Deputy Defense Secretary Bill Lynn, the Department’s front man on cyber-security, rolled out the new strategy in an address at NDU last week.  As with every threat scenario, gauging and managing risk is key.

Lynn started with some helpful perspective.  “Disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud,” he noted. “The vast majority of malicious cyber activity today does not cross this threshold.”

Martin Libicki, RAND’s author of Cyberdeterrence and CyberWar, provided additional circumspection in the October 17^th, 2010 episode of This Week in Defense News.  Even within militarily-relevant cyberspace, “almost 99.9 percent of that stuff is just espionage going back and forth.”

Things still look ominous to Lynn, though.  He warned later in the speech:

"We stand at an important juncture in the development of the cyber threat.  More destructive tools are being developed, but have not yet been widely used.  And the most malicious actors have not yet obtained the most harmful capabilities.  But this situation will not hold forever.  There will eventually be a marriage of capability and intent…"

The Will and the Wallet (quite regrettably) has no independent intelligence service to assess this risk.  Permit us a more general observation, though.  In the traditional military domains – air, land, sea – actors’ of sophisticated capability also have sophisticated intent, and vice versa.  Al Qaeda has not yet detonated a dirty bomb, for instance, or even mastered surface-to-air missiles.  On the other hand, actors – let’s call them “states” – capable of building a nuclear program or fighting a conventional war understand the devastating consequences of either and are deterred.

Why wouldn’t this same pattern hold in cyberspace?  Why should we plan or budget for the most destructive capabilities falling into the hands of those with the most malicious intents?

None of this is to say cybersecurity isn’t important, of course.  To the contrary, Gordon Adams and I recommended cybersecurity as a top priority mission for the military in our Foreign Affairs article, and the Rivlin-Domenici Debt Reduction Panel did likewise.  Still, exaggerating the risk creates a bottomless demand for resources that makes prioritizing harder.