Former National Security Agency head General Keith Alexander is putting his post-governmental energy into his consulting firm, IronNet CyberSecurity Inc., which shops its services to banks and other clients for up to $1 million a month. At least one Congressmen was upset to hear about this, and fired off a letter last week to the groups hiring him, reminding them that “disclosing or misusing classified information for profit is, as Mr. Alexander well knows, a felony.”
There’s been a lot of (deserved) media attention in the past year about the connections between the government security apparatus and Silicon Valley—who knew what, when. Amidst all that, the booming business of cybersecurity is getting less scrutiny. Alexander is hardly the first top official to rotate into lucrative consultant work in the industry. Journalists need to be alert to the fact that any threat can be inflated, to not take figures at face value, and to guide their readers through the threat. Who is at risk, and of what? Too often, the very concept of “cybersecurity” goes unanalyzed.
The problem, the author Peter W. Singer told the Washington Post, is that we “bundle together a variety of like and unlike activities, simply because they involve Internet-related technology.”
The prefix “cyber” has long been an easy way to indicate something related to computers or the internet, and of course, in the 1990s, it meant sexytime in AOL instant messenger. The first use of “cybersecurity” dates to 1989, Annalee Newetz wrote for i09 last year, but it didn’t really take off in the military context until the 2000s. It’s now safe to say that the darker side of cyber—bullying, war, crime—has supplanted its chat-room vibe. The military has a Cyber Command and the White House a Cybersecurity Czar.
“Cyber” is also all over the media, and often as an enormous umbrella. The Washington Post declared 2013 “The year of Cybersecurity,” citing Snowden and the Syrian Electronic Army. A Twitter account calling itself “The Cyber Unit” (@cybercyber) has been excerpting the most prefix-abusing news stories into abstract tweets. “Cyberspace cyberspace cyberspace cyberspace cyber pearl,” reads a recent précis of a Wall Street Journal story.
Since the Snowden leaks, many journalists are scrambling to educate themselves in the highly technical and often secretive arts of encryption and online anonymity, and that’s a good thing. We also need to learn to evaluate threats by being as specific as possible in describing them, and who might be affected.
Journalists have previously shown cyber-figures can be fungible. For example, officials, including President Obama, often use the stat that $1 trillion per year is lost to cybercrime. It originated with the security firm McAfee, and it has been thoroughly picked apart by reporters. And yet, the number still gets cited. A new report out this June, written by former intelligence officials for a think tank and also funded by McAfee, puts the cost at $445 billion. A few write-ups made glancing reference to the $1 trillion figure without commenting much on the discrepancy. Bloomberg quoted one skeptic, who noted the figure involves valuing intellectual property, which can be exaggerated. (Some tech blogs were more critical.)
Government figures also need dissection. A general told Congress in 2010 that, “every day, America’s armed forces face millions of cyberattacks.” Singer, author of a new book on cybersecurity, has explained that, “To get those numbers, though, he was combining everything from probes and address scans that never entered U.S. networks to attempts to carry out pranks, to politically motivated protests, to government-linked attempts at data theft and even espionage. But none of these attacks was what most of his listeners in Congress thought he meant by an ‘attack,’ the feared ‘digital Pearl Harbor’ or ‘cyber 9/11.’”
The cybersecurity boom will surely attract its share of scams and stupid ideas. There’s a world of business reporting to be done on that. Those of us covering national security, politics, and government contracting ought to be watching as well. And thinking about what we mean by “crime,” “attack,” “security,” or whatever other word we preface with “cyber.”