoned out of bank accounts. It is the primary risk to our digital future—we may find we cannot accept the risk of our digital vulnerability.”

Stephen Abram, a self-employed consultant with Lighthouse Consulting Inc., answered “no” on this question, but his answer suggested he was uncertain fixes would be made. “War seems to always be with us. It’s not entirely science fiction that digital security is a moving target and the holes are discovered through attacks and not solved through barriers and moats any longer. If by 2025 we have solved this problem I’d be surprised.”

Jon Lebkowsky, Web developer at Consumer’s Union, responded, “A cyber attack of the magnitude described here is as avoidable as the Y2K bug, but I wouldn’t say it’s overhyped. The hype will drive prevention.”

A University of Missouri assistant professor of library and information science wrote, “Hackers will probably gain access to more major banks, Internet companies, and the federal government. It’s the golden prize. Hopefully it will not happen while I’m flying or driving my robotic car, though.”

Liam Pomfret, a doctoral student in digital issues at the University of Queensland, Australia, responded, “Given such events as the Sony PlayStation Network hack, and known vulnerabilities in the US power grid, there’s certainly a great deal of potential for an attack causing significant economic harm (though any loss of life would likely be caused only indirectly). Particularly given the Sony case, it’s obvious that many large organizations are lacking sufficiently sophisticated security. I don’t see many firms taking much more care in this area either, simply because of the cost to them to do so, and the relative lack of punishment they’ve received from either consumers or governments when such privacy breaches have occurred. Even should a firm be punished, rarely have the executives who allowed such a situation to occur suffered from any personal liability, making the punishments relatively toothless.”

‘Yes respondents theme 3) Major cyber attacks have already happened, for instance the Stuxnet worm and attacks in nations where mass opposition to a regime has taken to the streets. Similar or worse attacks are a given.

The IEEE Spectrum publication wrote in February 2013: “[The Stuxnet] worm was an unprecedentedly masterful and malicious piece of code that attacked in three phases. First, it targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges. Finally, it compromised the programmable logic controllers. The worm’s authors could thus spy on the industrial systems and even cause the fast-spinning centrifuges to tear themselves apart, unbeknownst to the human operators at the plant.” This reportedly helped slow down Iran’s nuclear-material development program by destroying up to a fifth of its centrifuges, though Iran has not acknowledged the problem—and it has been widely speculated that the US and Israel were the developers of the 500-kilobyte worm.

A notable number of respondents cited Stuxnet and other acts against various populations as evidence that cyber attacks were now integrated into national military and intelligence strategies.

David Golumbia, an assistant professor at Virginia Commonwealth University, said, “They already have, repeatedly, and this trend will only accelerate.”

Nathan Rodriguez, a PhD student at the University of Kansas, wrote, “It is difficult to envision a scenario where a nation does not experience widespread harm as the result of a cyber attack during the next decade. Iran’s nuclear program was dealt a tremendous blow as a result of the Stuxnet virus. I do not think it would be inaccurate to claim the United States is in some ways already amidst a new Cold War with China in the digital realm that will continue to deepen—all under the cloak of plausible deniability.”

Jerome McDonough, an associate professor at the University of Illinois, responded, “Given the damage done by Stuxnet and the significant use of cyber attacks in the Georgia/Russia conflict, I suspect we may already have passed the ‘widespread harm’ [test] you’ve established.”

Andrew Bridges, a partner and Internet law litigator and policy analyst at Fenwick & West LLP, wrote, “Arguably this has already happened with the Stuxnet. An attack on GPS satellite systems or time stamping systems could be devastating. I don’t think the threats relating to these systems have been hyped. I do not know whether major economic enterprises can thwart these attacks.”

Adam Rust, a research director for a US-based organization advocating for economic justice and opportunity, wrote, “It is already happening. Cyber attacks are a front in war. Look at what happened in Estonia, in Syria, in Georgia.”

The principal engineer for an Internet of Things development company wrote, “Cyber attacks will become an increasingly important part of state against state warfare, as well as becoming a weapon used by non-state ‘terrorists.’ It has already started with the United States and Israel cyber attacking Iran to cripple their economy and nuclear industry. The next step will probably be more aggressive and open cyber attacks between the West and China.”

Lucas Gonze, a respondent who did not share other self-identifying details, said, “Information technology has already been weaponized. Nations are already in hot conflict. Cyber attacks have been waged. With the Stuxnet/Flame attacks on [the Iranian nuclear plant] Nataanz, the Iranian capacity to build nuclear weapons was reduced. It is entirely possible that tens of billions have already been spent by the Iranians. So this question is not very theoretical. If the question is whether major powers such as the United States or China will suffer such losses, that is an ideological slant in the question.”

An assistant professor at New Mexico State University wrote, “The cyber Cold War has already had some hot skirmishes in the 2000s. It seems likely that there will be some significant casualties by 2025. The US-Israeli developed suite of cyber-weapons known as Stuxnet has already demonstrated a more complex suite of behaviors than many experts had imagined when deployed against Iran (and probably other targets as yet undisclosed). Unlike nuclear weapons, which require heavy industry and large investments of time and resources to develop and deploy, cyber-weapons are extremely cheap and require little more than brains, information, and readily available inexpensive hardware to develop and deploy. In this game, the attacker has an enormous advantage, because very few of the millions of possible target systems were designed with defense against cyber-attack in mind.”

‘Yes’ respondents theme 4) Cyber attacks are a looming challenge for businesses and individuals. Certain sectors, such as finance and power systems, are the most vulnerable. There are noteworthy divides between the prepared and the unprepared.

Steve Jones, a distinguished professor of communications at the University of Illinois-Chicago, responded, “I don’t think this is likely, though it isn’t impossible. One of the things that causes some hope is that most critical systems are not interconnected (Internet notwithstanding) so an attack on one is unlikely to disrupt others. The one that may be most vulnerable, as we’ve seen in the recent simulated attack, is the electrical grid, and there is certainly potential for attack and serious disruption via that vector.”

Bryan Alexander, senior fellow at the National Institute for Technology in Liberal Education, responded “no” but elaborated, “The real research and development in this field isn’t directed at nations. Instead it’s about taking money from those who have it—i.e., crime. National cyber attacks seem to be tending less towards the notorious ‘electronic Pearl Harbor’ and more towards harassment and sabotage. So we can expect successors to Stuxnet: ‘Oops, it looks like a Chinese aircraft carrier lost power for a day.’ ‘Huh, the American embassy in Paris is suffering a DDoS attack.’”

Neil McIntosh, a British journalist working for a major US news organization, wrote, “It would be easy enough to worry only of Hollywood-style attacks on infrastructure; electricity grids, military facilities, and so on. I’m sure there’s risk enough there. But greater, more realistic (and harder to defend against) danger may lurk in less glamorous places. For instance, the global banking industry has individual players whose failure would, on their own, bring their host nation to its (financial) knees. This would undoubtedly have an impact on that nation’s sovereignty and—by extension—its ability to defend itself. It doesn’t take a huge leap to imagine a situation in which a major financial institution finds its systems under attack; an attack that, then, brings into play those huge sovereign risks. I’m afraid I find this scenario plausible.”

Andrew Chen, an associate professor of computer science at Minnesota State University-Moorhead, responded, “The ‘smart grid’ is the most substantial danger. Cyber attacks that target a ‘smart grid’ will result in loss of power to large numbers of places simultaneously, causing infrastructure damages. Likely places that this will cause substantial damages will be airports, trains and train stations, draw bridges, traffic signals, and so on. No single instance will be ‘widespread harm,’ but all of these together will add up to that in only a short period of time. Unless there is some unforeseen major new technological development (such as widespread availability of quantum cryptography-based one-time-pads), the only way to prevent this will be to refrain from adopting ‘smart grid’ technologies.”

Meg Houston Maker, writer, editorial strategist, and private consultant, responded, “I’d like to believe that cyber attacks would be more likely to cause property and national security breaches than loss of life, and that they’re more likely to occur in less developed nations, or regions experiencing conflict or warfare. However, it seems clear that messing with the national grid during times of extreme weather events or hacking the public transportation system could pose a vital threat.”

Matthew Henry, a CIO in higher education, replied, “Cyber attacks will be huge and will cause physical and human life loss. Vulnerabilities within utilities will be the greatest danger, followed by dangers to medical areas. Financial vulnerabilities will continue to the level of causing loss of assets to corporations, governments, and individuals.”

Larry Magid, technology journalist and Internet safety advocate, wrote, “It is my hope and belief that those responsible for physical infrastructure will find ways to isolate critically important systems from a vulnerable grid. I do think that banking and information services will remain vulnerable but not things like power plants and water systems. My big worry though is whether autonomous vehicles and drones might be increasingly vulnerable.”

Jesse Stay, founder of Stay N’ Alive Productions, replied, “It won’t be what you think, though. Citizens will have more control over their own security rather than the nation controlling cyber security. As such, the citizens who are more security conscious will be more protected than those that are not. Currencies such as Bitcoin will also be more prevalent, and the need for citizens to know more about their own security will become even more important. Citizens will get smarter, and will be more empowered to protect themselves.”

Brittany Smith, a respondent who did not share a professional background, wrote, “Cyber attacks and cyber security will be the issues that define the upcoming decades. What is unfortunate is that many Americans are unfamiliar with cyber security and do not know how to protect their own information. Education and collaboration across sectors will be necessary to help us protect ourselves individually and collectively.”

Kevin Ryan, a corporate communications and marketing professional, responded, “Military and business will probably have their own special Internet with a great deal of protection. Enough cyber attacks have been occurring that the military will make security a priority. Well-funded corporate entities will follow suite with special networks. The common man will be vulnerable.”

An administrator for technology-focused units in educational nonprofits responded, “Vulnerabilities ripe for targeting by hackers may be found in the following areas, both public and private: power grids, financial institutions, defense institutions, medical institutions, educational institutions, business enterprises, and any other institutional gathering place or space. Most people and the institutions they inhabit or maintain are not yet attuned to being vigilant about keeping technology-enhanced spaces secure; thus, they are more careless and inattentive than they should be, especially in the face of known, not hyped, hacker persistence in invading such spaces.”

Evan Michelson, a researcher exploring the societal and policy implications of emerging technologies replied, “Attack is likely yes, but in addition to targeting national security and corporate targets, such cyber attacks could be aimed at small businesses. Imagine a denial of service attack planned for ‘Small Business Saturday’ that targets local payment systems. The level of threat is higher than we currently expect.”

Some responses that straddle ‘yes’ and ‘no’

Several respondents in their narrative answers discussed the pros and cons related to likely cyber attacks and had answers that fit between the poles.

Raymond Plzak, former CEO of the American Registry for Internet Numbers, and current member of the Board of Directors of ICANN, wrote, “I would say significant yes, but widespread, no. Just as previous threats over the course of history were thwarted or averted, others succeeded by the use of surprise often coupled with innovation. Such will continue to be the case in the future. Only a thorough understanding of the environment and the ability to anticipate the outlying case or method while not fixating on them will continue to be the path to success.”

Lyman Chapin, co-founder and principal of Interisle Consulting Group, wrote, “Responding ‘no’ is a counter-intuitive answer to this question, but consider that the opportunity and the motivation to carry out such an attack have existed for at least a decade. The question really hinges on what we interpret as major. There will be cyber attacks, and damages will ensue, but I think enough diversity has been built into the system to enable it to survive.”

Dave Burstein, editor of Fast Net News, responded, “The US and other countries are spending billions of dollars developing cyber warfare capability and actively using it in modest ways. If we continue to have wars like Iraq, Afghanistan and the cold war against Iran we will likely use our capabilities. Yes/no is not the right way to answer this; it’s really ‘maybe.’”

Tim Mallory, an information science professional, responded, “The value of the damage is in the eye of the attacker and the victim. What may be seen as ‘billions of dollars of value’ may be meaningless to most people.”

A law school professor commented, “The grid controls even today. Banking, food, and power are all subject to attack. Those that want to control have always led the way, leaving those that want to help lagging. The question will be the severity of the attack and how widespread. Small attacks happen daily, but don’t affect the daily lives of most of the world. Kill the electrical grid in just one major economy and the ripple effect will probably not stop until there is a return to a pre-tech age. A small group can act to bring down a much larger group because of inertia and the human nature of refusing it can happen until it’s too late.”

An editor focused on how technology affects policy and society for a major US online news organization responded, “I agree with those who say that the cyber security threat is much like the Cold War nuclear threat: there is both an arms race and concern about mutual assured destruction. I believe that there will be many, many small and medium-size cyber attacks between now and 2025, but nothing on a major scale.”

An economist for a leading Internet company responded, “I can see attacks that will create inconveniences and monetary loss, but I do not expect widespread harm from pure cyber attacks. New and better forms of secure identification will emerge, which will help with many security issues. New crimes will appear and old ones will disappear, be we will not see dramatic changes in the overall level of criminal and terrorist activity.”

Themes among those who responded ‘no’ there will not be major cyber attacks

‘No’ respondents theme 1) There is steady progress in security fixes. Despite the Internet’s vulnerabilities, a distributed network structure will help thwart the worst attacks. Security standards will be upgraded. The good guys will still be winning the cyber security arms race by 2025.

David Cohn, director of news for Circa, responded, “It is, of course, a constant game of one-upsmanship. Criminals get bigger guns, defense gets bigger guns, and so forth. However—short of a major leap—the checks and balances here minimize the harm.”

Kevin Carson, a senior fellow at the Center for a Stateless Society and contributor to the P2P Foundation blog, wrote, “I expect a lot of small-to-medium attacks will lead to extensive decentralization and hardening, and to the degraded functioning of all large, visible institutions.”

Giuseppe Pennisi, an employee of the Economic and Social Council of the Republic of Italy, said, “I feel the era of major cyber attacks is over.”

Bill St. Arnaud, a self-employed green Internet consultant, wrote, “Businesses, research groups, network operators, and various Internet organizations have taken considerable steps in the past few years to thwart wide-scale attacks. The demise of the Internet from attacks has been predicted for years. There will still be thousands of small-scale attacks per day, but wide-scale, economically crippling attacks are extremely unlikely.”

Laurel Papworth, a social media educator, commented, “This is unlikely as we move to peer-to-peer networks the public are pretty good at spotting and dealing with threats, certainly members of the open source community are, more so than closed systems. It will be less vulnerable, not more.”

Even though he answered “yes” on the question, Nick Wreden, a professor of social business at University Technology Malaysia, based in Kuala Lumpur, sounded a similar theme: “The Internet was designed as a distributed system. This means that attacks can be localized or even blocked if necessary. One reason Libya shut down its Internet connections to the outside world was fear of attacks on its military infrastructure.”

Similarly, “yes” respondent Clark Sept, co-founder and principal of Business Place Strategies, Inc., made this point: “Those nations that are vulnerable as targets today are largely mutually vested and invested in avoiding such a catastrophe. Notwithstanding rogue agents, cyber security is today and will continue to be a major area of investment in the coming years. As a matter of global fiscal policy, the major players (nations and their central banks) are continuing to be mutually intertwined financially and, as such, will quietly agree in back-room style to stay clear of such cyber warfare, and to put in place appropriate measures to ensure cyber hegemony cannot occur.”

Dean Thrasher, founder of Infovark, Inc., commented, “I find it difficult to believe that modern, critical systems would be built without fail-safes, overrides, or other controls that could be used in the event of an emergency. Cyber attacks will continue to cause disruptions to companies and individuals, and perhaps entire government agencies, but it’s hard to imagine a cyber attack that would pose an existential threat for any nation.”

Christopher Wilkinson, a retired European Union official, board member for EURid.eu, and Internet Society leader, said, “Governments and corporations will invest heavily in thwarting attacks. There will be more cyber attacks, but damage on the scale suggested above is unlikely.”

Stuart Chittenden, the founder of the conversation consultancy Squishtalks, replied, “A tit-for-tat incremental escalation will arise, not a single catastrophic ‘hack’ or cyber assault. As one entity institutes a capacity to create or exploit a vulnerability, other entities will be developing remedies.”

Peter Janca, managed services development lead at MCNC, the nonprofit regional network operator serving North Carolina, commented, “The incremental nature of attack escalation is enabling governments and private entities to keep up, or at least not get so far behind that an earthquake event like the World Trade Center attacks of 9/11 is likely to happen.”

John Saguto, an executive decision support analyst for geospatial information systems for large-scale disaster response, responded, “It will not get this extreme. Whatever is ‘done’ can be ‘undone,’ so the paranoid ‘loss’ issue is more of inconvenience than real loss, perhaps there will be varying degrees of ‘loss’ not noting that will shift the balance of power. Now, nature on the other hand, is another story.”

Avery Holton, a professor at the University of Utah, said, “Security against such attacks is keeping pace with the attack planning. While there may be smaller scale disruptions, a major attack should not occur.”

David Burstein, CEO at Run for America and author of Fast Future: How the Millennial Generation is Shaping Our World, commented, “There will likely have been a collective group of smaller attacks by 2025, which in aggregate will have caused widespread harm, but the attacks we are going to see are more likely to be smaller individually than a so-called doomsday scenario. The most likely scenario will be ongoing corporate espionage, which by 2025 will allow companies in other countries to hack into American corporate systems and steal trade secrets to either rip-off individual products or to advance their own place in the market.”

Even though he responded “yes,” Bryan Padgett, a research systems manager for a major US entertainment company, spoke to this theme in his answer, “With the increased visibility on cyber security, more academia partnerships and companies are building operating systems and other products with security and redundancy in mind from the ground up, instead of trying to apply it after-the-fact on top of what was already created. There will no doubt be more exposure, especially as everyday items start to become connected, but enough protection will come from new areas of cyber security and cybercrime defense.”

Beth Bush, the senior vice president for a major healthcare professional association, said, “I believe that the United States has the computing power, the intelligence, and the ability to apply these to avert physical harm in the event of any cyber or other type of attack.”

Kit Keller, a researcher and consultant, responded, “While the terrorism threat to the United States is real, I am optimistically counting on cooler heads to prevail in terms of our international relations. Right now, Americans are hated in many parts of the globe. With a change in our policies this can be altered. If we’re not as hated, we’re less of a target.”

Lisa Dangutis, webmaster for The Sunshine Environment Link, wrote, “People have tried and failed in the past. The biggest threat to any countries security is data mining or logistical attacks. Which has happened in the past and succeeded. However, to date data mining has not cost lives or property loss and logistical attacks are generally caught. Theft of money is a risk with any computer system, but I think for harm we need to include human loss or property loss. Crash of a financial system would be bad, but it would be nearly impossible to harm an entire country. There are too many back ups in place. I don’t believe by 2025 it could happen on a national level. However, I believe there could be serious attacks to liberty but not enough to cause large widespread harm like Super-storm Sandy.”

An anonymous respondent predicted, “Information technology systems will remain sufficiently protected, and sufficiently fragmented, that widespread harm from attacks are unlikely. Additionally, there are significant economic disincentives to launch of a cyber attack from an organized nation-state—once a given country was identified as the source of an intentional attack, they would effectively be cut them off from large portions the Internet and that would cripple it economically. However, I do expect cyber attack strategies to gain in sophistication and effectiveness. Phishing attacks will continue to be effective as attackers are increasingly successful in disguising their intentions and at crafting deceptive communications. Username and password credentials, already often weak or traded on the black market, will be considered insufficiently secure for most sensitive transactions such as online banking, and will be replaced or augmented as a matter of course with easy-to-use two-factor authentication.”

Riel Miller, the head of foresight for UNESCO, based in Paris, wrote, “Assuming that vintages of systems remains significant—meaning that the vulnerability of uniformity is avoided—no one attack can be too devastating. Only if some so-called ‘brilliant’ plan manages to create a unified and homogenous infrastructure will this kind of danger really become serious.”

Michael Glassman, an associate professor at Ohio State University, said, “There may be attempts at cyber attacks but they will not be extraordinarily damaging. There are a couple of reasons why this isn’t as big a problem as it could be at this point. First it seems it is much easier to play defense than offense on the Internet. Defenders can move quickly and always understand their program much better than an intruder. Also the best hackers tend to be apolitical and very independent. They would be difficult for a government to recruit and would be much more likely to work as part of a crowd sourced response to a state attack.”

‘No’ respondents theme 2) Deterrence works, the threat of retaliation will keep bad actors in check, and some bad actors are satisfied with making only small dents in the system so they can keep mining a preferred vulnerability and not have it closed off.

Thomas Haigh, an information technology historian and associate professor of information studies at the University of Wisconsin, responded, “As the Internet becomes ever more vital it remains inherently vulnerable and the opportunities for an economically disruptive attack continue to grow. Likewise, as more power, transportation, and other systems are coupled to the network there will be real opportunity for physical disruption. However, I would expect the threat of conventional retaliation to deter such attacks just as, for example, it has prevented state-sponsored chemical weapons attacks.”

Fernando Botelho, a social entrepreneur working to enhance the lives of people with disabilities wrote, “International actors with the know-how and resources to mount a meaningful attack will not do so, as they are equally vulnerable. This is not to say that minor highly-visible attacks will not be used in political posturing.”

Uta Russmann, a professor of strategic communication management and new media based in Vienna, Austria, wrote, “A few nations will always have the knowledge and institutions (e.g., NSA spying on German leader Merkel) to thwart determined opponents as this is a situation in their focus.”

Thad Hall, an associate professor of political science at the University of Utah, wrote, “Such an attack is completely possible—the nation’s cyber security is quite porous—but the actors who have the greatest ability to pull off such an attack (another sovereign state) would be hurt because of the collateral damage.”

Even though he answered “yes” to this question, James Penrod, former CIO at Pepperdine University, the University of Maryland at Baltimore, California State University at Los Angeles, and the University of Memphis, struck this note: “There are enormous dangers to all nations and especially to the most highly developed nations, well beyond what most US citizens can imagine. However, the destructive power of such a war is so great that the leaders of developed nations will find ways to maintain an uneasy peace, as was the case in the Cold War. Should this not occur, the world might experience another dark age!”

Andrew Pritchard, a lawyer and PhD candidate, wrote, “The Cold War idea of mutually assured destruction should limit the prospects for all-out cyber war just as it did for nuclear war. A crippling cyber attack on a scale that jeopardizes national security or economic survival requires, at least for now, expensive technical capabilities and an impressive concentration of expertise. Most of the actors with the ability to put such resources together are national governments and large corporations—the sorts of rational actors unlikely to expose themselves to a proportional counterstrike.”

A law professor at Georgetown University and former Federal Trade Commission official wrote that while the first major attack might not be deterred, that model will likely be implemented in the long run. “A serious cyber attack is almost inevitable, notwithstanding concerted and well-intentioned efforts to guard critical infrastructure to protect against such an attack,” he wrote. “My sense is that at some point, this will become a global issue, and cyber-protection agencies around the world will band together to root out non-state attackers. Whether we’ll ever be able to safeguard ourselves sufficiently from state attackers is hard to assess, but at some point the same arguments for mutual deterrence—mutual assured destruction—might actually mitigate the risk. It is despairing to talk about this in Cold War terms, but at some point, the capacity of state actors to inflict massive harm on one-another through cyber attacks may become the best deterrent of all.”

‘No’ respondents theme 3) Hype over cyber attacks is an exaggeration of real dangers fostered by the individuals and organizations that will gain the most from creating an atmosphere of fear.

Peter McCann, a senior staff engineer in the telecommunications industry, responded, “The potential for destructive terrorist acts carried out through computer networks has been dramatically over-hyped. To the extent that computers are put in control of life-critical processes, there will be air gaps and safeguards in place that prevent malicious outside instructions from interfering in their operations.”

Darel Preble, executive director and founder of the Space Solar Power Institute, wrote, “The major damage to our national power grids is not from cyber attacks but from natural causes—squirrels, ants, ice, falling trees, wind, and simple human error.”

Ousmane Musatesa, an academic and self-described citizen of the world, wrote, “All these supposed threats are just scarecrows to push citizens in such a big distress that I give up all decisions to the association politics-economics powers.”

An anonymous respondent responded, “This is an overblown idea stoked by totally paranoid cybersecurity people. If terrorists wanted to take out the electrical grid, for example, they could do it a lot easier with bombs as opposed to having to mount a cyber attack. Only when cyber is cheaper and easier than bombs, guns, gas, nukes, and biological will cyber have any real threat. Right now cyber attacks are too costly. The bigger risk will be when cyber crooks drain Wall Street of all its cash. Now that is more likely.”

A director at Defense Distributed wrote, “This form of ‘cyber war’ is a nightmare scenario used by mostly Western governments to justify their own cyber operations, systemic oversight, and ‘kill switches.’ This scenario is not realistic even in 2025.”

Even though he answered “yes,” Aziz Douai, a professor of new media at the University of Ontario Institute of Technology in Canada, covered this same ground: “While it is probable, I think a major cyber attack will not happen by 2025 because insurgent groups and ‘terrorist’ organizations will lack the capability to launch such an attack. The hype surrounding the threat of cyber attacks will continue for various reasons including the fact that it justifies the infringement on privacy, setting up a panopticon-like Internet infrastructure, and the allocation of excessive budget for cyber warfare and security.”

A lecturer and researcher at a public university in Australia responded, “All of this talk about cyber attacks is meant to frighten us. It may be possible but the possibility is akin to the threat of nuclear attack in the 1950s, designed to keep us worried and allow agencies to protect us. I feel we are already under a form of cyber attack every time we leave the house or go online—by companies we have no idea about and by government agencies. Why might cyber-attacks be expected and from which quarter? Possibly by those who feel they are also entitled to benefit from advances in technology, but have been denied free access to those benefits? I am unable to answer the question posed, as it brings up too many questions of my own, e.g. how to ‘successfully thwart’? Perhaps by pre-emptive strike? I do not see these issues in black and white and therefore I cannot answer successfully or without some cynicism.”

An engineer at an Internet company responded, “The cyber war threat is mostly described by retired generals turned consultants who are more eager to sell their book than to help improve the security of the Internet. My guess is that the ‘natural’ Internet resiliency will make it easy to inflict local damages (we have already witnessed that many times) but very hard to inflict widespread damages.”

The digital editor for a major global news organization responded, “I am skeptical about the digital Pearl Harbor scenario; those who advance it have obvious vested interests in doing so. I think Thomas Rid’s thesis that cyber war will not take place has a lot of merit; this is really just a silly new name for sabotage, espionage, and subversion. The analogy with war is negatively useful.”