Cyber 'bombs,' digital D-Days and other nonsense

It's catchy, but the rhetoric of traditional warfare has no place in modern security.

Illustration by D. Thomas Magee

Cybergeddon is coming. To the disappointment of many, it's just going to look like some dude sitting at a desk, typing, and probably farting into his Department of Defense office chair.

Secretary of Defense Ash Carter was quoted recently as saying the United States was going to be "dropping cyber bombs" on ISIS, and the newly invented rhetoric produced its desired effect.

In expressions of both eagerness and incomprehension, outlets wrote, "Pentagon hits ISIS with 'cyber bombs' in full-scale online campaign." Scientific American even went so far as to try and explain the skin-crawlingly crazy phrase in a piece titled "How U.S. 'Cyber Bombs' against Terrorists Really Work."

India Times took it all quite literally, in an article titled "There's Something Called a Cyber Bomb and the US Is Planning to Drop It on ISIS." It explained, "The proper definition of a cyber-bomb is still a little convoluted and has been kept under wraps mainly because an operation of such magnitude is yet to be carried out."

One month after officials injected that deranged rhetoric into popular consciousness, the FBI and Apple had a public Hatfield vs. McCoys moment on encryption -- a war of words over unlocking the San Bernardino shooter's iPhone.

During this embarrassing media circus, the local DA told a federal judge the phone had to be unlocked, because it may hold the trigger to unleash a "dormant cyber pathogen." The quote was reported with a straight face by more than a few outlets in news items declaring that the "San Bernardino shooter could have introduced 'dormant cyber pathogen.'"

Shortly after making the remark, San Bernardino DA Michael Ramos admitted that the alleged 'dormant cyber pathogen' was entirely made up.

So far, he's the only authority to fess up to his painful linguistic chicanery, which is more than we can say for any other cyber-doom loons on the stage right now. These voices happen to include hippie activists who scare frail old politicians with boogeymen "digital arms" dealers and lawmakers spooking one another at congressional sleepovers with an ever-looming "cyber Pearl Harbor."

The problem is, a "cyber Pearl Harbor" is a thing of fiction. But words are powerful. More than ever, catchy rhetoric about hacking does more than create linkbait. It shapes policy.

Right now we're in a situation where press, policy makers, soldiers, officials and citizens don't realize there's no such thing as a "cyber bomb." Unless told otherwise, they will think there are actual bombs, which will obliterate, destroy, somehow flatten and put an end to whatever -- or whoever -- the so-called bombs are "dropped" on.


As Defense One put it, "One gets [the] sense from recent statements that "cyber bombs" are the wonder weapons that will make all the difference and deliver victory. But this is just as untrue as the equally hyperbolic statements of cyber doom."

"We ought to be wary of claims that the dropping of a few U.S. cyber bombs will soon lead to the surrender of the Islamic State's United Cyber Caliphate on the deck of a virtual battleship."

And they're right. Officials need to stop saying "cyber bombs" when what they really mean is changing spreadsheets, intercepting email, jamming comms, penetrating networks, doing recon and data exfiltration and planting malware.

It's hard to imagine people saying things like "cyber bombs" with a straight face, let alone imagine how they'd navigate riding the bus unescorted or tying their own shoelaces. Infosec, for its own part, is doing a good job of calling bullshit when it plops into headlines. And news outlets are finally starting to listen to them, even though reporters don't quite have their don't-quote-the-discredited-nutjob filters adjusted just yet.

I joke that it's an age thing, but it might be worse: laziness or even ignorance. It's no secret that our government, like many world governments, is struggling to figure out its relationship with computer security.

Applying old-world war terms to hacking might work for Hollywood films from the 1980s. If they keep training people to expect cyber D-Days and World War II homecoming parades after we've cyber-flattened our distant enemies, the reality is going to be one of the greatest disappointments this country has ever known.