Networks have been under attack -- and successfully handled by operators -- as long as they’ve been around. Be wary of calls for more government supervision of the Internet.
By Jerry Brito and Tate Watkins, posted April 29, 2010 at 1:31 pm EDT
We marched into Baghdad on flimsy evidence and we might be about to make the same mistake in cyberspace.
Over the past few weeks, there has been a steady drumbeat of alarmist
rhetoric about potential threats online. At a Senate Armed Services
Committee hearing this month, chairman Carl Levin said that
“cyberweapons and cyberattacks potentially can be devastating,
approaching weapons of mass destruction in their effects.”
The increased consternation began with the suspected Chinese breach of Google’s servers earlier this year. Since then, press accounts, congressional
pronouncements, and security industry talk have increasingly sown panic
about an amorphous cyberthreat.
Bush administration cybersecurity chief Michael McConnell recently warned that the United States “is fighting a cyber-war today, and we are losing.”
According to McConnell, now a vice president at Booz Allen Hamilton, “our power
grids, air and ground transportation, telecommunications, and
water-filtration systems are in jeopardy.” More recently, Sens. Jay
Rockefeller (D) and Olympia Snowe (R) wrote about “sophisticated cyber
adversaries” with the potential “to disrupt or disable vital
information networks, which could cause catastrophic economic loss and
social havoc.”
Yet none of the prognosticators of disaster presents any evidence to sustain their claims. They mention the Google
breach, but that was an act of espionage that, while serious, did not
lead to catastrophe.
There have been and continue to be many “cyberattacks” on government and private networks, from the Korea attacks to the denial-of-service attacks during the Georgia-Russia war. To be
sure, these attacks are a serious concern and we should continue to
study them.
But so far, these types of events tend to be more of a nuisance than a catastrophe. The biggest result is that websites are down for a few hours or days.
This shows that security should be a serious concern for any network operator. It does not show,
however, that these attacks can lead – much less have ever led – to the
types of doomsday scenarios that politicians imagine. There is no
evidence that these attacks have ever cost any lives or that any type
of critical infrastructure has ever been compromised: No blackouts, no
dams bursting, no panic in the streets.
The cyberalarmist rhetoric conflates the various threats we might face into one big ball
of fear, uncertainty, and doubt. This week, for example, the director of
the Central Intelligence Agency announced that a cyberattack could be
the next Pearl Harbor.
Cyberwar, cyberespionage, cyberterrorism, cybercrime – these are all disparate threats. Some are more real than
others, and they each have different causes, motivations,
manifestations, and implications. As a result, there will probably be
different appropriate responses for each.
Unfortunately, the popular discussion largely clumps them into the vague and essentially meaningless “cyberthreat” category.
Let’s take a deep breath.
Before we can effectively address any of these amorphous “cyberthreats,” we
must first identify what, specifically, these threats are and to what
extent the federal government plays a role in defending against them.
The war metaphor may be useful rhetoric, but it is a poor analogy to the
dispersed and different threats that both public and private
information technology systems face.
The fact is, as long as we have had networks, they have been under attack. But over the past 20
years network operators have developed effective detection, prevention,
and mitigation strategies.
This is why we should be wary of calls for more government supervision of the Internet. Last week, as part of
its National Broadband Plan, the Federal Communications Commission
began an inquiry into whether to establish a “voluntary cybersecurity
certification program.” Through the program the FCC would certify
communication service providers based on a set of cybersecurity
standards developed directly by the FCC, or indirectly through a third
party.
More ominously, Senators Rockefeller and Snowe have introduced the Cybersecurity Act of 2010 that aims to change how the
Internet works in the name of security. It would also create a national
system of licensing for security professionals, and would dole out
millions of dollars in cyberpork to “regional cybersecurity centers”
and other programs.
At the heart of calls for federal involvement in cybersecurity is the proposition that we reengineer the Internet to
facilitate better tracking of users in order to pinpoint the origin of
attacks. The Rockefeller-Snowe bill looks to develop such a “secure
domain name addressing system.”
That’s a slippery slope.
And there’s the fact that we have seen a wasteful military-industrial
complex develop before, and in this rush to “protect” we might be
seeing a new one blossoming now. The greater the threat is perceived to
be – and the less clearly it is defined – the better it is for defense
contractors like Booz Allen Hamilton, which last week landed $34
million in Defense Department cybersecurity contracts.
That money could certainly be put to better use right now.
Anyone concerned about net neutrality or civil liberties – in
particular online privacy and anonymity – should take notice. Before
the country is swept by fear and we react too quickly to the “gathering
threat” of cyberattacks, we should pause to calmly consider the risks
involved and the alternatives available to us.
Rather than pass a sweeping “cyberdefense” bill right away, Congress should take the time
to untangle the different threats that confront us and make sure they
are addressing each appropriately. If not, we will be saddled with an
overreaching one-size-fits-all result.
Giving the military and federal agencies the tools to protect their online assets might be an
appropriate first response. But reengineering the Internet and imposing
standards and licensing on the most innovative sector of our economy
should give us pause. There is no reason to rush to action.
Jerry Brito and Tate Watkins are technology policy researchers at the Mercatus Center at George Mason University.