YELLOW ALERT! SOMETHING BAD MAY OR MAY NOT HAPPEN! TAKE NO ACTION!!
Such yellow alerts haven’t worked effectively since the Star Trek TV series, but the US government keeps trying them anyway, most recently in an Obama presidential directive.
You’d think they’d know better by now. For nine years after 9/11, DHS maintained a color-coded terror alert level. During most of that time, America was on yellow alert. DHS briefly raised it to orange on five occasions. Levels below yellow were never used.
As Americans learned to live on perpetual yellow alert, it became the new normal, widely ignored, sometimes openly mocked. In 2011 DHS finally scrapped color-coded threats and replaced them with a more precise and actionable National Terrorism Advisory System (NTAS), saying it would “more effectively communicate information about terrorist threats by providing timely, detailed information to the American public”. (At this time there is one active NTAS advisory in effect, published on June 15 in the aftermath of the Orlando shootings, to warn the public about “terrorist-inspired individuals”.)
The main problem with those yellow alerts was they conveyed no specific threat information and recommended no particular action. "The old color coded system taught Americans to be scared, not prepared," observed Rep. Bennie Thompson (D-Mississippi). Eventually we weren’t even scared; we just ignored yellow alerts as background noise. This is a kind of False Positive Syndrome, or “boy who cried wolf” situation, where a steady stream of meaningless alerts gradually undermines vigilance, paradoxically making us more vulnerable to real attacks.
Remember the classic film “How to Steal a Million” with Audrey Hepburn and Peter O’Toole? They carry out a brazen heist by setting off a series of alarms that progressively annoy museum guards so much they finally turn off the alarm system, thinking it must be malfunctioning. O’Toole and Hepburn then steal a priceless statue with ease. This is a clever illustration of how attackers can turn false alarms to their advantage.
A prolonged series of danger signals causes nervous system and adrenal fatigue, leading to illnesses such as the Chronic Fatigue Syndrome seen in many Gulf War veterans. It’s only natural for us to ignore repeated danger signs of questionable value, simply to preserve our physical health. Eventually DHS figured this out and the era of terrorist yellow alerts came to an end.
Yet now the White House wants to implement a 5-level color-coded scale for cyber threats. It looks like this:
They apparently plan to apply it to specific threats and incidents, rather than issue a blanket global alert level, so arguably it’s an improvement over the old DHS system. But their yellow alert level has the same problems as before: it neither conveys specific threat information nor prompts any concrete action. Only higher levels (orange, red, black) will trigger a government response.
Given the murky nature of the cyber world, with its difficulties of actor attribution and impact assessment, it seems likely the default threat level for most cyber-attacks will be yellow. But if America experiences another long barrage of meaningless yellow alerts, we will tune them out and ignore the whole thing, just like before.
WARNING! Learn from history or be doomed to repeat it!
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.