"Look where we are now in the United States," says Ciaran Martin, formerly the founding CEO of the UK's National Cyber Security Centre (NCSC), now a professor at the University of Oxford.
"We have official government advice in force today asking people not to panic buy gasoline, or petrol as we call it over here, and put it in plastic bags," he told the AusCERT cybersecurity conference on Thursday.
"If you wanted an illustration of the impact of cyber harms, it will be hard to think of a better one."
Martin is of course referring to the Colonial Pipeline ransomware attack and the subsequent shutdown of its operations. The company paid the almost $5 million ransom, but it wasn't enough to stop the disruption.
"In a sense, this feeds all those warnings over years, over decades, about really difficult cyber impacts -- cyberwar, cybergeddon, and all the rest of it," Martin said.
"[They're] just sitting there in bedrooms in suburban England, suburban Australia. Teenagers, unstoppable, hacking everything, and there was nothing we could do to stop them," Martin said.
"The panic on the east coast of the US at the moment seems to be fuelling that narrative. Except it's wrong. It's absolutely wrong."
In Martin's view, what's happening is something much more prosaic.
"We have a bunch of criminals, they're in over their heads, operating out of Russia. They've even issued a partial apology for what they've done, because what they were trying to do, yet again, is exploit basic weaknesses in corporate security all over the world to make money. And they've gone too far," he said.
This ransomware crew didn't realise they were hacking the IT systems of a pipeline company. They didn't realise that would cause the company "for whatever reason" to shut down the pipeline.
According to Martin, this has been just another "accidental spiralling out of control", where a series of structural weaknesses in the way we do cybersecurity and the way organisations are incentivised has led to "a public impact which is very, very serious".
"I'm sure it was not central to the Russia-Ukraine tensions," Martin said.
We need absolutely to demystify cybersecurity
"Cyber threats, cyber risks, they're not catastrophes. Cyber harms are the aggregation of small harms. Hype, fear, uncertainty, doubt, that is our enemy," he said.
When he left the NCSC in August 2020, Martin produced a simple taxonomy of cyber harms, based on what he'd actually seen during his six and a half years with the organisation.
It boiled down to three simple categories: Getting robbed for cash, intellectual property, or other data; getting weakened by espionage, political interference, or pre-positioning for a later attack; and getting hurt.
The last category included cyber attacks that destroyed data, ransomware, and what he called "catastrophic cyber attacks" -- and that final category had an asterisk against it.
"That's because that is the one thing that has not happened," Martin said.
"There have been all sorts of cyber attacks. There have been many, many of them, and the one thing that we can still say, thankfully, is that the official death toll caused by cyber harms is zero."
Martin pointed to the large number of examples of "very, very basic security lapses, leading to quite high impact", including "a very controversial election leak".
During the lead-up to the UK's general election in 2019, someone working for former trade minister Liam Fox had used a personal Gmail account to bypass restrictions on working from home.
Fox's personal email was hacked by Russia. Eventually, a 451-page dossier of emails, including classified documents relating to US-UK trade talks, ended up in the hands of opposition leader Jeremy Corbyn.
"We need absolutely to demystify cybersecurity. We have to treat it as an ordinary business risk," Martin said.
"This is the reality of cyber harms. It's not glamorous. It's not individual catastrophes. It's all sorts of nebulous, pernicious, nasty little incidents, exploiting basic weaknesses to add up to a big, big social problem."