Don't Buy the Cyberhype

How to Prevent Cyberwars From Becoming Real Ones

Second Lieutenant William Liggett works at the Air Force Space Command at Peterson Air Force Base in Colorado Springs, CO.
Second Lieutenant William Liggett works at the Air Force Space Command at Peterson Air Force Base, Colorado Springs, July 20, 2010 (Rick Wilking / Courtesy Reuters)

These days, most of Washington seems to believe that a major cyberattack on U.S. critical infrastructure is inevitable. In March, James Clapper, U.S. director of national intelligence, ranked cyberattacks as the greatest short-term threat to U.S. national security. General Keith Alexander, the head of the U.S. Cyber Command, recently characterized “cyber exploitation” of U.S. corporate computer systems as the “greatest transfer of wealth in world history.” And in January, a report by the Pentagon’s Defense Science Board argued that cyber risks should be managed with improved defenses and deterrence, including “a nuclear response in the most extreme case.”

Although the risk of a debilitating cyberattack is real, the perception of that risk is far greater than it actually is. No person has ever died from a cyberattack, and only one alleged cyberattack has ever crippled a piece of critical infrastructure, causing a series of local power outages in Brazil. In fact, a major cyberattack of the kind intelligence officials fear has not taken place in the 21 years since the Internet became accessible to the public.

Thus, while a cyberattack could theoretically disable infrastructure or endanger civilian lives, its effects would unlikely reach the scale U.S. officials have warned of. The immediate and direct damage from a major cyberattack on the United States could range anywhere from zero to tens of billions of dollars, but the latter would require a broad outage of electric power or something of comparable damage. Direct casualties would most likely be limited, and indirect causalities would depend on a variety of factors such as whether the attack disabled emergency 911 dispatch services. Even in that case, there would have to be no alternative means of reaching first responders for such an attack to cause casualties. The indirect effects might be greater if a cyberattack caused a large loss of confidence, particularly in the banking system. Yet scrambled records would probably prove insufficient to incite a run on the banks.

Register for free to continue reading.
Registered users get access to three free articles every month.

Or subscribe now and save 55 percent.

Subscription benefits include:
  • Full access to ForeignAffairs.com
  • Six issues of the magazine
  • Foreign Affairs iPad app privileges
  • Special editorial collections

Latest Commentary & News analysis