The possibility of a terrorist attack ranks high among Americans’ worst nightmares. Few realize, however, that a 9/11-type attack that occurred in cyberspace could be equally, if not more, devastating.

During an afternoon session at ICCS, Martin Libicki, Ph.D., senior management scientist at RAND Corporation, described how in 2010, top U.S. officials conducted a simulated cyber attack in which smartphone-based malware took down the cellular system and the power grid.

What followed, Libicki said, was “a panoply of poor ideas.”

In his talk, “Cyber 9/11: Race to React,” Libicki outlined the proposals that came out of the cyber attack simulation. These ideas—which he said are examples of what not to do on a cyber 9/11—included:

  • a national “kill switch,” which would allow the president to shut down the Internet in order to curb further spread of malware. Libicki warned that clever hackers could easily hijack such a kill switch. “Why do hackers’ job for them?” he asked;
  • a national firewall, or an intrusion detection and protection system mounted on the nation’s Internet service providers. This idea, though, would be not only exorbitant—implementing it could cost $20 billion per year—but also ineffective, since it wouldn’t protect against insider attacks and would instead create a false sense of security; and
  • an Internet user license that would require users to be certified prior to being able to use the Internet. Libicki pointed out that this would bar many people from using the Internet, and it focuses too much on user behavior rather than on improving the architecture of the Internet itself.

In the event of a cyber 9/11, Libicki said, it is critical that officials take the time to fully understand the problem, despite the urge to mount a response as quickly as possible. Acting on incomplete or erroneous information about a sophisticated cyber attack could ultimately worsen the problem.

It is equally important to craft the right narrative about a cyber attack, he said, by calling these attacks crimes rather than acts of war. On the practical side, there are established legal and financial structures in place to handle crimes, whereas wars tend to be ill-defined and costly.

Avoiding talk of war also has an important rhetorical upshot.

“Do we want [cyber]terrorists to think of themselves as criminals? Or do we want them to think of themselves as warriors?” he said.