By Joseph Marks
But criticism of the analogies emerged almost as soon as the analogies themselves. Comparing cyber and terrorism overstated the consequences of even the most damaging cyberattacks, critics said. And the result was more often to scare people into doing nothing than to compel them to take cyber protections more seriously.
Using this kind of rhetoric actually made people less willing to pay attention to cyber threats, Chris Painter, the top State Department cyber official during the Obama administration, told me.
“The best you can say for the analogy is the intent was to raise awareness and get people to focus on cybersecurity. But it didn’t really end up raising awareness,” Painter said.
But they still frequently crop up
During those years, there has been a wave of escalating and consequential cyberattacks. But none of them has come close to the massive human cost and culture-shaking significance of the Sept. 11 attacks.
There are no definitive cases in which a cyberattack caused the loss of a single life — though there has been at least one instance in which someone may have died because a ransomware attack against a hospital delayed their care.
“A lot of the predictions people made 10 and 20 years ago, including me, have been proven wrong,” Jim Lewis, a former top cyber official at the State and Commerce departments, told me. “You can keep saying ‘just wait until next time,’ but eventually you sound like Chicken Little.”
They were nearly all committed by adversary governments, including Russia, China, Iran and North Korea, rather than nonstate terrorist groups. The only significant exception is the recent wave of ransomware attacks against U.S. businesses, schools and cities, which government officials and analysts say are mostly conducted by cybercriminals in Russia acting with the Kremlin’s tacit approval.